Healthcare CIOs and CISOs are closely monitoring the recent proposal by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to update the HIPAA Security Rule. The proposed changes, outlined in a Notice of Proposed Rulemaking (NPRM), aim to strengthen cybersecurity protections for electronic protected health information (ePHI). As leaders assess the potential impact, the key question is whether these updates will merely add compliance requirements to be checked off or whether they will genuinely strengthen the security framework for safeguarding patient data.
The critical measures fall under two key themes for healthcare CIOs:
Enhanced Documentation
The proposal specifies that regulated entities must maintain a comprehensive and current technology asset inventory and network map that tracks the flow of electronic protected health information (ePHI) across their electronic systems. Organizations are required to review and update the inventory and map annually or whenever significant changes in the entity’s environment or operations could impact ePHI.
Building and maintaining an accurate inventory and system map is challenging for organizations that lack technical staff, particularly dedicated security staff. Small organizations may need to engage a virtual CIO or consultant resources to manage this part of the work. Carter Groome, CEO at Health First Advisory, concurs, stating, “Small and rural facilities would struggle greatly to meet these requirements – just obtaining an accurate asset inventory is a massive undertaking.”
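The inventory and network map requirement is only useful if the two artifacts agree with each other and are actually kept current. The following is an added example, not code from the article or from OCR: a small consistency check over a constructed asset inventory and ePHI flow map. It flags systems that appear in the flow map but not in the inventory (and vice versa), inventory entries whose last review is older than a year, and ePHI flows that are not encrypted in transit. All record formats, field names, asset identifiers and protocol names are assumptions made for this example.

```python
"""Consistency checks over a technology asset inventory and an ePHI network map.

Added example with constructed data; the record layout is an assumption,
not a format prescribed by the HIPAA Security Rule NPRM.
"""
from datetime import date, timedelta

# Hypothetical inventory: one record per asset that stores, processes or
# transmits ePHI. Field names are assumptions for this example.
INVENTORY = [
    {"id": "ehr-db-01", "type": "database", "owner": "clinical-it",
     "last_reviewed": date(2025, 3, 1), "encrypted_at_rest": True},
    {"id": "ehr-app-01", "type": "application", "owner": "clinical-it",
     "last_reviewed": date(2025, 3, 1), "encrypted_at_rest": True},
    {"id": "imaging-pacs-01", "type": "imaging", "owner": "radiology",
     "last_reviewed": date(2025, 3, 1), "encrypted_at_rest": True},
    {"id": "lab-interface-01", "type": "integration", "owner": "lab",
     "last_reviewed": date(2023, 11, 15), "encrypted_at_rest": False},
]

# Hypothetical network map: directed flows between asset ids, with the
# transport protocol and whether the flow carries ePHI.
FLOWS = [
    {"src": "ehr-app-01", "dst": "ehr-db-01", "protocol": "tls", "carries_ephi": True},
    {"src": "lab-interface-01", "dst": "ehr-app-01", "protocol": "hl7-mllp", "carries_ephi": True},
    {"src": "ehr-app-01", "dst": "billing-01", "protocol": "https", "carries_ephi": True},
]

# Protocols this example treats as providing encryption in transit (assumption).
ENCRYPTED_PROTOCOLS = {"tls", "https", "sftp", "ipsec"}
# The NPRM's review cadence: at least annually, or on significant change.
REVIEW_INTERVAL = timedelta(days=365)


def check_inventory_and_map(inventory, flows, as_of):
    """Return a list of (finding_kind, subject) tuples for the given data."""
    findings = []
    inventory_ids = {asset["id"] for asset in inventory}
    mapped_ids = set()

    # Inventory-side checks: review currency and encryption at rest.
    for asset in inventory:
        if as_of - asset["last_reviewed"] > REVIEW_INTERVAL:
            findings.append(("stale-review", asset["id"]))
        if not asset["encrypted_at_rest"]:
            findings.append(("unencrypted-at-rest", asset["id"]))

    # Map-side checks: every endpoint must be inventoried, and every ePHI
    # flow must use an encrypted transport.
    for flow in flows:
        for endpoint in (flow["src"], flow["dst"]):
            mapped_ids.add(endpoint)
            if endpoint not in inventory_ids:
                findings.append(("unknown-asset", endpoint))
        if flow["carries_ephi"] and flow["protocol"] not in ENCRYPTED_PROTOCOLS:
            findings.append(("unencrypted-in-transit", f'{flow["src"]}->{flow["dst"]}'))

    # Drift in the other direction: inventoried assets the map never mentions.
    for asset_id in sorted(inventory_ids - mapped_ids):
        findings.append(("not-on-map", asset_id))

    return findings


def summarize(findings):
    """Count findings by kind, for a quick review-meeting summary."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, subject in check_inventory_and_map(INVENTORY, FLOWS, date(2025, 6, 1)):
        print(f"{kind:24} {subject}")
```

Run against the constructed data as of 2025-06-01, the check reports the lab interface as overdue for review and unencrypted at rest, its HL7 MLLP feed as unencrypted in transit, the billing system as present on the map but missing from the inventory, and the PACS as inventoried but absent from the map. Each of those is exactly the kind of gap an annual review is meant to surface, and the same logic can be run whenever a significant environmental change is recorded.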
Organizations must establish written procedures to restore critical electronic information systems within 72 hours of a loss. Writing the procedures is only the first step: healthcare organizations must routinely exercise them and validate that systems can in fact be restored within that window, because recovery at this scale is intricate and is only dependable with regular practice.
A major concern for healthcare CIOs is that operationalizing a 72-hour restore may require a substantial overhaul of existing disaster recovery plans and the backup infrastructure behind them. Healthcare executives should begin budgeting for this initiative now, as it will raise costs.
Enhanced Technical Safeguards
On the technical front, the proposed rule includes safeguards to bolster the protection of electronic protected health information (ePHI). It mandates encryption of ePHI both at rest and in transit, with limited exceptions, to ensure data remains secure throughout its lifecycle. Multi-factor authentication is also required to enhance access controls and prevent unauthorized access. These measures should already be in place, as they represent industry best practices.
Other security safeguards include mandatory vulnerability scanning every six months, annual penetration testing, and the implementation of network segmentation to mitigate potential breaches.
Dedicated technical controls for backing up and recovering ePHI and associated systems are necessary to uphold data integrity and availability. Additionally, regulated entities must annually review and test the efficacy of specific security measures, moving beyond the general requirement of simply maintaining such measures. These safeguards aim to elevate security posture and decrease risk across healthcare organizations.
These advancements are commendable, and Carter Groome welcomes the effort, stating, “I’m pleased to see OCR leveraging the HHS cyber performance goals (CPGs), and the use of explicit terms such as deploy and required may clarify longstanding ambiguity.”
The remaining concern is timing: by the time the rule is finalized and implemented, its technical requirements may already lag behind the threat landscape. Prescriptive technical guidelines date quickly, so healthcare providers must keep pace with technological change and the ingenuity of attackers rather than treating the rule as the finish line.