Since its enactment in 1996, HIPAA compliance has been a top priority for healthcare industry leaders, with the primary goal of protecting patient information. In 2005, these regulations were expanded with the introduction of the Security Standards for the Protection of Electronic Protected Health Information, also known as the “Security Rule.” This set of standards was designed to safeguard electronically stored patient data, with the last update occurring in 2013.
Time for a Change?
As threats to this information continue to evolve, officials are proposing additional protections in a 400-page working draft from the U.S. Department of Health and Human Services (HHS), issued through its Office for Civil Rights (OCR). If adopted in 2025, this proposal would formalize current security best practices as mandatory requirements for healthcare providers, health plans, clearinghouses, and their business associates. Experts have characterized this update as more comprehensive and less flexible than previous versions of HIPAA, a change HHS characterizes as necessary. “We are concerned that some regulated entities proceed as if compliance with an addressable implementation specification is optional,” HHS wrote in its latest proposal. “That interpretation is incorrect and weakens the cybersecurity posture of regulated entities.”
Proposed Updates
This update would require specific documentation of compliance efforts by all parties involved in the creation and transmission of information, including risk analyses that detail the following:
- How information is created, stored, and moved
- External sources of electronic protected information
- Human, natural, and electronic threats to this information
- Risk posed by either using or replacing legacy devices
The proposal goes on to discuss requirements for patch management, access controls, multifactor authentication (MFA), encryption, backup and recovery, incident reporting, and more. For more information, you can view the full proposal on the Federal Register website.
Interested in learning how Legion Cyberworks can work with your healthcare company? Contact us today!