With large data breaches rising in healthcare, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is proposing to modify the HIPAA Security Rule to require health plans, clearinghouses and most providers and their business associates to strengthen cybersecurity protections for individuals’ protected health information.
This marks the first time HHS has sought to update the HIPAA Security Rule since 2013.
The rule would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated regularly. OCR said that it would also better align the Security Rule with modern best practices in cybersecurity.
These proposals address:
• Changes in the environment in which healthcare is provided.
• Significant increases in breaches and cyberattacks.
• Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
• Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
• Court decisions that affect enforcement of the Security Rule.
For example, the proposed rule would require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
• A review of the technology asset inventory and network map.
• Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
• Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
• An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
It also would require network segmentation, vulnerability scanning at least every six months, and penetration testing at least once every 12 months.
“Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of individuals affected annually has skyrocketed exponentially, a number we expect to grow even higher this year with the Change Healthcare breach, the largest breach in our health care system in U.S. history,” said OCR Director Melanie Fontes Rainer, in a statement. “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing healthcare meet their obligations to protect the security of individuals’ protected health information across the nation.”
OCR has seen a substantial increase in reports of large breaches received over the past five years. From 2018 to 2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches, a new record. Since 2019, large breaches caused by hacking and ransomware have increased 89 percent and 102 percent, respectively.
While HHS is undertaking this rulemaking, the current Security Rule remains in effect.