With large data breaches increasing in healthcare, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is proposing to modify the HIPAA Security Rule to require health plans, clearinghouses and most providers and their business associates to strengthen cybersecurity protections for individuals’ protected health information.
This marks the first time HHS has sought to update the HIPAA Security Rule since 2013.
The rule would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis. OCR said that it would also better align the Security Rule with modern best practices in cybersecurity.
These proposals address:
• Changes in the environment in which healthcare is provided.
• Significant increases in breaches and cyberattacks.
• Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
• Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
• Court decisions that affect enforcement of the Security Rule.
For instance, the proposed rule require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
• A review of the technology asset inventory and network map.
Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
• Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
• An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
It also would require network segmentation, and vulnerability scanning at least every six months and penetration testing at least once every 12 months.
“Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of people affected every year has skyrocketed exponentially, a number we expect to grow even bigger this year with the Change Healthcare breach, the largest breach in our health care system in U.S. history,” said OCR Director Melanie Fontes Rainer, in a statement. “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing healthcare meet their obligations to protect the security of individuals’ protected health information across the nation.”
OCR has seen a substantial increase in reports of large breach reports received over the last five years. From 2018-2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches—a new record. Since 2019, large breaches caused by hacking and ransomware have increased 89 percent and 102 percent.
While HHS is undertaking this rulemaking, the current Security Rule remains in effect.
source
Français 
English