Proposed HIPAA Security Rule Changes Aim to Enhance Healthcare Cybersecurity


TL/DR –

The U.S. Department of Health and Human Services Office for Civil Rights is proposing changes to the HIPAA Security Rule that are designed to strengthen cybersecurity protections for health information. The proposed changes include clearer instructions for covered entities and their business associates on protecting electronic health information, requirements for regular review and updating of policies and procedures, and a requirement for written risk assessments. This comes in response to a significant increase in data breaches and cyberattacks in the healthcare sector, with the number of people affected by large breaches increasing by 1002% between 2018 and 2023.


US Healthcare Data Breaches Lead to Proposed HIPAA Security Rule Modifications

The continuing rise in large-scale data breaches in healthcare has led the U.S. Department of Health and Human Services Office for Civil Rights (OCR) to propose modifications to the HIPAA Security Rule. The initiative would require health plans, clearinghouses, providers, and their business associates to strengthen the cybersecurity measures that protect individuals’ protected health information. It is the first proposed update to the rule since 2013.

Clarifying Responsibilities for Protecting Health Information

The proposed rule would spell out the responsibilities of covered entities and their business associates for securing electronic protected health information (ePHI). It would mandate the regular review, testing, and updating of written policies and procedures. The OCR also plans to realign the Security Rule with contemporary cybersecurity best practices.

Addressing Essential Aspects of Cybersecurity

The proposals address several essential aspects: the evolving environment of healthcare provision, the significant rise in cyberattacks and data breaches, common deficiencies observed in previous Security Rule compliance investigations, and recent court rulings that affect Security Rule enforcement.

Proposed Rule to Require In-Depth Risk Analysis

The rule would require a comprehensive risk analysis, including a written assessment that covers a review of technology assets, the likely threats to ePHI confidentiality, the vulnerabilities of the systems involved, and the risk level of each identified threat.

The rule would also require network segmentation, vulnerability scanning every six months, and annual penetration testing.

Addressing Current and Future Cybersecurity Threats

“The proposed rule aims at addressing current and future cybersecurity threats. The objective is to ensure that healthcare providers fulfill their responsibilities of safeguarding individuals’ protected health information,” said OCR Director Melanie Fontes Rainer.

Large data breaches increased by 102% from 2018 to 2023, affecting over 167 million individuals in 2023 alone, a new record. Hacking incidents and ransomware attacks have also escalated, up 89% and 102% respectively since 2019. The proposed changes are not yet in force; the current Security Rule remains in effect until further notice.
