Healthcare CIOs and CISOs are monitoring the recent proposal by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to update the HIPAA Security Rule. These changes, outlined in a Notice of Proposed Rulemaking (NPRM), aim to increase cybersecurity protections for electronic protected health information (ePHI). As leaders evaluate the potential impact, the main question is whether these updates will merely satisfy compliance requirements or genuinely strengthen the security framework for safeguarding patient data.
The critical measures for a healthcare CIO fall under two themes:
Enhanced Documentation
The proposal states that regulated entities must maintain a comprehensive and up-to-date technology asset inventory and network map that tracks electronic protected health information (ePHI) flow across their electronic systems. Organizations must review and revise the inventory and map annually or whenever significant changes in the entity’s environment or operations could impact ePHI.
Creating updated inventory and system mapping is challenging for organizations that do not have many technical, let alone dedicated, security resources. Small organizations may need to bring in a dedicated virtual CIO or consultant resources to manage this piece of work. Carter Groome, CEO at Health First Advisory, agrees and said, “Small and rural facilities would struggle mightily to meet these baselines – just obtaining an accurate asset inventory is an enormous task.”
Organizations must create written procedures to restore critical electronic information systems within 72 hours of a loss. Establishing written procedures is a great start, but healthcare organizations must regularly test and validate their ability to restore systems within the timeframe. This process is complex and requires consistent practice to ensure readiness.
The main concern for a healthcare CIO is that operationalizing a 72-hour system restore turnaround requires a complete redesign of disaster recovery plans. Healthcare executives should start budgeting for this effort now, because it will drive up costs.
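The inventory-and-map requirement and the 72-hour restore requirement described above both lend themselves to a routine self-check rather than a once-a-year scramble. The Python script below is an added example written for this article, not code from the article, from OCR, or from any vendor; the asset names, review dates, ePHI flows and drill timings are constructed, and it checks only the annual review cadence, not the "significant change" trigger, which needs a human judgement. It cross-checks the network map against the inventory (every endpoint on the map must be inventoried, and any system an ePHI flow touches must be flagged as handling ePHI), flags inventory entries not reviewed in the last year, and flags critical systems whose most recent restore drill is missing, stale, or exceeded the 72-hour target.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Review cadence and restore target as the article summarizes the proposed rule.
REVIEW_INTERVAL = timedelta(days=365)
RESTORE_TARGET = timedelta(hours=72)


@dataclass
class Asset:
    name: str
    handles_ephi: bool
    critical: bool = False
    last_reviewed: Optional[date] = None
    # Most recent restore drill as (started, finished); None if never exercised.
    last_restore_drill: Optional[Tuple[datetime, datetime]] = None


@dataclass
class Flow:
    """One edge of the network map: ePHI (or other data) moving src -> dst."""
    src: str
    dst: str
    carries_ephi: bool


def inventory_findings(assets: List[Asset], flows: List[Flow], today: date) -> List[str]:
    """Consistency checks between the technology asset inventory and the network map."""
    findings = []
    by_name = {a.name: a for a in assets}
    for a in assets:
        if a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL:
            findings.append(f"{a.name}: inventory entry not reviewed within the last year")
    for f in flows:
        for endpoint in (f.src, f.dst):
            a = by_name.get(endpoint)
            if a is None:
                findings.append(f"flow {f.src}->{f.dst}: {endpoint} is on the map but not in the inventory")
            elif f.carries_ephi and not a.handles_ephi:
                findings.append(f"flow {f.src}->{f.dst}: {endpoint} receives ePHI but is not marked as handling it")
    return findings


def restore_findings(assets: List[Asset], today: date) -> List[str]:
    """Check that every critical system has a recent restore drill that met the 72-hour target."""
    findings = []
    for a in assets:
        if not a.critical:
            continue
        if a.last_restore_drill is None:
            findings.append(f"{a.name}: restore procedure has never been exercised")
            continue
        started, finished = a.last_restore_drill
        if finished - started > RESTORE_TARGET:
            findings.append(f"{a.name}: last drill took {finished - started}, exceeding the 72-hour target")
        if today - finished.date() > REVIEW_INTERVAL:
            findings.append(f"{a.name}: last restore drill is more than a year old")
    return findings


TODAY = date(2025, 3, 1)  # constructed reference date for the sample run


def sample_environment() -> Tuple[List[Asset], List[Flow]]:
    """Constructed inventory and map for a hypothetical hospital; every name here is made up."""
    assets = [
        Asset("ehr-db", handles_ephi=True, critical=True, last_reviewed=date(2025, 2, 1),
              last_restore_drill=(datetime(2025, 1, 10, 8, 0), datetime(2025, 1, 12, 0, 0))),  # 40h drill
        Asset("pacs", handles_ephi=True, critical=True, last_reviewed=date(2024, 1, 15),
              last_restore_drill=(datetime(2025, 2, 3, 9, 0), datetime(2025, 2, 6, 17, 0))),  # 80h drill
        Asset("lab-system", handles_ephi=True, critical=True, last_reviewed=date(2025, 1, 20)),
        Asset("hl7-interface", handles_ephi=False, last_reviewed=date(2025, 2, 10)),
    ]
    flows = [
        Flow("ehr-db", "hl7-interface", carries_ephi=True),
        Flow("pacs", "radiology-workstation", carries_ephi=True),  # endpoint missing from inventory
    ]
    return assets, flows


if __name__ == "__main__":
    assets, flows = sample_environment()
    for line in inventory_findings(assets, flows, TODAY) + restore_findings(assets, TODAY):
        print(line)
```

Run against the constructed data, the script reports five findings: a stale inventory entry, a map endpoint nobody inventoried, an interface engine that carries ePHI without being flagged for it, a restore drill that overran 72 hours, and a critical system whose restore has never been rehearsed. Fed from a real CMDB export and drill log, the same checks give a CIO evidence of readiness between the annual reviews the rule requires.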
Enhanced Technical Safeguards
On the technical side, the proposed rule includes safeguards to strengthen the protection of electronic protected health information (ePHI). It mandates encryption of ePHI both at rest and in transit, with limited exceptions, ensuring data remains secure throughout its lifecycle. Multi-factor authentication is also required to enhance access controls and prevent unauthorized access. These two should be in place now, as they are the industry standard.
Other security safeguards include mandatory vulnerability scanning every six months, penetration testing at least annually, and implementing network segmentation to limit potential breaches.
Separate technical controls for backing up and recovering ePHI and associated systems are required to ensure data integrity and availability. Additionally, regulated entities must review and test the effectiveness of specific security measures annually, replacing the general requirement simply to maintain such measures. These safeguards aim to elevate security posture and reduce risk across healthcare organizations.
These are great steps forward, and Carter Groome applauds the effort and says, “I’m pleased to see OCR leaned on the HHS cyber performance goals (CPGs), and explicit terms such as deploy and required may clarify long-standing ambiguity.”
Unfortunately, the main question is whether, by the time these rules and actions are in place, it will already be too late. Technical guidelines are outdated virtually the day they become law, so healthcare providers must keep pace with technological change and with attackers' ingenuity regardless of what the rule requires.