A Guide for Healthcare Leaders

Editorial Team


George McGregor, VP of Marketing for Approov

Major cybersecurity breaches continue to plague the US healthcare industry, and on December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule, titled "The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information". Comments were requested and over 4,000 were received before the comment period ended on March 7, 2025. This article dissects the comments received, discusses what might come next, and offers recommendations on how to prepare for the regulatory road ahead.

The updated HIPAA Security Rule is a proposed upgrade of the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule"), which was originally issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and updated again by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The declared intent of HHS is to update the Security Rule in response to the evolving healthcare technology landscape and to address new and emerging threats. The goal of the NPRM is specifically to strengthen cybersecurity protections for electronic protected health information (ePHI).

The proposed Security Rule update can be seen as an evolution of earlier work:

  • The Healthcare Sector Cybersecurity Strategy document, published in December 2023, proposed a framework to help the healthcare sector address cybersecurity threats. It set voluntary cybersecurity goals for the sector and set out an HHS-wide strategy to support greater enforcement and accountability.
  • In January 2024, HHS published its HPH Sector Cybersecurity Performance Goals (CPGs) in collaboration with CISA (the U.S. Cybersecurity and Infrastructure Security Agency). These align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions and propose cybersecurity practices aimed at improving security at HIPAA-regulated entities to combat cyberattacks, improve incident response, and minimize risk.

The newly updated Security Rule makes some of the voluntary "best practices" specified in the CPGs mandatory, such as the use of encryption and multifactor authentication (MFA). Clearly OCR does not believe voluntary goals will be sufficient to drive the behavioral change needed to improve cybersecurity to the extent required.

The proposed amendments aim to address the growing cybersecurity threats and vulnerabilities facing the U.S. healthcare system. The updated HIPAA Security Rule would require healthcare organizations to implement advanced controls such as mandatory encryption of all ePHI (both at rest and in transit), multi-factor authentication (MFA), network segmentation, regular vulnerability scanning and penetration testing, robust anti-malware protection, patch management, and configuration controls, while also conducting thorough risk assessments and maintaining strong access controls to limit unauthorized access to sensitive patient data.

Comments were received from 4,749 individuals, healthcare providers, professional organizations and cybersecurity vendors, a broad show of support for strengthening cybersecurity protections for ePHI. At the same time, they reflected significant concerns about the practicality, burden, and clarity of some of the proposed changes.

Healthcare providers focused on implementation challenges: the feasibility and cost of the measures and the practicalities of implementing certain requirements, particularly for smaller organizations and those with technical limitations. Many focused on the significant financial impact of implementing the proposed measures, and on concerns that the costs involved in penetration testing had been underestimated, especially for smaller entities. Some also worried about potential disruptions to healthcare operations if compliance becomes overly burdensome.

Industry organizations: HIMSS recommended closer alignment with frameworks such as the NIST Cybersecurity Framework 2.0 and the HHS CPGs. The Consumer Technology Association (CTA) noted the burden of preparing detailed plans and procedures. The American Council of Life Insurers (ACLI) urged HHS to rethink the specific time periods set out in the Proposed Security Rule, and to implement the rule in a way that would not require re-negotiating existing Business Associate Agreements (BAAs).

Cybersecurity experts noted that the NPRM significantly underestimates the time and effort required for thorough penetration testing and other security assessments and processes, referencing industry standards such as the Penetration Testing Execution Standard (PTES).

Technology vendors stressed the need for greater clarity both in terms of scope (e.g. are EHR vendors "Business Associates"?) and in technical implementation details (e.g. around cloud environments, MFA, encryption, etc.).

Several commenters expressed significant pushback on the various timeframes proposed in the updated HIPAA Security Rule, arguing that they are often too short and inflexible, and do not account for the operational realities and resource constraints of regulated entities, particularly smaller and rural providers.

Incident Reporting: There is a requirement for regulated entities to establish written procedures for restoring certain relevant electronic information systems and data within 72 hours, perform a criticality analysis, and create documented security incident response plans.

There is significant pushback that this rule is too prescriptive and would create undue burdens.

Patches and fixes: The proposed rule would require patching critical vulnerabilities within 15 days and high-risk vulnerabilities within 30 days. Many argued these timelines are aggressive and difficult to meet because of system downtime requirements, vendor delays in releasing patches, the need for thorough testing, and the challenges associated with legacy systems at or nearing end-of-life support.

Suggestions included revising the deadlines to 30 days for critical vulnerabilities and 45 days for high-risk vulnerabilities, with flexibility for documented exceptions, aligning with industry norms such as NIST SP 800-53. Some suggested timelines based on the CVSS severity rating scale, or allowing patching to take place on a "reasonable and appropriate" timeline based on risk analysis.

Workforce Access Termination Notification:

The proposal to notify other regulated entities of the termination of a workforce member's access to ePHI within 24 hours was challenged, citing variability in termination processes and reliance on HR system updates. Commenters recommended allowing entities to adjust the timeline based on their risk analysis, with immediate notification for high-risk separations and a 24-hour window for standard cases.

Data Backup and System Restoration: The proposed requirement to restore the loss of critical relevant electronic information systems and data within 72 hours received substantial pushback, given that restoration can depend on factors outside the regulated entity's control, such as law enforcement investigations, supply chain delays, and coordination with vendors, especially medical device suppliers.

Many entities also operate with limited personnel, making such rapid restoration infeasible. Moreover, premature restoration before the root cause of the disruption has been fully addressed could lead to repeated breaches.

Commenters recommended replacing the strict 72-hour deadline with a flexible timeframe that requires timely restoration without further jeopardizing data security, "within a reasonable and appropriate period, not to exceed 7 days," based on a criticality analysis.

Reviews and Testing: Several proposals included a requirement for reviews and tests to take place at least once every 12 months for various administrative, physical, and technical safeguards. This covers policies and procedures, technical controls, and security incident response plans. The proposed annual compliance audit, to be performed at least once every 12 months, was also questioned. Commenters argued that the additional staffing costs would be particularly burdensome for organizations already subject to multiple compliance audits, and in smaller organizations would risk diverting resources from patient care. It was suggested that the frequency of testing and reviews should be risk-based, with some recommending compliance audits every few years instead of annually.

Data Backup Testing Frequency: The proposed requirement to test the effectiveness of backups and document the results at least monthly was cited as unnecessarily frequent. Monthly testing could require substantial IT resources and workforce time, diverting attention from other critical security activities or patient care. Commenters instead suggested a risk-based approach for determining testing frequencies.

Vulnerability Scanning Frequency: The proposal for automated vulnerability scans no less frequently than once every six months was questioned: one commenter suggested monthly scans for highly dynamic IT environments and six-monthly scans for stable environments.

In summary, the dominant theme in the pushback on the proposed timeframes and frequencies is that they are widely perceived as unrealistic, overly prescriptive, and potentially detrimental to patient care because of the significant resource burdens they would impose, especially on smaller and rural healthcare entities. Many commenters advocated a more flexible, risk-based approach to these requirements.


About George McGregor
George McGregor is VP of Marketing for Approov. He is passionate about healthcare sector cybersecurity and previously held executive roles at Imperva, Citrix, Juniper Networks and HP. Approov API Threat Protection provides a multi-factor, end-to-end mobile API security solution that complements identity management, endpoint, and device security to lock down proper API usage. Only safe and approved apps can successfully use APIs. Bots and fake or tampered apps are turned away and PHI is protected.
