White House Evaluating Revisions to HIPAA Security Regulations

Proposal for HIPAA Security Rule Updates Moves to Public Comment Phase: Implications and Next Steps

The Department of Health and Human Services (HHS) has officially submitted long-anticipated updates to the 20-year-old HIPAA Security Rule for review by the White House. These modifications aim to enhance the cybersecurity measures in place for protecting electronic protected health information (ePHI), a vital aspect of safeguarding sensitive patient data against increasingly sophisticated cyber threats.

Marissa Gordon Nguyen, a senior advisor for health information privacy, data, and cybersecurity at the HHS’ Office for Civil Rights, revealed during a recent HIPAA summit that the proposed draft is not yet public. However, once it has undergone evaluation by the White House’s Office of Management and Budget, HHS plans to publish a notice of proposed rulemaking by the end of this year and will seek public feedback for 60 days. These efforts are part of a broader initiative outlined in a concept paper published by HHS in December 2023, aimed at strengthening cybersecurity across the healthcare sector.

The proposed updates are designed to bolster the cybersecurity defense mechanisms of entities regulated under HIPAA, reflecting growing concerns over the security of healthcare data. One avenue being explored by HHS includes potential new cybersecurity requirements for hospitals and healthcare providers, which could be incorporated into Medicare and Medicaid financial frameworks, possibly linking compliance with financial incentives or penalties.

Earlier this year, HHS outlined "voluntary" enhanced cybersecurity performance goals, which could potentially evolve into mandatory regulations. However, the Centers for Medicare and Medicaid Services (CMS) has yet to release the expected proposed regulations related to these cybersecurity measures. There is notable pushback within the healthcare sector, particularly from organizations such as the American Hospital Association, which have raised concerns over the fairness of imposing stringent cybersecurity regulations exclusively on hospitals when breaches can involve a broader array of entities, including vendors and health insurers.

As HHS works through these complex issues, the current administration is under pressure to finalize the updates to the HIPAA Security Rule amid the looming uncertainties of the upcoming presidential election. Regardless of which party takes office, there is a substantial risk that these proposed changes could be rescinded or significantly altered. This potential instability poses additional challenges for healthcare organizations striving to improve their cybersecurity frameworks.

In light of these developments, stakeholders should also consider the external cybersecurity landscape. The tactics and techniques catalogued in the MITRE ATT&CK framework, particularly those related to initial access, privilege escalation, and persistence, may reflect the methods malicious actors use against healthcare organizations. Understanding these tactics is essential as entities prepare to adapt to the regulatory changes and strengthen their defenses against cyber threats.

As the proposal advances to the public comment stage, healthcare stakeholders are encouraged to engage with the process actively. The insights gathered during this phase could significantly influence the final regulations aimed at enhancing the overall security posture of the healthcare system.
