With cybersecurity threats in healthcare at an all-time high, now is an excellent time to prepare for HIPAA Security Rule changes.

Although the Privacy Rule has been modified in recent years, the Security Rule has remained unchanged since the Omnibus Final Rule in 2013. However, in the last several months, HHS has been signaling that changes are coming.

First came the Healthcare Sector Cybersecurity Strategy, published in December 2023. Then, in mid-February, HHS and the National Institute of Standards and Technology (NIST) published a revised guide on complying with the HIPAA Security Rule. Special Publication (SP) 800-66 Revision 2 is designed to help regulated entities understand and implement the Security Rule requirements.

The December Strategy outlines a comprehensive healthcare cybersecurity plan, including introducing new cybersecurity requirements to the HIPAA Security Rule. HHS said it plans to begin this update in Spring 2024.

There are four central elements in the concept paper, with #1 being the most important for covered entities and business associates:

1. Establish voluntary cybersecurity performance goals for the healthcare sector
2. Provide resources to incentivize and implement these cybersecurity practices
3. Implement an HHS-wide strategy to support greater enforcement and accountability
4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

HHS acknowledges that many different cybersecurity standards and guidance apply to healthcare, leading to confusion about which to prioritize. The cybersecurity performance goals (CPGs) will help regulated entities decide where to put their resources.

HHS Publishes Cybersecurity Performance Goals

On March 11, HHS released its fiscal 2025 budget proposal for $1.3 billion to improve healthcare cybersecurity. The new CPGs were included in the proposal.

The new CPGs “will include both ‘essential’ goals to outline minimum foundational practices for cybersecurity performance and ‘enhanced’ goals to encourage adoption of more advanced practices.”

The essential CPGs from HHS include:

• mitigating known vulnerabilities;
• using email security, multi-factor authentication, strong encryption, and incident response planning;
• separating user and privileged accounts;
• addressing vendor and supplier risk; and
• offering cybersecurity training to employees.

HHS said the enhanced goals are designed to help healthcare organizations step up their cybersecurity capabilities and defend against additional attack vectors. Those goals address asset inventory, third-party vulnerability disclosures and incident reporting, and cybersecurity testing and mitigation.

In the short term, healthcare companies should ensure they meet the essential goals before they become law. Each CPG is already well-known in various cybersecurity publications, whether from HHS, NIST, the FBI, or the Cybersecurity and Infrastructure Security Agency (CISA). Focus on these five essential goals today to stay ahead of the regulators.