With large data breaches growing in healthcare, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is proposing to modify the HIPAA Security Rule to require health plans, clearinghouses and most providers and their business associates to strengthen cybersecurity protections for individuals' protected health information.
This marks the first time HHS has sought to update the HIPAA Security Rule since 2013.
The rule would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated regularly. OCR said that it would also better align the Security Rule with modern best practices in cybersecurity.
These proposals address:
• Changes in the environment in which healthcare is provided.
• Significant increases in breaches and cyberattacks.
• Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
• Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
• Court decisions that affect enforcement of the Security Rule.
For instance, the proposed rule would require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
• A review of the technology asset inventory and network map.
• Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
• Identification of potential vulnerabilities and predisposing conditions to the regulated entity's relevant electronic information systems.
• An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
It also would require network segmentation, vulnerability scanning at least every six months, and penetration testing at least once every 12 months.
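As an added illustration, not taken from the article, HHS or OCR, here is a small Python sketch of the written risk analysis elements listed above (asset inventory with network-map segment, threat/vulnerability pairs rated by likelihood) together with a check against the proposed scan and penetration-test cadence. The sample dates, the 1-5 likelihood scale and its thresholds, the day counts used for "six months" and "12 months", and the segmentation heuristic are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Cadence floors from the proposed rule (six months / 12 months); day counts are assumed.
SCAN_MAX_AGE = timedelta(days=183)
PENTEST_MAX_AGE = timedelta(days=365)

@dataclass
class Asset:                      # one row of the technology asset inventory
    name: str
    stores_ephi: bool
    segment: str                  # segment taken from the network map
    last_vuln_scan: date | None
    last_pentest: date | None

@dataclass
class Risk:                       # one identified threat/vulnerability pair
    asset: str
    threat: str
    vulnerability: str
    likelihood: int               # 1 (rare) .. 5 (near certain); assumed scale

    def level(self) -> str:
        # Level keyed to likelihood of exploitation; thresholds are assumed.
        return "high" if self.likelihood >= 4 else "medium" if self.likelihood >= 2 else "low"

def cadence_findings(assets, today):
    """Flag ePHI systems whose last scan / pen test is older than the floors."""
    out = []
    for a in assets:
        if not a.stores_ephi:
            continue
        if a.last_vuln_scan is None or today - a.last_vuln_scan > SCAN_MAX_AGE:
            out.append((a.name, "vulnerability scan overdue"))
        if a.last_pentest is None or today - a.last_pentest > PENTEST_MAX_AGE:
            out.append((a.name, "penetration test overdue"))
    return out

def segmentation_findings(assets):
    """Assumed heuristic: ePHI systems should not share a segment with non-ePHI ones."""
    mixed = {a.segment for a in assets if not a.stores_ephi}
    return [a.name for a in assets if a.stores_ephi and a.segment in mixed]

# Constructed sample inventory and risk register.
ASSETS = [Asset("ehr-db", True, "clinical", date(2024, 9, 1), date(2024, 2, 1)),
          Asset("billing-app", True, "corp", date(2024, 3, 1), date(2024, 6, 1)),
          Asset("guest-wifi", False, "corp", None, None)]
RISKS = [Risk("ehr-db", "ransomware", "unpatched remote service", 4),
         Risk("billing-app", "phishing", "no MFA on portal", 3)]
```

Running `cadence_findings(ASSETS, date(2024, 12, 27))` flags only the billing application's overdue scan, while `segmentation_findings(ASSETS)` flags it for sharing the "corp" segment with the guest network.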
“Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of people affected annually has skyrocketed exponentially, a number we expect to grow even larger this year with the Change Healthcare breach, the largest breach in our health care system in U.S. history,” said OCR Director Melanie Fontes Rainer, in a statement. “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing healthcare meet their obligations to protect the security of individuals’ protected health information across the nation.”
OCR has seen a substantial increase in reports of large breaches received over the last five years. From 2018 to 2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches, a new record. Since 2019, large breaches caused by hacking and ransomware have increased 89 percent and 102 percent, respectively.
While HHS is undertaking this rulemaking, the current Security Rule remains in effect.