
HHS Proposes Strengthened HIPAA Security Rule to Combat Cybersecurity Threats

The Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) have announced a notice of proposed rulemaking (NPRM) to strengthen the Security Standards for the Protection of Electronic Protected Health Information under HIPAA and the HITECH Act. Set to be published in the Federal Register on January 6, 2025, the proposed measures aim to address significant changes in technology, evolving cybersecurity threats, and trends observed in breach reports.

The proposed updates include sweeping changes to the HIPAA Security Rule to modernize its provisions and better address the increase in health care data breaches. One significant change is the removal of the distinction between “required” and “addressable” implementation specifications, making all standards mandatory with limited exceptions. The rule proposes stricter documentation requirements for policies, procedures, technology asset inventories, and network maps, as well as enhanced standards for conducting risk analyses.

The changes also seek to address observed deficiencies in compliance and strengthen enforcement through measures such as mandatory encryption of electronic protected health information (ePHI), multifactor authentication, regular vulnerability scans, and annual audits. These efforts align with HHS’s Healthcare Sector Cybersecurity concept paper and the National Cybersecurity Strategy, and reflect a broader federal effort to curb the increasing number of cyberattacks on the health care sector. Public comments on the NPRM will be accepted for 60 days following its publication in the Federal Register.

“The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety,” said Deputy Secretary Andrea Palm in a press release. “These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack but are also more secure and resilient.”

References

HIPAA Security Rule notice of proposed rulemaking to strengthen cybersecurity for electronic protected health information. Fact sheet. US Department of Health and Human Services. Published December 27, 2024. Accessed January 3, 2025. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html

HHS Office for Civil Rights proposes measures to strengthen cybersecurity in health care under HIPAA. Press release. US Department of Health and Human Services. Published December 27, 2024. Accessed January 3, 2025. https://www.hhs.gov/about/news/2024/12/27/hhs-office-civil-rights-proposes-measures-strengthen-cybersecurity-health-care-under-hipaa.html