The HIPAA Security Rule would get its first update since 2013 under a new proposal that would mandate basic security practices like multi-factor authentication, encryption, and network segmentation for healthcare providers, health plans, and others who handle sensitive patient data.
The proposed changes to the Health Insurance Portability and Accountability Act’s Security Rule were published this week – and took up 125 three-column pages of the Jan. 6 Federal Register. The U.S. Department of Health and Human Services (HHS) estimates that the new security requirements would cost more than $30 billion over the first five years, but after a difficult year for healthcare data breaches and ransomware attacks, stronger security controls may find favor even in a tougher regulatory environment on Capitol Hill.
“The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety,” HHS Deputy Secretary Andrea Palm said in a statement. “These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.”
HIPAA Security Rule Adds Encryption, MFA and More
The proposal is now in a 60-day public comment period, after which HHS will consider the feedback before proceeding with a final rule. The new HIPAA security requirements would apply to health plans, health care clearinghouses (organizations that enable the exchange of healthcare data between providers and insurers), most healthcare providers, and business associates.
An HHS fact sheet provides a good overview of the proposal, which also adds requirements for risk assessment, incident response, written policies and procedures, and regular review, testing, and updating.
The cybersecurity controls that the updated HIPAA Security Rule would require include:
- Encryption of ePHI (electronic protected health information) “at rest and in transit, with limited exceptions.”
- Establishing “technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner,” including anti-malware protection, removing extraneous software from relevant electronic information systems, and disabling network ports “in accordance with the regulated entity’s risk analysis.”
- Requiring the use of multi-factor authentication, “with limited exceptions.”
- Requiring vulnerability scanning at least every six months, and penetration testing at least annually.
- Requiring network segmentation.
- Requiring “separate technical controls for backup and recovery of ePHI and relevant electronic information systems.”
Regulated entities would be required to “review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.”
Asset Inventory, Network Map, Incident Response Requirements
Risk assessment, auditing, and incident response planning would also be mandated by the proposal. Some of those proposed requirements include:
- Developing a technology asset inventory and network map that illustrates the movement of ePHI “throughout the regulated entity’s electronic information systems,” to be updated at least annually or in response to changes that affect ePHI.
- Requiring notification of regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
- Drafting incident response plans that include restoring relevant electronic information systems and data within 72 hours.
- Conducting a Security Rule compliance audit at least annually, plus verification requirements for business associates.
Conclusion
The proposed HIPAA Security Rule requirements are based on commonly accepted cybersecurity best practices for preventing – or limiting the damage from – data breaches and ransomware attacks.
As such, they shouldn’t be particularly controversial – especially after a year that saw patient health endangered by numerous cyberattacks, hazards that have led to bipartisan agreement that healthcare cybersecurity needs to improve.
With the average cost of a data breach significantly higher for healthcare than for any other sector, commonsense security controls may wind up saving healthcare organizations money – and improving patient privacy in the process.
