New HIPAA Guidelines Set to Improve Cybersecurity in Healthcare

The HIPAA Security Rule is updated to enhance cybersecurity for electronic protected health information, require regular audits, and align policies with current technologies.

The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has introduced a proposed rule to update the HIPAA (Health Insurance Portability and Accountability Act) Security Rule for the first time since 2013. The suggested changes would mandate health plans, healthcare clearinghouses, and insurance companies to enhance cybersecurity safeguards for electronic protected health information (ePHI). These updates would affect most healthcare providers and their business associates ().

“As legitimate ways to access PHI continue to evolve, so do the illegal methods,” said Hoala Greevy, founder and CEO of Paubox, a HIPAA-compliant communication and marketing company for healthcare organizations. “Therefore, the HHS OCR must also update its policies to protect lawful access to PHI while addressing unlawful activities.”

Health Insurance Portability and Accountability Act [HIPAA] - Provisions of HIPAA
This article is useful for the layman, Medical professionals, Healthcare organizations, Network engineers and IT/Software professionals that deal with HIPAA by highlighting main important facts of relevance

‘Did You Know?
HIPAA protects your health information for 50 years after death, and the average fine for a violation can reach up to $1.5 million! #medindia #hipaa #privacy’

Rising Cybersecurity Threats in Healthcare

Cyberattacks are increasingly affecting the healthcare sector, with ransomware and hacking incidents on the rise. The number of patients impacted each year has surged dramatically. In 2023, over 167 million individuals were affected by major breaches, setting a new record. Since 2019, hacking-related breaches have increased by 89%, and ransomware attacks have risen by 102%.

New Mandates for Documentation and Policy Updates

The proposed rule aims to amend the HIPAA Security Rule, requiring health plans, healthcare clearinghouses, most healthcare providers, and their business associates to enhance protection of patients' ePHI from both external and internal threats. It will provide clearer and more specific guidelines on what covered entities and their BAs must do to secure ePHI. The updates will mandate that policies and procedures be documented, regularly reviewed, tested, and updated.

“It’s time for an update to the HIPAA Security Rule,” said Greevy. “A bold and controversial step would be to issue a guideline advising against the use of the Windows operating system by business associates and covered entities. For instance, there have been no documented cases of successful ransomware attacks on covered entities and BAs using systems other than Windows.”

The proposed update brings several important changes to help covered entities reduce risk. "All implementation specifications will become mandatory, removing the current distinction between 'required' and 'addressable' specifications," said Jade Davis, JD, a law partner at Hall Booth Smith in Tampa, Florida, specializing in data privacy, cybersecurity, and artificial intelligence.

Questions Women Should Ask While Buying Health Insurance
Women may have fewer heart diseases and strokes, but they have their own crosses to bear and the insurance industry needs to address them.

Aligning Definitions and Specifications with Current Technologies

The proposed changes would mandate entities to keep detailed written documentation of all Security Rule policies, procedures, and analyses. "Definitions and specifications will be updated to align with current technologies and terminology. Entities will also be required to maintain and update a technology asset inventory and network map annually, or after significant changes," said Davis.

Risk assessments will now require a detailed analysis of technology assets, threats, vulnerabilities, and risk levels. The proposed changes also stipulate that any changes to employee access to ePHI must be reported within 24 hours. Incident and contingency planning will require entities to create plans for restoring systems within 72 hours, conduct criticality assessments, and regularly test incident response procedures, Davis explained.

“These updates mark significant progress, but the healthcare industry should see them as part of an ongoing process, not a one-time fix,” she said. “Technological advancements and emerging risks demand constant adjustments to ensure strong protection of patient data.”

Health and Life Insurance May be Difficult to Get After Donating a Kidney
Kidney donors may face difficulty when they apply or renew their health or life insurance policies; this is despite the fact that there is no evidence that they are at increased health risks.

Certification of Compliance by Business Associates and Subcontractors

Entities will be required to perform annual audits to ensure compliance with the Security Rule. Davis noted that business associates and subcontractors must certify compliance with technical safeguard requirements every year. "Encryption of ePHI, both at rest and in transit, will be mandatory, with a few exceptions," Davis said. "While HHS's efforts are commendable, more needs to be done to foster a proactive cybersecurity culture in healthcare. This includes increasing funding for cybersecurity initiatives and encouraging collaboration between the public and private sectors."

The current proposal enhances security requirements for technical safeguards. Entities will be required to conduct vulnerability scans every six months, perform annual penetration tests, and carry out yearly security checkups to ensure their effectiveness.

Reference:

HHS Proposes HIPAA Privacy Rule Changes - (https://www.renalandurologynews.com/features/hhs-proposes-hipaa-privacy-rule-changes/)

Source-Eurekalert