With large data breaches rising in healthcare, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is proposing to modify the HIPAA Security Rule to require health plans, clearinghouses and most providers, and their business associates, to strengthen cybersecurity protections for individuals' protected health information.
This marks the first time HHS has sought to update the HIPAA Security Rule since 2013.
The rule would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information (ePHI). The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated regularly. OCR said the rule would also better align the Security Rule with modern cybersecurity best practices.
These proposals address:
• Changes in the environment in which healthcare is provided.
• Significant increases in breaches and cyberattacks.
• Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
• Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
• Court decisions that affect enforcement of the Security Rule.
For example, the proposed rule would require greater specificity in how a risk analysis is conducted. New express requirements would include a written assessment that contains, among other things:
• A review of the technology asset inventory and network map.
• Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
• Identification of potential vulnerabilities and predisposing conditions in the regulated entity's relevant electronic information systems.
• An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
The rule also would require network segmentation, vulnerability scanning at least every six months, and penetration testing at least once every 12 months.
“Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of people affected annually has skyrocketed exponentially, a number we expect to grow even higher this year with the Change Healthcare breach, the largest breach in our health care system in U.S. history,” said OCR Director Melanie Fontes Rainer, in a statement. “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing healthcare meet their obligations to protect the security of individuals’ protected health information across the nation.”
OCR has seen a substantial increase in reports of large breaches over the last five years. From 2018 to 2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily due to increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches, a new record. Since 2019, large breaches caused by hacking and ransomware have increased by 89 percent and 102 percent, respectively.
While HHS is undertaking this rulemaking, the current Security Rule remains in effect.