While the Change Healthcare ransomware attack disclosed early this year disrupted claims processing and payments for months and put the medical privacy at risk of roughly 100 million people—about one-third of all Americans—this was hardly the only healthcare breach this year. A breach of Kaiser Permanente affected 13.4 million people, Concentra Health Services 4 million people, and Sav-RX, WebTPA, and INTEGRIS Health, all ranging from 3 million to 2.4 million affected.
As healthcare providers continue to struggle to secure their systems, the HHS Office for Civil Rights is taking action in the form of substantial proposed rule changes to the long-standing Health Insurance Portability and Accountability Act (HIPAA) Security Rule. While details on the proposed rule changes remain unclear—those changes are currently under review by the Office of Management and Budget (OMB)—HHS plans to issue a Notice of Proposed Rulemaking (NPRM) by the end of the year. These changes are believed to be the most substantial changes since the HIPAA Security rule went into effect in 2003
The core objectives of the changes focus on strengthening safeguards for electronic protected health information (ePHI) while also helping to enhance healthcare organizations’ capabilities to prevent, detect, and recover from cybersecurity incidents. What’s particularly noteworthy is HHS’s shift from security guidance to enforceable standards through Medicare and Medicaid, coupled with the introduction of voluntary cybersecurity performance goals.
The anticipated enhanced security requirements are considerable. They include implementing more rigorous risk assessments, enhanced PHI encryption, tighter access controls and audit trails, and tighter change management controls. The proposed rules also include improved incident response plans and real-time tracking of changes to the status of PHI data.
Regarding security awareness training for covered organizations, most staff must be trained on HIPAA security requirements.
“This is good news. Everyone involved with patient records in any way needs to be trained so that the entire organization is better secured,” says Kurt Osburn, a security services provider NCC Group director. Osburn adds that changes such as enforcing multi-factor authentication for everyone with access to hospital systems will also help to harden the overall security posture.”
The changes acknowledge what many security professionals have long argued — the 2003 standards don’t match today’s risk levels. However, many providers are already conducting thorough security risk assessments, implementing robust data encryption protocols, and rolling out comprehensive staff training programs focused on phishing awareness and cyber hygiene.
Michael Farnum, advisory CISO at technology services provider Trace3, says what’s particularly crucial is the shift toward viewing HIPAA compliance and cybersecurity as integrated components that focus on real-world risk mitigation rather than separate initiatives.
One area where Osburn expects challenges for many covered entities will be providing patients timely access to medical data with a maximum time reduced from 30 days to 15 days.
“Healthcare providers have healthcare information in their environments, but they don’t always have a great handle on where it resides or have it categorized. It will take time for many organizations to map and categorize their data,” says Osburn.
Finally, Osburn expressed concern about regulatory enforcement or its lack thereof.
“The question is how they will enforce these changes. Will they make the investment to be more proactive about enforcement, or will they identify lapses after the fact [a breach or incident] and then fine the heck out of healthcare delivery providers,” he asks.
Overall, experts welcome the changes.
With ransomware rising within healthcare organizations for nearly a decade, healthcare delivery organizations must move beyond essential compliance efforts and implement advanced security measures, including role-based access controls, multi-factor authentication, and robust data usage monitoring systems. The key is developing a proactive security posture that meets today’s compliance requirements and improves security posture.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
