Security Rule Updates

A new HIPAA Security Rule update proposal was published on December 27, 2024.

We’ve anticipated this for about a year, since the U.S. Department of Health and Human Services (HHS) published its Healthcare Sector Cybersecurity Strategy in December 2023. Last year, HHS also published voluntary Cybersecurity Performance Goals (CPGs), signaling the upcoming Security Rule changes. Most of the voluntary CPGs are now part of the mandated Security Rule requirements in the proposed rule.

The astonishing growth of ransomware and cyberattacks on the healthcare sector in recent years has prompted HHS to push the industry to modernize and update cybersecurity practices. The Security Rule updates are part of this push.

The complete Notice of Proposed Rulemaking (NPRM) is here.

HHS published a Fact Sheet which summarizes the NPRM.

HIPAA Risk Analysis Needs to Improve

The heart of most proposed changes is strengthening risk analysis and risk management procedures. From requiring an asset inventory to business associate due diligence to mandating encryption, multi-factor authentication, vulnerability scanning, and network segmentation, the proposal doubles down on requiring more current cybersecurity practices, which have been encouraged for several years.

Some of the key changes listed in the Fact Sheet include:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Add specific compliance time periods for many existing requirements.
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of electronic Protected Health Information (ePHI) throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis.
  • Strengthen requirements for contingency planning and responding to security incidents. Specifically, regulated entities would be required to, for example:
    • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
    • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
    • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
    • Implement written procedures for testing and revising written security incident response plans.
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure compliance with the Security Rule requirements.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for subcontractor business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Require encryption of ePHI at rest and in transit, with limited exceptions.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require network segmentation.
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.

HIPAA Training is Essential

The proposed rule repeatedly emphasizes the importance of HIPAA training, even noting that “Many regulated entities have determined that twice-annual training and monthly security updates are necessary, given their risk analyses.” The workforce is the first line of defense against cybercrime, but it needs training to recognize and resist cybercriminals’ sophisticated social engineering tactics.

Prepare Now to Get Ahead of the Security Rule Update

Rulemaking is a long process, and the current proposal is many months from becoming final. However, it’s not too soon to strengthen your compliance with the HIPAA Security Rule.

  • Refresh your HIPAA Risk Analysis.
  • Review the voluntary Cybersecurity Performance Goals.
  • Conduct due diligence with business associates and subcontractor business associates.
  • Create a contingency plan or review and refresh one you already have.
  • Require multi-factor authentication across the organization.
  • Conduct vulnerability scanning and penetration testing.
  • Review and refresh workforce training and provide it at least twice a year.

The HIPAA E-Tool® can help if you need guidance or have any HIPAA compliance questions.
