It’s That Time of Decade: HHS Proposes Long-Awaited Updates to the HIPAA Security Rule

Published: Jan. 06, 2025

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) proposed significant amendments to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, aiming to bolster cybersecurity requirements for covered entities and business associates that collect, process, and maintain electronic protected health information (ePHI).

While the existing HIPAA Security Rule is already a more stringent standard than most other US sector-specific security laws and regulations, the proposed changes would raise the bar by requiring specific controls that are designed to protect against some of the most common cyberattacks targeting the healthcare sector.

If enacted, the changes would constitute the first significant update to the rule since 2013. Based on the number of significant data breaches of sensitive information maintained by healthcare organizations, many believe these changes have been long overdue.

Key Proposed Changes:

While HHS has proposed extensive changes to the Security Rule, a number of proposed changes stand out.

Elimination of the Concept of “Addressable” Implementation Specifications:

The current Security Rule distinguishes between “required” and “addressable” implementation specifications, allowing some flexibility for “addressable” specifications based on a covered entity’s or business associate’s size, sophistication, and the sensitivity of the ePHI it processes, as well as the presence of compensating controls. The proposed rule seeks to remove this distinction, making all implementation specifications mandatory, subject to a number of limited exceptions. This change underscores HHS’s view that unauthorized disclosure or use of ePHI poses a high risk to individuals regardless of the size or sophistication of the covered entity or business associate, so all such entities must be held to the same standard.

Mandatory Multifactor Authentication (MFA):

Given the intractable problem of password reuse and the ubiquity of stolen credential dumps, a username and password pair alone is now rarely sufficient to secure access to systems. Accordingly, HHS proposes to require multifactor authentication for systems that are used to store or access ePHI (subject to limited exceptions). MFA would provide an extra layer of protection by blocking access even when an intruder has obtained a user’s login credentials.

Encryption of PHI:

The proposed rule mandates the encryption of ePHI both at rest and in transit. Previously, encryption was an “addressable” measure. HHS notes that the broader availability, reduced cost, and improved performance of encryption solutions since 2013 suggest that it is now feasible and appropriate to make this requirement mandatory in most situations. Practically, the market has dictated encryption requirements for covered entities and business associates for many years, so this may not be an operational change for many.

Network Segmentation:

The proposed amendments introduce a new mandate for covered entities and business associates to implement technical measures to segment their networks so that systems that handle ePHI are isolated from those that do not. While this has long been a recommended practice for insulating systems that process ePHI from compromise when another part of an organization’s network is breached, some organizations will need to build new, isolated environments to comply with this requirement if it is finalized.

Comprehensive Risk Analysis Requirements:

The proposal provides new, detailed specifications for conducting the risk analyses already required under the rule, including:

  • Development and review of asset inventories and network maps that illustrate the movement of ePHI throughout systems, to ensure that they are current;
  • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
  • Assessment of potential vulnerabilities and conditions that could be exploited; and
  • Evaluation of the likelihood and potential impact of identified threats exploiting vulnerabilities.

Documentation and Policy Updates:

Covered entities and business associates would be required to document all Security Rule policies, procedures, plans, and analyses in writing. Additionally, the proposal introduces specific compliance timeframes for existing requirements, ensuring timely implementation and regular updates to security measures. If enacted, these requirements may require significant work for covered entities and business associates.

Implications for Covered Entities and Business Associates:

These proposed changes represent a substantial shift towards more stringent cybersecurity requirements within the healthcare industry. Covered entities and business associates may need to invest in updated technologies and processes to comply with the new standards. Business associates – particularly those that process lower-risk ePHI, or that process ePHI only incidentally, and that have relied on the flexibility of the existing Security Rule in making strategic security investments – may also need to review and potentially revise their service offerings, and possibly their Business Associate Agreements, if the new rule is finalized.

The public comment period for these proposed changes is open for 60 days following their publication in the Federal Register on January 6, 2025.