HHS OCR Proposes Measures to Strengthen Healthcare Cybersecurity Under HIPAA

On December 27, 2024, the US Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to strengthen cybersecurity and better protect the US healthcare system from the rising number of cyberattacks. The proposed rule seeks to update the HIPAA Security Rule for the first time since 2013, requiring health plans, healthcare clearinghouses (which facilitate the exchange of healthcare data between providers and payers), healthcare providers, and their business associates to enhance protections for individuals’ protected health information (PHI). This effort aligns with the HHS Healthcare and Public Health Critical Infrastructure Sector Cybersecurity Performance Goals.

According to OCR, there has been a significant increase in large breach reports over the past five years. Between 2018 and 2023, reports of large breaches rose by 102 percent, and the number of individuals affected surged by 1002 percent, driven largely by hacking and ransomware attacks. In 2023, over 167 million individuals were impacted by large breaches—a record high. Since 2019, hacking and ransomware-related breaches have increased by 89 percent and 102 percent, respectively.

To address these growing threats, the proposed rule would modify the HIPAA Security Rule to ensure better protection of electronic protected health information (ePHI) against both external and internal threats. It would provide clearer, more specific guidance on the actions covered entities and their business associates must take to safeguard ePHI.

The proposed rule would also require that policies and procedures be in writing, reviewed, tested, and updated regularly. Additionally, it would align the Security Rule with modern best practices in cybersecurity. These proposals address:

    • Changes in the environment in which healthcare is provided.
    • Significant increases in breaches and cyberattacks.
    • Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
    • Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
    • Court decisions that affect enforcement of the Security Rule.

While the Department is undertaking this rulemaking, the current Security Rule remains in effect.

The HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) can be viewed at the Federal Register.

A fact sheet on the HIPAA Security Rule NPRM is available in English from OCR.

Compliance Perspective

Issue

Cyber incidents in healthcare have surged in recent years, with reports of large breaches increasing significantly. From 2018 to 2023, breaches reported to OCR rose by 102 percent, affecting 1002 percent more individuals. A substantial portion of these breaches is attributed to hacking and ransomware attacks. These breaches have severely impacted healthcare organizations, causing extended disruptions in patient care, delays in medical procedures, and patient diversions, all of which pose significant risks to patient safety. As cyber threats continue to evolve, the need for updated cybersecurity measures under HIPAA becomes increasingly critical. The HIPAA Security Rule is designed to protect the confidentiality, integrity, and availability of ePHI, ensuring that regulated entities safeguard against reasonably anticipated threats and unauthorized disclosures.

Discussion Points

    • Review and update your policies on HIPAA, ePHI, and the Privacy Rule to ensure they address emerging cybersecurity risks, including ransomware and hacking. These updates should align with the proposed changes to the HIPAA Security Rule.
    • Train all staff on HIPAA compliance, emphasizing ePHI security, recognizing phishing attempts, and preventing malware exposure. Training should be repeated annually, whenever new updates to HIPAA or cybersecurity best practices are issued, and whenever new threats are identified.
    • Conduct periodic audits to ensure that policies and procedures related to ePHI security are being followed, and that staff demonstrate the competencies needed to manage cybersecurity risks effectively.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*