Dive Brief:
The HHS wants to update the HIPAA security rule for the first time in more than a decade to bolster healthcare cybersecurity, regulators said late last month.
The Office for Civil Rights, which enforces HIPAA, proposed changes to the regulation that aim to clarify and offer more specific instruction on securing electronic health data. The update would also require organizations and their business associates to keep security policies in writing, as well as review, test and update them on a regular basis.
The proposal comes as the healthcare sector has weathered a growing wave of cyberattacks and data breaches. From 2018 to 2023, the OCR has tracked a more than 100% increase in large breaches, while the number of people affected by healthcare data breaches has soared by more than 1000%.
Dive Insight:
Cybersecurity has become a critical component of healthcare delivery, with nearly every component of the system, from appointment scheduling to prescription ordering, reliant on connected technology, regulators wrote in the proposed rule.
But as the sector rapidly adopts new devices and tools, organizations are more vulnerable to cyberattacks — and the industry has become an attractive target for cybercriminals.
Since 2019, large data breaches caused by hacking and ransomware, a type of malware that denies users access to their data until a ransom is paid, have exploded, according to OCR.
“Cyberattacks continue to impact the health care sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually,” OCR Director Melanie Fontes Rainer said in a statement. “The number of people affected every year has skyrocketed exponentially, a number we expect to grow even bigger this year with the Change Healthcare breach, the largest breach in our health care system in U.S. history.”
Many healthcare organizations aren’t investing adequately in cybersecurity, and some HIPAA covered entities aren’t consistently following the security rule’s requirements, regulators wrote in the rule.
The proposed changes aim to clarify HIPAA requirements and add details to tamp down on the wave of cyberattacks and breaches.
Among other updates, the proposal would require healthcare organizations to create a technology asset inventory and network map that details the movement of protected health data through its systems. The organization would have to revise the inventory and map at least once every year, or when the company’s environment or operations change.
Plus, the update would mandate more specific risk analyses, including a written review of the organization’s technology inventory and network map, as well as of potential threats and vulnerabilities.
The proposal would also require covered entities and their business associates to use multi-factor authentication — a common cybersecurity safeguard where users have to provide more than one form of identification to gain access — with few exceptions. The requirement comes months after the massive Change cyberattack, where hackers were able to access the company’s systems with compromised credentials when MFA wasn’t turned on.
Organizations would have to scan their systems for vulnerabilities at least every six months, and conduct penetration testing, a simulated cyberattack used to evaluate security, every year.
The proposal comes as regulators have signaled interest in bolstering cybersecurity in the healthcare sector. In late 2023, the HHS published a cybersecurity strategy that included plans for a HIPAA update as well as hospital requirements through Medicare and Medicaid.
The agency also published voluntary cybersecurity goals for the industry early last year.
Some lawmakers are also looking to boost cyber standards in the face of increased attacks. This fall, Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., introduced legislation that would direct the HHS to develop minimum requirements for the sector and provide funds to help hospitals boost their practices.