In the final days of the Biden administration, a proposed overhaul of the HIPAA Security Rule was widely expected to be modified under the incoming Trump administration, according to regulatory attorney Sharon Klein of the law firm Blank Rome. Klein emphasized the necessity of updating the Security Rule, which has remained largely unchanged for two decades despite significant advancements in technology. Notably, she pointed out that the iPhone had not yet been released when the original Security Rule was adopted.
The existing Security Rule provides flexibility by requiring that patient data be rendered unreadable and masked without stipulating specific methods. In contrast, the proposed updates would make encryption a strict requirement. Klein noted that while the enhanced security measures, such as encryption and multi-factor authentication, are positive steps toward reducing unauthorized access to patient data, the financial burden of implementing these requirements could pose significant challenges, especially for community hospitals and small practitioners.
Organizations may be compelled to undertake extensive change management initiatives to adapt to these new regulations, which could translate to costs running into the millions and implementation timelines stretching over several years. Klein argues that the potential for increased operational expenses may ultimately be transferred to patients, creating further concerns about healthcare accessibility.
Looking forward, Klein expressed that the initial actions of the new administration would be crucial, with expectations that the proposed rule would be scaled back rather than entirely abandoned. While recognizing the pressing need for an update after two decades, she pointed out that a gradual approach would better accommodate the financial realities faced by healthcare institutions.
In a recent audio interview with Information Security Media Group, Klein elaborated on several broader issues impacting the regulatory landscape. She discussed the necessity for regulated organizations to bolster their cybersecurity practices amid regulatory uncertainties, particularly highlighting the shifting dynamics around the enforcement of regulations under the Trump administration.
Additionally, Klein commented on the evolving role of the courts in shaping the future of regulations, including recent changes to the HIPAA Privacy Rule regarding reproductive health, instituted by HHS during the Biden administration. She also highlighted emerging state and federal cybersecurity measures that target consumer health data beyond the HIPAA framework, and underscored the importance of addressing critical issues related to artificial intelligence in healthcare.
Klein also draws on lessons from significant cyberattacks and breaches that occurred in the past year, including the notable ransomware attack on Change Healthcare. At Blank Rome, where she co-chairs the privacy and data protection group, Klein advises businesses on navigating the complex landscape of data privacy, compliance, and breach response strategies. She is also a certified information privacy professional through the International Association of Privacy Professionals.
As organizations prepare for the changes ahead, a thorough understanding of the MITRE ATT&CK framework will prove essential. Its tactics, such as initial access, persistence, and privilege escalation, describe the stages adversaries may employ in an intrusion, providing key insights into potential cybersecurity threats as the landscape continues to evolve.