Pierluigi Paganini January 01, 2025

HHS OCR proposed updates to the HIPAA Security Rule to boost cybersecurity for electronic protected health information (ePHI).

On December 27, 2024, the United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) proposed updates to the HIPAA Security Rule to enhance cybersecurity for electronic protected health information (ePHI).

The proposed updates to the Security Rule aims at bolstering healthcare cybersecurity, aligning with the Biden Administration’s National Cybersecurity Strategy efforts.

The proposed HIPAA Security Rule updates include security measures and controls such as mandatory implementation specifications, regular compliance audits, ePHI encryption, multi-factor authentication, vulnerability scanning, and improved contingency planning. Key proposals include creating a technology asset inventory, conducting specific risk analyses, and requiring prompt notifications for access changes or contingency activations. These updates align with evolving technology and cybersecurity threats, emphasizing stricter documentation, network segmentation, and consistent security practices.

In order to enhance contingency planning and incident response, the proposed rules mandate notifying regulated entities within 24 hours of workforce access changes to ePHI. Requirements include restoring critical systems within 72 hours, prioritizing system restoration, creating detailed incident response plans, and regularly testing and updating those plans.

“Strengthen requirements for planning for contingencies and responding to security incidents.” the HHS states. Specifically, regulated entities would be required to, for example:

• Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
• Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
• Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
• Implement written procedures for testing and revising written security incident response plans.”

The proposal updates include conducting compliance audits every 12 months and requiring business associates to verify annually, with expert analysis and certification, the deployment of ePHI safeguards.

“HHS encourages all stakeholders, including patients and their families, health plans, health care providers, health care professional associations, consumer advocates, and government entities, to submit comments through regulations.gov.” concludes HHS. “Public comments on the NPRM are due 60 days after publication of the NPRM in the Federal Register. The Department will also be conducting a Tribal consultation meeting soon. Information and RSVP details are forthcoming.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, HIPAA)