
HHS Proposes Critical HIPAA Security Rule Updates to Combat Rising Cybersecurity Threats in Healthcare

The Health and Human Services Office of Civil Rights (OCR) has launched an effort to improve cybersecurity measures for a wide variety of healthcare organizations.

The aim is to counter the significant increase in the number of breaches and cyberattacks impacting healthcare along with the common deficiencies OCR has observed in its investigations into Security Rule compliance, cybersecurity guidelines, best practices, methodologies, procedures, and processes.

On December 27, 2024, OCR issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The proposed rule seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the healthcare sector.

OCR cited the substantial increase in large breach reports received over the last five years as support for the proposal. Reports of large breaches increased by 102% during this period, and the number of individuals affected by such breaches increased by 1002%, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches—a new record. Since 2019, large breaches caused by hacking and ransomware have increased by 89% and 102%, OCR reported.

Trustwave SpiderLabs conducted and published the in-depth report Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape. The report presents a comprehensive roadmap that highlights the attack methodologies employed by threat actors and offers insights on how organizations can safeguard themselves against specific types of attacks. Many of SpiderLabs’ recommendations for creating a safer healthcare data environment are reflected in the proposed update.


HHS’ Proposed Changes

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications. Here is a synopsis of the most important proposed changes; the full list can be viewed here.

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Add specific compliance time periods for many existing requirements.
  • Strengthen requirements for contingency planning and security incident response. This includes establishing written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours; establishing written security incident response plans and procedures that document how workforce members are to report suspected or known security incidents and how the regulated entity will respond to them; and implementing written procedures for testing and revising those incident response plans.
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI.
  • Require encryption of ePHI at rest and in transit, with limited exceptions.

  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:

    • Deploying anti-malware protection.
    • Removing extraneous software from relevant electronic information systems.
    • Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require network segmentation.
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
  • Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

The NPRM is set to be published in the Federal Register on January 6, 2025. Once published, there will be a 60-day public comment period during which you can submit feedback on the proposed changes.

While the Department is undertaking this rulemaking, the current Security Rule remains in effect.


How Trustwave can Help with Compliance

Trustwave Security Colony offers a HIPAA HITECH Compliance Toolkit, which is designed to provide the fundamental building blocks for developing an information security management system (ISMS) within an organization that meets the requirements of HIPAA and HITECH for the healthcare sector. The package includes core policies and standards as well as supporting documents.

For more general compliance information, Security Colony has a Compliance Support kit that contains five spreadsheets to help organizations develop and maintain their Information Security Management System. These spreadsheets are:

  • Statement of Applicability (SOA) ISO 27001-2022
  • Mapping Tables ISO 27002 2022-2013
  • ISO 27001-2022 Interview Questions
  • ISO 27001-2022 Evidence Toolkit
  • ISO 27001-2022 Assessment Workbook
