Editor’s note: Steven W. Teppler is a partner and chair of the Cybersecurity and Data Privacy practice group at Mandelbaum Barrett PC in Roseland, New Jersey. Carly Rothstein is a law clerk (pending admission to the New York bar) in the Cybersecurity and Data Privacy practice group at Mandelbaum Barrett PC.
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights has issued a proposed rule that, if adopted, would significantly amend the HIPAA Security Rule.
The updates aim to fortify the confidentiality, integrity and availability of electronic protected health information, or ePHI, amid escalating cybersecurity threats in healthcare. Once the proposed amendments are finalized and published in the Federal Register, entities will have 180 days within which to comply.
On Jan. 20, however, President Donald Trump issued an executive order imposing a “Regulatory Freeze Pending Review.” While the executive order places into question the status of the proposed rule (as well as all other proposed federal regulations), the imposition of enhanced cybersecurity requirements for healthcare providers should be considered a near certainty.
The proposed amendments to the HIPAA Security Rule represent a crucial step forward in addressing the cybersecurity challenges faced by the healthcare sector. While these changes demand significant effort and investment, they are necessary to protect sensitive patient information and bolster the security of healthcare as a component of critical infrastructure.
The need for enhanced cybersecurity in healthcare
The HIPAA Security Rule has gone untouched for more than a decade, during which the healthcare industry has rapidly transformed with respect to how ePHI is created, maintained, received and transmitted.
The law, however, has not kept up with these changes. Security practices for patient data and health IT systems have in part been treated as suggestions rather than requirements, leaving systems vulnerable to cyberattacks and network breaches.
With each passing year, the number of both cyberattacks targeting the healthcare sector and individuals affected by such attacks has grown dramatically. Large breaches, defined as those affecting 500 or more individuals, involving protected health information, or PHI, affected a record 160 million individuals in 2023, according to the proposed rule. The government expects that 2024 surpassed that record given the gravity of the Change Healthcare breach — which alone affected more than half of the U.S. population.
Given the healthcare sector’s designation as critical infrastructure, these proposed updates are essential to adapt the HIPAA Security Rule to today’s complex threat environment.
Key proposals in the enhanced security rule
1. Uniformity across implementation specifications
The proposed rule eliminates the distinction between “required” and “addressable” implementation specifications. All specifications will now be mandatory, with specific exceptions.
2. Comprehensive documentation
Covered entities and business associates must maintain written documentation of all Security Rule policies, procedures, plans and analyses.
3. Updated definitions and specifications
Key definitions and implementation specifications will be updated to reflect technological advances and modern terminology.
4. Technology asset inventory and network mapping
Entities must maintain an ongoing technology asset inventory and a network map illustrating the movement of ePHI. These must be updated annually or when significant changes occur.
5. Enhanced risk analysis
The new rule requires a periodic written risk assessment detailing technology asset review, threat identification, vulnerability assessments and risk level evaluations.
6. Access management
Regulated entities must notify designated parties within 24 hours when a workforce member’s access to ePHI or relevant systems is changed or terminated.
7. Incident response and contingency planning
Entities must establish detailed written procedures for incident response, including restoration within 72 hours and prioritized system recovery plans.
8. Auditing and business associate oversight
Entities must conduct annual compliance audits and ensure that business associates verify their technical safeguards annually through assessments that would now be certified in writing by the business associate’s “subject matter expert.” What qualifies as a “compliance audit” and who qualifies as an “auditor” under the proposed rule remain to be seen.
9. Encryption and authentication
Encryption of ePHI at rest and in transit, alongside multi-factor authentication, will be mandatory.
10. Technical safeguards and controls
Entities must deploy anti-malware protection, enforce software controls, disable unused network ports and implement network segmentation.
11. Vulnerability and penetration testing
Entities must conduct vulnerability scans every six months and penetration tests annually.
12. Backup and recovery protocols
Separate, dedicated technical controls for secure ePHI backup and recovery are required.
Benefits of compliance
Meeting the enhanced requirements of the expected HIPAA Security Rule goes beyond regulatory compliance. Organizations that adopt these standards will help:
Reduce risks from ransomware attacks and data breaches.
Strengthen overall threat resilience and operational continuity.
Mitigate financial, regulatory and reputational fallout from non-compliance or security incidents.
Contribute to national efforts to protect critical infrastructure.
Key actions for cybersecurity teams
Cybersecurity teams (both legal and technical) within the healthcare sector must take proactive steps to prepare for these changes:
Review and update policies. Conduct a comprehensive review of existing HIPAA Security Rule policies and align them with the proposed requirements.
Conduct a gap analysis. Identify deficiencies in current security practices in light of the proposed rule.
Invest in technology and training. Upgrade systems to meet encryption, authentication and technical safeguard requirements. Train workforce members on updated policies and procedures.
Develop incident response plans. Establish detailed security incident response procedures and conduct regular drills to test effectiveness.
Monitor business associates. Strengthen contractual oversight of business associates by requiring annual compliance certifications and technical safeguard assessments.
Participate in the rulemaking process. Submit comments on the proposed rule and attend related HHS consultations to provide feedback and gain clarity on requirements.
The proposed amendments to the HIPAA Security Rule represent a crucial step forward in addressing the cybersecurity challenges faced by the healthcare sector. These enhancements underscore the importance of robust cybersecurity due diligence. While these changes demand significant effort and investment, they are necessary to protect sensitive patient information and maintain public trust. Acting now to prepare for compliance will bolster your defenses and position your organization for success in a challenging regulatory — and threat — landscape.