HHS Proposes Major HIPAA Updates to Boost Healthcare Cybersecurity
2025-01-07
New opportunity - healthcare organizations are under threat from evolving cybersecurity requirements. Time to get out your rolodex and offer CloudGuard solutions.
The US Department of Health and Human Services (HHS) is proposing significant amendments to the HIPAA security rule to enhance cybersecurity measures for protecting electronic protected health information (PHI). These changes, set to be published in the Federal Register, include mandatory implementation of security controls such as multifactor authentication, enhanced encryption, and regular security audits. The amendments aim to address the evolving threat landscape, which has seen a dramatic increase in breaches against healthcare organizations. Key proposals include maintaining up-to-date technology asset inventories, conducting thorough risk analyses, and enforcing encryption of PHI both at rest and in transit.
N/A
HIPAA, HHS, healthcare security, PHI protection, multifactor authentication, encryption, compliance audits
N/A
Healthcare organizations
The US Department of Health and Human Services (HHS) is set to implement significant updates to the Health Insurance Portability and Accountability Act (HIPAA) security rule. These updates are designed to bolster cybersecurity measures for safeguarding electronic protected health information (PHI) against rising threats. The changes, which were published in the Federal Register on January 6, reflect the most substantial revisions to HIPAA since 2013. Healthcare organizations will be required to adopt advanced security controls, including multifactor authentication (MFA) and enhanced encryption protocols. These measures are intended to address the current threat landscape, where breaches have surged by 102% between 2018 and 2023. In 2023 alone, over 167 million individuals had their health information compromised. Organizations will need to maintain a comprehensive technology asset inventory and network map to monitor PHI movement across systems. Additionally, the proposed changes specify detailed procedures for conducting security risk analyses. These include written assessments reviewing asset inventories and network maps, identifying potential threats, and evaluating the risk levels for each identified threat and vulnerability. The amendments mandate the encryption of PHI both at rest and in transit, making encryption a fundamental requirement. Healthcare organizations will also be required to scan for vulnerabilities every six months, conduct annual penetration tests, deploy anti-malware defenses, and remove unnecessary software from systems. These practices are transitioning from recommended activities to essential security baselines. To ensure adherence to these new technical safeguards, organizations must conduct compliance audits at least once a year. These audits will verify the implementation of security controls and require a written certification to confirm compliance.Proposed HIPAA Amendments to Enhance Healthcare Cybersecurity
Key Changes to HIPAA
Strengthened Security Controls
Asset Inventory and Risk Analysis
Implementation of Security Measures
Compliance Audits
https://www.darkreading.com/cyber-risk/proposed-hipaa-amendments-close-healthcare-security-gaps