With large data breaches in the healthcare sector on the rise, the US Department of Health and Human Services’ Office for Civil Rights (OCR) proposes modifying the HIPAA Security Rule to require health plans, clearinghouses, and most providers and their business associates to strengthen cybersecurity protections for individuals’ protected health information.
This is the first time HHS has attempted to update the HIPAA Security Rule since 2013.
The rule would clarify and provide more specific instructions on what covered entities and their business associates must do to protect the security of electronic protected health information (ePHI). The proposed rule would also require that policies and procedures be written, reviewed, tested, and periodically updated. OCR said it would also better align the Security Rule with modern cybersecurity best practices.
These proposals address:
• Changes in the environment in which healthcare is provided.
• Significant increases in breaches and cyberattacks.
• Common deficiencies that OCR has observed in investigations into compliance with security standards by covered entities and their business associates.
• Other cybersecurity guidelines, best practices, methodologies, procedures and processes.
• Judicial decisions that affect the application of the Security Rule.
For example, the proposed rule requires greater specificity in conducting a risk analysis. The new express requirements would include a written evaluation containing, among other things:
• A review of the inventory of technological assets and the network map.
• Identification of all reasonably anticipated threats to the confidentiality, integrity and availability of ePHI.
• Identification of potential vulnerabilities and predisposing conditions to the relevant electronic information systems of the regulated entity.
• An assessment of the risk level for each identified threat and vulnerability, based on the probability that each identified threat will exploit the identified vulnerabilities.
It would also require network segmentation and vulnerability scanning at least every six months and penetration testing at least once every 12 months.
“Cyberattacks continue to impact the healthcare sector, with rampant escalation of ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of people affected each year has skyrocketed exponentially, a number we expect to grow even more this year with the Change Healthcare breach, the largest breach in our healthcare system in American history,” said the director of OCR, Melanie Fontes Rainer, in a statement. “This proposed rule to update the HIPAA security rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that physicians, health plans, and others who provide health care meet their obligations to protect the security of protected health information of people throughout the country.”
OCR has seen a substantial increase in major breach reports over the past five years. Between 2018 and 2023, reports of major breaches increased by 102 percent, and the number of people affected by such breaches increased by 1,002 percent, primarily due to increased hacking and ransomware attacks. In 2023, more than 167 million people were affected by major breaches – a new record. Since 2019, major breaches caused by hacking and ransomware have increased between 89 and 102 percent.
While HHS carries out this rulemaking, the current Security Rule remains in effect.