Proposed HIPAA Amendments Will Close Healthcare Security Gaps
The proposed changes to the healthcare privacy regulation add technical controls such as network segmentation, multifactor authentication, and encryption. They would strengthen cybersecurity protections for electronic health information and address evolving threats against healthcare entities.
The U.S. Department of Health and Human Services is planning a massive overhaul of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to strengthen baseline cybersecurity requirements for protecting electronic protected health information (referred to here as PHI). The proposed amendments, which will be published in the Federal Register on Jan. 6, would require healthcare organizations and other covered entities to implement security controls such as multifactor authentication and to meet stricter encryption requirements.
The proposal describes the most substantive changes to the Security Rule to date; the rule was last revised in 2013. The threat landscape is different now than it was over a decade ago: breaches against healthcare organizations increased by 102% between 2018 and 2023, the HHS Office for Civil Rights said in a statement, and in 2023 over 167 million people had their health information compromised, a 1,002% increase from 2018.
Proposed Changes to HIPAA
The amendments will apply to health plans, healthcare clearinghouses, health providers, healthcare facilities, insurance companies, and business associates.
Everything in Writing: All policies, procedures, plans, and analyses will need to be in writing. This extends to incident response, which must be backed by written incident response plans and written plans for testing them, as well as written procedures for restoring information systems and data within 72 hours.
Asset Inventory: Healthcare organizations will need to develop and regularly maintain an up-to-date technology asset inventory and a network map that tracks how PHI moves through their various systems.
Risk Analysis: Security risk analysis has been a persistent weak spot for healthcare organizations. The proposed changes spell out how it must be conducted: a written assessment that reviews the technology asset inventory and network map, identifies all potential threats to PHI, and assigns a risk level to each threat and vulnerability.
Implement Security Controls: Healthcare organizations will be required to deploy multifactor authentication and network segmentation to make it harder to compromise healthcare systems or breach data. All PHI will need to be encrypted both at rest and in transit, reflecting the consensus that encryption is no longer optional. For systems that process PHI, security teams will need to scan for vulnerabilities at least every six months, run penetration tests at least once a year, deploy antimalware defenses, and remove extraneous software from systems. These requirements turn what were previously recommended activities into a minimum security baseline every entity must meet.
Organizations will also need to conduct a compliance audit at least once every 12 months to verify that these technical controls are in place, and to attest in a written certification, on the same annual cadence, that the safeguards have been implemented.
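As an added illustration, not code from the article or from HHS, the Python script below runs a gap check over a constructed technology asset inventory against the controls and cadences listed above: per-system MFA, encryption at rest and in transit, segmentation, antimalware, removal of extraneous software, a vulnerability scan within six months, and a penetration test within a year. The field names, the 183-day reading of "six months", and the sample assets are assumptions of this example; the annual audit and written certification are organization-level obligations and are not modeled per asset.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cadences as described in the proposal (183 days for "six months" is this example's reading).
VULN_SCAN_MAX_AGE = timedelta(days=183)  # vulnerability scan at least every six months
PENTEST_MAX_AGE = timedelta(days=365)    # penetration test at least once a year

# Boolean controls the proposal would require on every system that processes PHI,
# mapped to the gap message reported when the control is absent.
REQUIRED_FLAGS = {
    "mfa_enforced": "no MFA",
    "encrypted_at_rest": "PHI not encrypted at rest",
    "encrypted_in_transit": "PHI not encrypted in transit",
    "segmented": "not on a segmented network",
    "antimalware": "no antimalware",
    "extraneous_software_removed": "extraneous software present",
}


@dataclass
class Asset:
    """One row of the technology asset inventory (field names are assumed for this example)."""
    name: str
    handles_phi: bool
    mfa_enforced: bool = False
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    segmented: bool = False
    antimalware: bool = False
    extraneous_software_removed: bool = False
    last_vuln_scan: Optional[date] = None
    last_pentest: Optional[date] = None


def overdue(last: Optional[date], max_age: timedelta, today: date) -> bool:
    """True if the activity never happened or is older than the allowed cadence."""
    return last is None or today - last > max_age


def asset_gaps(asset: Asset, today: date) -> List[str]:
    """Return the proposed-rule controls this asset is missing (empty list if none)."""
    if not asset.handles_phi:
        return []  # the technical controls attach to systems that process PHI
    gaps = [msg for flag, msg in REQUIRED_FLAGS.items() if not getattr(asset, flag)]
    if overdue(asset.last_vuln_scan, VULN_SCAN_MAX_AGE, today):
        gaps.append("vulnerability scan overdue (>6 months)")
    if overdue(asset.last_pentest, PENTEST_MAX_AGE, today):
        gaps.append("penetration test overdue (>12 months)")
    return gaps


def inventory_report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant PHI system to its list of gaps; compliant systems are omitted."""
    report: Dict[str, List[str]] = {}
    for asset in assets:
        gaps = asset_gaps(asset, today)
        if gaps:
            report[asset.name] = gaps
    return report


# Constructed sample inventory for this example; these are not real systems.
AS_OF = date(2025, 1, 6)
SAMPLE_INVENTORY = [
    Asset("ehr-db-01", True, True, True, True, True, True, True,
          last_vuln_scan=date(2025, 1, 2), last_pentest=date(2024, 6, 15)),
    Asset("imaging-gw-02", True, mfa_enforced=True, encrypted_at_rest=True,
          encrypted_in_transit=False, segmented=True, antimalware=True,
          extraneous_software_removed=True,
          last_vuln_scan=date(2024, 5, 1), last_pentest=None),
    Asset("lobby-kiosk", False),  # holds no PHI, so the controls do not attach
]

if __name__ == "__main__":
    for name, gaps in inventory_report(SAMPLE_INVENTORY, AS_OF).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Run against a real inventory export, the same check can be re-run on the audit date to produce the evidence behind the written certification; the date-based checks are what most often silently lapse between audits.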
Next Steps After Comments
Anne Neuberger, deputy national security adviser for cyber and emerging technology, said during a Dec. 27 press briefing that the changes to the security rule will cost approximately $9 billion in the first year, and $6 billion for years two to five. “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger said.
Stakeholders have 60 days after the nearly 400-page proposal is published to submit comments, which puts the deadline in early March 2025. HHS will issue the final rule afterward, although no date has been set; covered entities would then have 180 days after the final rule takes effect to comply. It is also not clear whether work on the changes to the Security Rule will continue under the new presidential administration. Even so, healthcare organizations should review the proposed requirements and evaluate their existing security programs to prepare for potential changes.
About the Author
Managing Editor, Features, Dark Reading
As Dark Reading's managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional, with experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and technology trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom's Guide.