Healthcare CIOs and CISOs are closely following the recent proposal by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to update the HIPAA Security Rule. The proposed changes, outlined in a Notice of Proposed Rulemaking (NPRM), are focused on enhancing cybersecurity protections for electronic protected health information (ePHI). As organizations assess the potential impact of these updates, the key question at hand is whether they will help meet compliance requirements or strengthen the security framework for safeguarding patient data.
The proposed measures under the updated HIPAA Security Rule fall under two main themes for healthcare CIOs:
Enhanced Documentation
The proposal emphasizes the importance of maintaining a comprehensive and up-to-date technology asset inventory and network map that tracks the flow of ePHI across electronic systems. Organizations are required to review and update this inventory and map annually or whenever significant changes occur that could impact ePHI. This poses a challenge for organizations with limited technical resources, particularly small and rural facilities. Implementing these requirements may necessitate bringing in dedicated virtual CIO or consultant resources to manage this aspect of compliance.
Additionally, organizations must establish written procedures for restoring critical electronic information systems within 72 hours of a loss. While having written procedures is a good start, healthcare organizations must also regularly test and validate their ability to restore systems within the specified timeframe. This process is complex and requires consistent practice to ensure operational readiness. Healthcare executives should anticipate budget increases associated with redesigning disaster recovery plans to meet this standard.
Enhanced Technical Safeguards
On the technical front, the proposed rule includes safeguards to enhance the protection of ePHI. Encryption of ePHI at rest and in transit is mandated, with limited exceptions, to ensure data security throughout its lifecycle. Multi-factor authentication is also required to strengthen access controls and prevent unauthorized access, aligning with industry standards.
Additional security measures include mandatory vulnerability scanning every six months, annual penetration testing, and implementing network segmentation to reduce the risk of breaches. Separate technical controls for backing up and recovering ePHI and associated systems are essential to ensure data integrity and availability. Regulated entities are also required to review and test the effectiveness of specific security measures annually, moving beyond the general requirement of maintaining such measures.
Carter Groome, CEO at Health First Advisory, commends the efforts to enhance cybersecurity measures, noting the alignment with HHS cyber performance goals (CPGs) and the clarity provided by terms such as “deploy” and “required.” However, there is a concern about the timeliness of these regulations, as technical guidelines can quickly become outdated in the face of evolving technology and sophisticated cyber threats. Healthcare providers must remain vigilant and adaptable to stay ahead of potential security risks.
Overall, the proposed updates to the HIPAA Security Rule aim to elevate security posture and reduce risks across healthcare organizations. While there may be challenges in implementation and ongoing compliance, the focus on enhancing cybersecurity protections for ePHI is a positive step towards safeguarding patient data in an increasingly digital healthcare landscape.
