Navigating the New HHS Healthcare Cybersecurity Proposals

January 13, 2025

At the end of 2024, the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), introduced an update to the HIPAA Security Rule for the first time since 2013 to improve cybersecurity posture. Currently in its 60-day public comment period, this proposal aims to bolster the protection of electronic protected health information (ePHI) in response to the healthcare sector's escalating cyber threats. Here is a detailed look at what these updates entail and what they mean for healthcare providers and associated businesses.

Why This Update Matters

Cybersecurity in the healthcare industry has never been more critical. With a 95% increase in large breaches (affecting 500 or more individuals) reported to the HHS Office for Civil Rights from 2018 to 2024 and ransomware attacks soaring more than tenfold during the same period, the need for robust cybersecurity measures is clear.

In addition to the impact on patient care, the disruption of services and the compromise of patient safety, the financial toll of cyber incidents in healthcare is significant. The average cost of a healthcare data breach was $9.77 million in 2024, the highest among all industries. Even that figure is nowhere close to the projected cost of the Change Healthcare cyberattack, which is estimated to reach $2.87 billion in 2024. That staggering amount includes direct response costs and business disruption impacts, including the upstream and downstream supply chains.

Key Proposals in the HIPAA Security Rule Update

Here are the main elements of the proposed changes to strengthen cybersecurity protections for electronic protected health information (ePHI).

  1. Elimination of "Addressable" Implementation Specifications
    The current HIPAA Security Rule distinguishes between "required" and "addressable" implementation specifications. The new proposal seeks to eliminate this distinction by making all specifications required. This change aims to ensure a uniform application of security measures across all covered entities and business associates. However, specific exceptions will still allow for flexibility where necessary.
  2. Enhanced Cybersecurity Measures
    The proposal includes explicit requirements to implement multifactor authentication (MFA) for access to ePHI, making MFA mandatory rather than optional, and to strengthen encryption practices for ePHI.
  3. Regular Compliance Checks
    Healthcare organizations will now be mandated to undergo regular (annual) compliance audits to ensure adherence to the updated security standards. This encourages continuous monitoring rather than reactive measures post-incident.
  4. Focus on Incident Response
    A strong emphasis is being placed on having a comprehensive incident response (IR) plan. IR plans should include detecting and responding to breaches and managing the aftermath, ensuring that patient care is not compromised during recovery from cyber incidents.
  5. Data Restoration and Recovery
    The proposal would require written procedures to restore lost electronic information systems and data within 72 hours of an incident, ensuring rapid recovery to maintain patient care integrity.
  6. Policy and Procedure Updates
    All policies and procedures must be documented in writing and regularly reviewed, tested and updated to reflect current cybersecurity best practices. The emphasis is on developing procedures and testing their effectiveness: for example, documenting how risks are assessed, how security measures are chosen and implemented, and how these practices are regularly reviewed and updated.
  7. Alignment with Modern Best Practices
    The rule seeks to align with the HHS Healthcare and Public Health critical infrastructure sector Cybersecurity Performance Goals (CPGs). These goals include adopting high-impact cybersecurity practices, initially voluntarily, with the potential for future rulemaking to make some requirements mandatory.
  8. Clarity and Specificity
    The rule aims to provide more specific instructions on what covered entities and their business associates must do to protect ePHI. It focuses on reducing ambiguity and improving security measures.
  9. Focus on Risk Management
    The proposed rule focuses on enhancing and strengthening requirements for regular risk assessments to identify, evaluate and mitigate cybersecurity risks. Beyond just identifying risks, the proposed rule emphasizes the need for an active, ongoing risk management strategy. This includes implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Public Comment Period

The 60-day public comment period, set to end on February 25, 2025, allows stakeholders across the healthcare sector to provide feedback on the proposed changes. This includes healthcare providers, insurers, technology vendors and patient advocacy groups. The goal is to refine these rules based on practical insights from those who will implement them. The feedback will be crucial in shaping the final version of the regulations, ensuring they are both effective and practical.

Next Steps and Implementation

Following the comment period, HHS will review all inputs and adjust the draft as needed before finalizing the rule. Implementation will involve a phased approach, giving organizations time to comply, possibly with support through federal funding or incentives to offset the substantial costs.

Protect Your Data and Your Patients

The proposed updates to the HIPAA Security Rule are a pivotal step towards securing health information in an era of increasing cyber threats. While the proposed changes are not without cost, this financial commitment reflects the serious approach to safeguarding health data and highlights healthcare providers' need for strategic financial planning. The long-term benefits of enhanced cybersecurity could lead to fewer breaches, protecting both patient data and the integrity of healthcare services.

The proposed changes to the HIPAA Security Rule do not explicitly mandate the adoption of a specific cybersecurity framework for compliance. However, the rule emphasizes alignment with modern cybersecurity best practices, indirectly encouraging the use of established frameworks. A recognized cybersecurity framework is a best practice for implementing the proposed HIPAA Security Rule changes. It would help demonstrate compliance with the rule's requirements for risk management, security controls, and response planning. Optiv can help organizations choose and implement frameworks like NIST CSF, ISO 27001, and HITRUST CSF or even adopt elements from CPGs to meet these new standards effectively.

Optiv delivers cybersecurity services and solutions and helps its clients develop, implement and manage governance, risk and compliance (GRC) programs. Our experts also evaluate clients' existing and proposed cybersecurity controls, technology stacks and cybersecurity solutions to address risk and compliance requirements and align with business plans and priorities.

Contact us today to learn more about how Optiv can help your organization effectively meet the proposed HIPAA Security Rule changes.

Keith Forrester
Principal Security Advisor | Optiv
Keith Forrester is a principal security advisor at Optiv, working with global Fortune 500 companies to assess, manage and maintain GRC programs for their organizations. Keith has over 30 years of delivering and managing information security governance, risk and compliance programs and projects across various industries, including healthcare. He has also performed and led HIPAA, NIST 800-53, NIST CSF and PCI DSS security assessments for multinational organizations and serves in various vCISO roles for client organizations.