cybersecurity strategy

Plan Ahead for HIPAA Security Rule Updates

With cybersecurity threats in healthcare at an all-time high, now is an excellent time to prepare for HIPAA Security Rule changes.

Although the Privacy Rule has been modified in recent years, the Security Rule has remained unchanged since the Omnibus Final Rule in 2013. However, in the last several months, HHS has been signaling that changes are coming.

First came the Healthcare Sector Cybersecurity Strategy, published in December 2023. Then, in mid-February, HHS and the National Institute of Standards and Technology (NIST) published a revised guide on complying with the HIPAA Security Rule. Special Publication (SP) 800-66 Revision 2 is designed to help regulated entities understand and implement the Security Rule requirements.

The December Strategy outlines a comprehensive healthcare cybersecurity plan, including introducing new cybersecurity requirements to the HIPAA Security Rule. HHS said it plans to begin this update in Spring 2024.

There are four central elements in the concept paper, with #1 being the most important for covered entities and business associates:

  1. Establish voluntary cybersecurity performance goals for the healthcare sector
  2. Provide resources to incentivize and implement these cybersecurity practices
  3. Implement an HHS-wide strategy to support greater enforcement and accountability
  4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

HHS acknowledges that many different cybersecurity standards and guidance apply to healthcare, leading to confusion about which to prioritize. The cybersecurity performance goals (CPGs) will help regulated entities decide where to put their resources.

HHS Publishes Cybersecurity Performance Goals

On March 11, HHS released its fiscal 2025 budget proposal for $1.3 billion to improve healthcare cybersecurity. The new CPGs were included in the proposal.

The new CPGs “will include both ‘essential’ goals to outline minimum foundational practices for cybersecurity performance and ‘enhanced’ goals to encourage adoption of more advanced practices.”

The essential CPGs from HHS include:

  • mitigating known vulnerabilities;
  • using email security, multi-factor authentication, strong encryption, and incident response planning;
  • separating user and privileged accounts;
  • addressing vendor and supplier risk; and
  • offering cybersecurity training to employees.

HHS said the enhanced goals are designed to help healthcare organizations step up their cybersecurity capabilities and defend against additional attack vectors. Those goals address asset inventory, third-party vulnerability disclosures and incident reporting, and cybersecurity testing and mitigation.

In the short term, healthcare companies should ensure they meet the essential goals before they become law. Each CPG is already well-known in various cybersecurity publications, whether from HHS, NIST, the FBI, or the Cybersecurity and Infrastructure Security Agency (CISA). Focus on these five essential goals today to stay ahead of the regulators.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU