The Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) have announced that they are seeking input on a proposal to amend the Security Standards for the Protection of Electronic Protected Health Information (ePHI) under HIPAA and the HITECH Act. The move comes in response to the growing number of reported breaches and the need to strengthen healthcare cybersecurity measures.
The proposed modifications, set to be published in the Federal Register on January 6, 2025, aim to address changes in technology, breach trends, enforcement practices, and methodologies for safeguarding ePHI. One of the key changes proposed is the elimination of the distinction between “required” and “addressable” specifications, making all security standards mandatory with limited exceptions.
The proposed rulemaking aligns with the Biden-Harris Administration’s National Cybersecurity Strategy and the Healthcare Sector Cybersecurity concept paper. It also includes plans to publish voluntary cybersecurity best practices and enhance enforcement and accountability in the healthcare sector. OCR Director Melanie Fontes Rainer highlighted the significant increase in cyberattacks targeting the healthcare industry, with ransomware and hacking incidents leading to a surge in reported breaches.
According to OCR, the number of large breaches reported between 2018 and 2023 rose by 102%, and breaches reported last year alone affected over 167 million individuals. To address common deficiencies in Security Rule compliance, the proposed modifications introduce stricter documentation requirements for covered entities, including a comprehensive inventory of technology assets and a map of the network.
HHS Deputy Secretary Andrea Palm emphasized the importance of fortifying healthcare cybersecurity to protect patients, healthcare providers, and communities from the impact of cyber threats. The proposed rule aims to enhance preparedness, resilience, and security in the face of escalating cyber risks.
In light of the increasing frequency and sophistication of cyberattacks targeting the healthcare sector, the proposed modifications to the HIPAA Security Rule signal a proactive step towards safeguarding patient data and ensuring the integrity of healthcare systems. As healthcare organizations navigate the evolving threat landscape, a comprehensive approach to cybersecurity is essential to mitigate risks, uphold patient trust, and maintain the continuity of care.
For more information and updates on healthcare IT news and cybersecurity developments, stay tuned to Healthcare IT News, a HIMSS Media publication. Email senior editor Andrea Fox at afox@himss.org for inquiries and feedback.