With the increasing number of cybersecurity breaches in healthcare over the past decade, the industry faces a critical need for stronger security measures. The recent attack on Change Healthcare served as a wake-up call, leading to a notice of proposed rulemaking (NPRM) from HHS in December 2024. The proposed rule aims to enhance cybersecurity requirements and address the evolving threat landscape.
The HHS Cyber Performance Goals introduced in 2023 signaled a push for stricter security measures across the industry. Despite the HITECH Act being signed more than 15 years ago, HIPAA regulations have not kept pace with modern cyber threats. The proposed rule aims to eliminate ambiguity in the original security rule and reinforce essential safeguards.
Key proposed changes include making all security requirements mandatory by eliminating “addressable” standards, requiring comprehensive asset and technology management programs, formalizing security and risk management programs, enhancing incident response and disaster recovery protocols, strengthening access governance controls, and mandating encryption, multi-factor authentication, and anti-malware protections.
For healthcare organizations still struggling with asset management and budget constraints, implementing these updates could be challenging. The NPRM is expected to move through Congress by mid-2025, but ongoing leadership changes and an executive order pausing new regulations may impact the timeline for implementation.
Scott Mattila, CISO and COO of Intraprise Health, emphasized the importance of proactive measures in reducing cyber risks in healthcare. Prescriptive, proactive measures help eliminate ambiguity and ensure that organizations implement necessary controls to protect electronic protected health information. Leveraging frameworks such as HITRUST and NIST can provide clear expectations for achieving security maturity and resilience.
Hospitals and health systems can prepare for the upcoming security regulations by identifying vulnerabilities, engaging leadership and key stakeholders, conducting a gap analysis, prioritizing mitigation efforts, and evaluating their current security tools and technology stack. Compliance with crucial mandates such as encryption, multi-factor authentication, and vulnerability management requires a proactive, well-structured approach to ensure long-term security.
The proposed rule also increases accountability for business associates, treating them as direct extensions of covered entities with greater responsibility and liability for protecting patient information. Business associates must align with covered entities on security expectations, strengthen internal controls, and take a proactive role in ensuring HIPAA compliance to avoid regulatory penalties.
In conclusion, healthcare organizations need to strengthen their cybersecurity posture to prevent becoming the next breach headline. By implementing proactive measures, preparing for upcoming regulations, and fostering compliance partnerships, the industry can better protect patient data and mitigate cyber risks.