First HIPAA Security Rule update in 10 years is on the horizon

OCR has issued a notice of proposed rulemaking to make the first update to the HIPAA Security Rule in a decade.
By admin
Jan 10, 2025, 10:56 AM

CIOs, get ready to study up: the HIPAA Security Rule is poised for its first major update in a long time. 

Just before the New Year, the Office for Civil Rights (OCR) issued a notice of proposed rulemaking announcing its intention to modify HIPAA to “improve cybersecurity and better protect the US health care system from a growing number of cyberattacks.”

With 2023 and 2024 on the books as record years for cyberattacks, government officials are actively seeking new ways to strengthen the healthcare industry’s defenses through both new rulemaking and Congressional action.

Since 2019, large breaches caused by hacking have increased by 89 percent, while ransomware breaches are up by 102 percent. In 2023, over 167 million individuals were affected by large breaches—a new record, although those numbers are slated to be dwarfed by the events of 2024. 

“Cyberattacks continue to impact the health care sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually. The number of people affected every year has skyrocketed exponentially, a number we expect to grow even bigger this year with the Change Healthcare breach, the largest breach in our health care system in US history,” said OCR Director Melanie Fontes Rainer.  

“This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation.” 

Among the many proposed updates, OCR plans to remove the distinction between “required” and “addressable” implementation specifications to make all specifications required with only specific, limited exceptions. 

Covered entities will be required to provide written documentation of all Security Rule policies, procedures, plans, and analyses, and will also need to develop and maintain a technology asset inventory and network map that clearly illustrates the movement of protected health data through regulated pathways. 

The inventory and map will be part of new express requirements around conducting a risk analysis. Entities will also need to identify and risk-stratify all reasonably anticipated threats and vulnerabilities to protected data in a written assessment.

The new rule will strengthen requirements for planning for contingencies and responding to known security incidents, including requiring entities to: 

  • Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours. 
  • Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration. 
  • Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents. 
  • Implement written procedures for testing and revising written security incident response plans. 

Additional provisions in the proposed update include requirements for encrypting all ePHI at rest and in transit (with limited exceptions), conducting a compliance audit at least once every 12 months, and deploying additional strategies including anti-malware protection, multi-factor authentication, and network segmentation. 

Overall, the rule aims to raise the baseline of the nation’s defenses against ransomware and other potentially devastating cyberattacks. Alongside a slew of other federal efforts to establish a more unified bulwark against bad actors, the rule is likely to give much-needed clarity and direction to covered entities that are struggling to keep their systems protected.

Industry stakeholders can submit comments on the proposed rule. The public comment period closes on March 7, 2025.


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at jennifer@inklesscreative.com.