The U.S. Department of Health and Human Services (HHS) wants to update the HIPAA Security Rule for the first time in more than a decade to bolster healthcare cybersecurity. On January 6, the Office for Civil Rights (OCR), which enforces HIPAA, proposed changes to the regulation that aim to clarify and offer more specific instruction on securing electronic health data. The update would also require organizations and their business associates to keep security policies in writing, as well as review, test and update them on a regular basis. The proposal comes as the healthcare sector has weathered a growing wave of cyberattacks and data breaches.
More on the Proposed Rule
Currently, the HIPAA Security Rule distinguishes between “required” and “addressable” implementation specifications, offering flexibility to covered entities based on their specific circumstances, such as their risk analyses and available resources, to determine whether certain implementation specifications are reasonable and appropriate safeguards. The proposed rule would remove this distinction entirely. OCR has found that many covered entities misinterpret “addressable” to mean optional, leading them to skip implementing certain safeguards even when they would be reasonable and appropriate. OCR found this to be particularly concerning in light of the ongoing shift to an interconnected and cloud-based environment, and the notable rise in breaches of unsecured ePHI from both internal and external sources. By eliminating the distinction between “required” and “addressable” implementation specifications, the rule clarifies that all implementation specifications are mandatory, with limited exceptions, ensuring that there is a baseline level of protection for ePHI.
Furthermore, while the current HIPAA Security Rule requires covered entities to conduct risk analyses, it does not specify the frequency or timing of these assessments. The proposed rule would address this by requiring covered entities to review, verify and update their risk assessments on an ongoing basis: at a minimum once every 12 months, and also in response to any change in the covered entity’s environment or operations that may affect ePHI. Additionally, the proposed rule establishes eight new requirements for what must be included in risk assessments conducted by covered entities.
The proposed rule would also require covered entities to maintain a written inventory of their technology assets and a network map for their electronic information systems that may impact the confidentiality, integrity or availability of ePHI. The inventory must include all technology assets, such as hardware, software, electronic media and data, which handle ePHI, along with those that may affect it, detailing each asset’s identification, version, responsible person and location. Additionally, the proposed rule would require covered entities to develop a network map that illustrates how ePHI flows through the entities’ systems, including its entry, exit and remote access points. Covered entities would be required to review and update both the inventory and map at least annually, or when changes occur that affect ePHI, such as adopting new technology, system updates, security incidents, or changes in laws or operations.
Additionally, the proposed rule would require covered entities to perform and document an audit of their compliance with each of the Security Rule’s standards and implementation specifications at least once every 12 months. Further, the proposal introduces a new standard requiring covered entities to conduct vulnerability scans of their electronic information systems at least once every six months and in alignment with the covered entity’s risk analysis to identify technical vulnerabilities, such as outdated software and missing patches. Once vulnerabilities are identified, assessed, and prioritized, appropriate corrective actions must be taken, such as applying patches, hardening systems, or retiring outdated equipment.
The proposed rule further seeks to enhance the HIPAA Security Rule’s contingency planning requirements to ensure that covered entities can quickly recover from unforeseen events, including disasters and cyberattacks. Specifically, covered entities would be required to establish a written contingency plan that contains procedures for responding to emergencies impacting electronic information systems, and to create and maintain retrievable copies of ePHI backups. The proposed rule also requires covered entities to perform a criticality analysis to assess and document the relative importance of their electronic information systems and technology assets, including those not directly involved with ePHI, to determine their restoration priority. The proposed rule mandates that covered entities test the contingency plan annually. The rule would require covered entities to restore critical systems and data within 72 hours and to follow their criticality analysis when restoring other systems.