The Health and Human Services Office of Civil Rights (OCR) has launched an effort to improve cybersecurity measures for a wide variety of healthcare organizations.
The aim is to counter the significant increase in the number of breaches and cyberattacks impacting healthcare, along with the common deficiencies OCR has observed in its investigations into Security Rule compliance, cybersecurity guidelines, best practices, methodologies, procedures, and processes.
On December 27, 2024, OCR issued a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The proposed rule seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the healthcare sector.
OCR cited the substantial increase in large breach reports received over the last five years as support for the proposal. Reports of large breaches increased by 102% during this period, and the number of individuals affected by such breaches increased by 1002%, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches—a new record. Since 2019, large breaches caused by hacking and ransomware have increased by 89% and 102%, OCR reported.
Trustwave SpiderLabs conducted and posted the in-depth report Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape. The report presents a comprehensive roadmap that highlights the attack methodologies employed by threat actors, offering valuable insights on how organizations can safeguard themselves against specific types of attacks. Many of SpiderLabs’ recommendations for creating a safer healthcare data environment are reflected in the proposed update.
HHS’ Proposed Changes
The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications. Here is a synopsis of the most important proposed changes; the full list can be viewed here.
- Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
- Require written documentation of all Security Rule policies, procedures, plans, and analyses.
- Add specific compliance time periods for many existing requirements.
- Strengthen requirements for planning for contingencies and responding to security incidents. These include establishing written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours; establishing written security incident response plans and procedures that document how workforce members are to report suspected or known security incidents and how the regulated entity will respond to them; and implementing written procedures for testing and revising those written security incident response plans.
- Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
- Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI.
- Require encryption of ePHI at rest and in transit, with limited exceptions.
- Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
  - Deploying anti-malware protection.
  - Removing extraneous software from relevant electronic information systems.
  - Disabling network ports in accordance with the regulated entity’s risk analysis.
- Require the use of multi-factor authentication, with limited exceptions.
- Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Require network segmentation.
- Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
- Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
- Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
- Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
The NPRM is set to be published in the Federal Register on January 6, 2025. Once published, there will be a 60-day public comment period during which you can submit feedback on the proposed changes.
While the Department is undertaking this rulemaking, the current Security Rule remains in effect.
How Trustwave can Help with Compliance
Trustwave Security Colony offers the HIPAA HITECH Compliance Toolkit, which is designed to provide the fundamental building blocks for developing an information security management system (ISMS) within an organization that meets the requirements of HIPAA and HITECH for the healthcare sector. The package includes core policies and standards as well as supporting documents.
For more general compliance information, Security Colony has a Compliance Support kit that contains five spreadsheets to help organizations develop and maintain their Information Security Management System. These spreadsheets are:
- Statement of Applicability (SOA) ISO 27001-2022
- Mapping Tables ISO 27002 2022-2013
- ISO 27001-2022 Interview Questions
- ISO 27001-2022 Evidence Toolkit
- ISO 27001-2022 Assessment Workbook