HHS Office for Civil Rights Proposes Changes to HIPAA Security Rule


With large data breaches increasing in healthcare, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is proposing to modify the HIPAA Security Rule to require health plans, clearinghouses and most providers, and their business associates, to strengthen cybersecurity protections for individuals' protected health information.

This marks the first time HHS has sought to update the HIPAA Security Rule since 2013.

The rule would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information (ePHI). The proposed rule also would require that policies and procedures be in writing, and that they be reviewed, tested, and updated regularly. OCR said the rule would also better align the Security Rule with modern cybersecurity best practices.

These proposals address:
• Changes in the environment in which healthcare is provided.
• Significant increases in breaches and cyberattacks.
• Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
• Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
• Court decisions that affect enforcement of the Security Rule.

For example, the proposed rule requires greater specificity in how a risk analysis is conducted. New express requirements would include a written assessment that contains, among other things:
• A review of the technology asset inventory and network map.
• Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
• Identification of potential vulnerabilities and predisposing conditions in the regulated entity's relevant electronic information systems.
• An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

It also would require network segmentation, vulnerability scanning at least every six months, and penetration testing at least once every 12 months.

"Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of people affected annually has skyrocketed exponentially, a number we expect to grow even higher this year with the Change Healthcare breach, the largest breach in our health care system in U.S. history," said OCR Director Melanie Fontes Rainer, in a statement. "This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing healthcare meet their obligations to protect the security of individuals' protected health information across the nation."

OCR has seen a substantial increase in large breach reports received over the past five years. From 2018 to 2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of increases in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches, a new record. Since 2019, large breaches caused by hacking and ransomware have increased 89 percent and 102 percent, respectively.

While HHS is undertaking this rulemaking, the current Security Rule remains in effect.
