The Health Insurance Portability and Accountability Act ("HIPAA") Security Rule has just undergone significant proposed revisions, including some very heavy cybersecurity "lifts." For the first time since 2013, the Security Rule would gain new definitions and requirements that are expected to raise both the security baseline and the compliance costs for healthcare providers. Examples of the new requirements include annual penetration testing for covered entities and annual security compliance certifications from business associates.
On January 6, 2025, the Department of Health and Human Services ("DHHS") published the Proposed Rule, giving the public until March 7, 2025 to comment before DHHS considers revisions and publishes a final rule with its compliance deadline. While the timing of a final rule is uncertain, the new Security Rule requirements could take effect before the end of 2025. DHHS explains the dramatic changes, in part, as converting the Security Rule's "addressable" implementation specifications into specific, consistently required compliance standards in response to trends in cybercrime.
In addition to 22 new or amended definitions, the proposed changes to the Security Rule include the following 14 requirements for "covered entities":
Encrypt ePHI at rest and in transit.
Use multi-factor authentication (MFA) to verify user identities.
Implement network segmentation “or other techniques that deny or impede an intruder’s lateral movement,” within “an organization’s relevant electronic information systems.”
Create written documentation of all Security Rule policies, procedures, plans, and analyses.
Implement workforce termination procedures, including notifying other covered entities or business associates within 24 hours whenever a workforce member who had access to their systems retires, quits, or is terminated.
Develop and annually update a network map/diagram and inventory of technology assets that illustrate the movement of ePHI through electronic information systems.
Conduct annual compliance audits against the Security Rule’s requirements.
Conduct annual penetration testing.
Conduct an annual test of existing security measures.
Conduct twice-annual vulnerability scans.
Create separate technical controls for backup and recovery of ePHI and electronic information systems (isolated redundancies).
Update risk analyses to include:
a. Technology asset inventories and network maps.
b. Threats to the confidentiality, integrity, and availability of ePHI.
c. Potential vulnerabilities to electronic information systems.
d. Risk level assessments for each identified threat and vulnerability.
Update cybersecurity incident response plans to include:
a. Procedures to restore critical electronic information systems and data within 72 hours of their loss.
b. An analysis of the criticality of electronic information systems and technology assets, used to set priorities for system and data restoration.
c. Documented procedures for workforce members and business associates to report security incidents.
d. Written procedures to test and revise the cybersecurity incident response plan.
Implement the following technical controls for both software and electronic information systems:
a. Anti-malware protection software.
b. The ability to remove malicious software.
c. The ability to disable network ports.
Additionally, the proposed updates to the Security Rule require business associates to notify covered entities within 24 hours of activating their incident response or contingency plans in reaction to a cyber incident. Business associates must also provide covered entities with an annual certification, completed by a subject-matter expert, that the business associate complies with the revised Security Rule. These changes are long overdue, as healthcare remains one of the critical infrastructure sectors most frequently targeted by cybercriminals.