The U.S. Department of Health and Human Services (HSS) Office for Civil Rights (OCR) has published a Notice of Proposed Rulemaking (NPRM) proposing substantial cybersecurity requirements for all regulated entities and their business associates to be added to the HIPAA Security Rule.
Comments are due on or before March 7, 2025, with a final ruling due to take effect 60 days after publication and a compliance date 180 days after that. Following these dates, the NPRM also proposes a transition period beyond the 180-day compliance period to allow regulated entities to modify their business associate agreements in response to the changes.
Why Now?
The 390-page NPRM marks the first time OCR has updated the HIPAA Security Rule since 2013 in the wake of a substantial increase in breaches. The OCR Breach Portal data for 2024 makes for sobering reading and necessitates urgent action. The Secretary of the HHS OCR Breach of Unsecured Protected Health Information is required to post any breaches of unsecured protected health information affecting 500 or more individuals. As of December 20th, a staggering total of 677 major health data breaches affecting more than 182.4 million people had been recorded for the year 2024.
The main contributor to the dramatic increase in numbers was one attack in particular, the Change Healthcare ransomware attack, which happened in February and consumed the news in March when the story broke. One of the key takeaways from this attack was that UnitedHealth (Change Healthcare is a subsidiary of UnitedHealth) wasn’t using multifactor authentication (MFA), despite it being an industry standard practice.
Eliminating Ambiguity
An important aspect of the NPRM is how the HSS OCR is proposing to address issues around compliance by seeking to clarify the terms “addressable” and “required” implementation specifications. Currently, regulated entities can implement an addressable specification, use alternative security measures, or choose not to comply at all, which has led to confusion.
The NPRM proposes to eliminate this distinction, establishing that the HIPAA Security Rule provides a minimum standard for cybersecurity protections. This change will make it clear that regulated entities must comply with all standards and specifications, although they can determine how to meet them, with limited exceptions.
Industry Perspective
Ted Miracco, CEO of approov, believes that “Rebuilding user trust and safety remain critical priorities, given the extensive number of data breaches that have occurred in recent years, and their devastating impacts.” Ted identifies that the action taken by HIPPA is long overdue and thinks that enforcing tighter security measures is the right approach. He does concede, however, that mobile developers will be held to a tighter standard and have more work under these new proposals.
Lawrence Pingree, VP at dispersive, welcomes the changes. He expresses the view that “In security, the more prescriptive the controls, the better since this reduces the variance of approaches that might not adequately address current threats.” Lawrence does cautiously advise though that the biggest challenge is to ensure such prescriptive guidance does not become outdated.
Time For Change
In reviewing the NPRM, absorbing the breach portal statistics, and gauging the industry reaction, it is clear that things couldn’t continue as they were. Under the proposal, HIPAA-regulated entities would be forced to modernize. Under the rule, no form of encryption is required, and safeguards such as MFA, login attempt limitation procedures, and patch management are not required. This had to change, and hopefully, after being reviewed by the new administration in Washington, it will.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.