In response to the sharp increase in cyberattacks targeting the healthcare industry, the HHS Office for Civil Rights (OCR) has unveiled proposed updates to the HIPAA Security Rule, scheduled for publication in the Federal Register on January 6, 2025. The revisions are designed to strengthen the safeguards required of entities regulated under HIPAA, including healthcare providers, health plans, healthcare clearinghouses, and their business associates. The proposed changes come as the U.S. healthcare system grapples with a surge in cyber incidents that threaten patient privacy and the continuity of care.
OCR reports a steep rise in both the frequency and the severity of breaches: more than 167 million individuals were affected by large breaches of health information in 2023 alone, a 1,002% increase over 2018. Hacking, including ransomware, is the leading cause, accounting for nearly 80% of large breaches. Since 2019, OCR has observed an 89% increase in large breaches attributed to hacking, underscoring the need for stronger safeguards.
The proposed changes to the HIPAA Security Rule reflect these mounting concerns and aim to ensure that healthcare organizations are equipped to manage and mitigate the risks posed by cyber threats. Key proposals include:
1. Comprehensive Documentation of Security Measures
All Security Rule policies, procedures, plans, and risk analyses must be in writing. This includes documented plans for protecting electronic Protected Health Information (ePHI) wherever it is created, received, maintained, or transmitted across the organization's information systems.
2. Technology Asset Inventory and Network Mapping
Entities will be required to create and maintain a written inventory of their technology assets and a network map that illustrates how ePHI moves through their electronic information systems. Both must be reviewed and updated at least once every 12 months, and whenever a change in the organization's environment or operations may affect ePHI, so that organizations keep an accurate picture of where ePHI lives and where it is exposed.
3. Enhanced Risk Analysis Requirements
Risk analyses will need to be more specific and written: they must identify the reasonably anticipated threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI, assess their likelihood and potential impact, and set out a plan for mitigating the risks identified.
4. 24-Hour Notification for Workforce Access Changes
Regulated entities must notify other affected regulated entities within 24 hours whenever a workforce member's access to ePHI or to certain electronic information systems is changed or terminated, so that stale credentials are removed promptly on every system the person could reach.
5. Strengthened Incident Response Protocols
Organizations will be required to establish written procedures for responding to security incidents, together with contingency plans to restore the loss of certain relevant electronic information systems and data within 72 hours. These plans must be tested and revised regularly to ensure they actually work when needed.
6. Regular Security Audits and Compliance Checks
Entities will be required to conduct a compliance audit at least once every 12 months to evaluate adherence to the Security Rule. Business associates will also need to provide covered entities, at least once every 12 months, with written verification that they have deployed the required technical safeguards.
7. Mandatory Encryption of ePHI
Encryption of ePHI will be required both in transit and at rest, with only limited exceptions, making explicit what the current rule treats as an "addressable" specification. Encryption limits the usefulness of stolen data and devices to an attacker who has already obtained access.
8. Anti-Malware and Extraneous Software Removal
Organizations must deploy anti-malware protection on their information systems and remove extraneous software that is not needed for business operations, reducing the attack surface available to an intruder.
9. Multi-Factor Authentication
Multi-factor authentication will become a required safeguard for access to ePHI and the systems that hold it, with exceptions limited to specific circumstances defined in the rule.
10. Business Associates Must Notify Covered Entities of Contingency Plan Activation
Business associates will be required to notify the covered entities they serve within 24 hours of activating their contingency plans, ensuring timely communication and coordination while an outage or incident is being handled.
11. Group Health Plan Requirements
Group health plans will need to update their plan documents to require plan sponsors to comply with the Security Rule's administrative, physical, and technical safeguards, to ensure that any agent to whom a sponsor provides ePHI does the same, and to notify the plan within 24 hours of activating a contingency plan.
These proposed revisions come at a critical time, as cyber threats to healthcare organizations continue to evolve, posing significant risks to patient privacy and healthcare continuity. Stakeholders, including healthcare providers, health plans, and business associates, are encouraged to review the proposed changes and submit comments to OCR within 60 days of publication, that is, by March 7, 2025. Feedback will help shape the final version of the rule.
This is a proposed rule, not a final one: the existing Security Rule remains in force until a final rule is published and its compliance date arrives. Even so, covered entities and business associates should begin reviewing their current security practices against these proposals now, since several of them, such as asset inventories, encryption, multi-factor authentication, and tested recovery plans, take significant time to put in place.