The Department of Health and Human Services (HHS) proposed a rule days before the new year began that would hold healthcare organizations to a higher standard for protecting sensitive healthcare information from security threats like cyberattacks.
The proposal would require that entities covered by the Health Information Portability and Accountability Act (HIPAA) achieve specific technical standards like encryption and multifactor authentication. The rule also holds business associates to higher security standards and emphasizes that group health plans have a responsibility to protect electronic health information.
Technology has changed significantly since the HIPAA Security Rule was last updated in 2013, the HHS’ Office for Civil Rights (OCR) said in its notice of proposed rulemaking (NPRM). The rapid advancement of technology has increased the prevalence of electronic health information and the frequency of cyberattacks on the healthcare industry.
Cyberattacks have negative effects on patient care, including delays in tests or procedures, longer stays, and increased mortality rates and complications from medical procedures as well as patient transfers or diversions to other facilities, the OCR said in the rule.
The OCR proposed to update the definitions of some terms like confidentiality and add new definitions like multifactor authentication. It also beefs up the administrative, technical and physical safeguards HIPAA-covered entities should implement to protect electronic health information.
Along with the development of new technology, which requires new standards for security, the OCR also seeks to provide clarification on the 2003 HIPAA Security Rule, because healthcare organizations have misunderstood it, the agency said.
“OCR’s experience investigating allegations of Security Rule violations … demonstrate[s] that regulated entities are not consistently complying with the Security Rule’s requirements,” the agency said in the proposed rule.
One of the clarifications OCR makes in the NPRM is that “all” electronic protected health information (ePHI) is subject to the rule, said Steve Cagle, director of cybersecurity firm Clearwater. The OCR wanted to clarify the language in the rule because some organizations read the text as exempting some forms of ePHI.
The proposed rule also focuses on security measures that will bolster a healthcare organization’s ability to recover in the event of a security breach. When deciding on security practices, healthcare organizations would have to consider how a given practice would affect the resiliency and availability of information during an incident.
Cagle also noted that the OCR adds requirements to ensure modern security practices are implemented and regularly tested for efficacy. The rule would require that most cybersecurity practices be reviewed at least once a year or whenever there is a change that may affect ePHI.
For many healthcare organizations, the proposed updates to their security practices would be minor, Cagle said. Many of the required practices have already been implemented in healthcare. But, for a small minority of healthcare organizations that have fallen behind on cybersecurity, the rule could be a major lift.
Cagle’s firm Clearwater advises organizations on cybersecurity. It can take years to get a health system up to speed on modern cybersecurity, he noted. The proposed rule would set a compliance date six months after its finalization.
Lee Kim is the senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society. She said the proposed update gives specific examples of industry best practices for cybersecurity rather than theoretical goal posts for healthcare organizations.
“It also would require more from business associates and third-party vendors,” Kim said. “We do know clearly that there isn’t anything yet on the book, so to speak, that speaks to that kind of verification that you actually are implementing security controls, and I think that’s a way to ensure that what you’ve agreed to actually has some teeth and something of substance behind that.”
But the rule still offers HIPAA-covered entities some flexibility in determining which security measures are appropriate for their organization. “We still have some autonomy and leeway as how to do these various things like risk assessments on down, [but] we’re given more guidance,” Kim said.
The proposed rule would also specifically apply to new technologies in healthcare like artificial intelligence, quantum computing, virtual reality and applied reality. The proposed rule clarifies that healthcare organizations must conduct risk assessments of the cybersecurity threats of new AI tools like ambient scribes or radiology solutions.
“The regulated entity’s risk analysis must include consideration of, among other things, the type and amount of ePHI accessed by the AI tool, to whom the data is disclosed, and to whom the output is provided,” the proposed rule says.
Trump officials will decide whether to scrap or rework the proposal. Cybersecurity was one of healthcare’s key focal points in 2024 from a policy perspective in part because of the massive ransomware attack on UnitedHealth Group’s claims processing subsidiary Change Healthcare.
But even before the Change attack, policymakers had been working on cybersecurity. In December 2023, the HHS released voluntary cybersecurity performance goals (CPGs) to help organizations enhance security.
The OCR says it drew from the CPGs in the proposed rule along with frameworks and best practices from other government entities like the National Institute of Standards and Technology and the HHS’ 405(d) program.
A government watchdog released a report in November that accused the OCR of not taking appropriate steps to mitigate cybersecurity risks to healthcare organizations in the years leading up to an explosion of health data breaches. The HHS’ Office of Inspector General (OIG) criticized OCR’s HIPAA Audit Program, noting that it has not completed an audit since 2017.
The OCR wrote in 2023 that “there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware … Additionally, the large breaches reported this year [2023] have affected over 88 million individuals, a 60% increase from last year.”
The current director of the OCR under President Joe Biden, Melanie Fontes-Rainer, responded to the OIG report saying her office has not had enough funding to complete additional HIPAA audits. The OCR announced its intention to restart its HIPAA Audit Program in February 2024.
An HHS webpage says the OCR will audit 50 covered entities and business associates in its 2024-25 cycle.
This article was originally published on fiercehealthcare