The US government has published plans to update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, in a bid to address surging healthcare data breaches.
The proposed rule would require all health plans, healthcare clearing houses and healthcare providers to implement enhanced security measures for individuals’ protected health information (PHI).
The Department of Health and Human Services (HHS) said the new obligations reflect advances in technology and changes in breach trends and cyber-attacks, helping healthcare providers ensure compliance with their data protection duties.
The planned changes cover a broad range of areas, including:
- Modernizing the definition of authentication to reflect best practices in cybersecurity today, such as providing regulated entities with a specific level of authentication for accessing relevant IT systems
- Modernizing the definition of cyber-threats, including updates to the description of malicious software, vulnerabilities and threats
- Requiring entities to protect data in transit as well as at rest, including describing the movement of data in a network map and creating asset inventories
- Requiring the testing of security measures, such as conducting attack simulations and reviewing system logs and access logs to evaluate whether policies and procedures governing access to PHI are being followed
- New standards for patch management that require impacted organizations to implement written policies and procedures for applying patches and updating the configurations of their relevant electronic information systems
- Requiring impacted entities to establish and implement a plan for reducing the risks identified through their risk analysis activities
- Updating rules around access authorization for PHI, including requiring entities to establish policies to allow access only to those persons or software programs that have been granted access rights
Andrea Palm, Deputy Secretary at the HHS Office for Civil Rights (OCR), commented: “The increasing frequency and sophistication of cyber-attacks in the healthcare sector pose a direct and significant threat to patient safety.”
“These attacks endanger patients by exposing vulnerabilities in our healthcare system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that healthcare providers, patients and communities are not only better prepared to face a cyber-attack, but are also more secure and resilient,” she said.
If implemented, the proposal would be the first update to HIPAA’s Security Rule since 2013.
The HHS has requested public comment on the proposals, including potential drawbacks and unintended consequences.
HIPAA was first enacted in 1996, establishing national standards for protecting sensitive patient health information.
Healthcare Breaches Rise Significantly
The OCR said it had received a “substantial increase” in large breach reports over recent years, up by 102% from 2018 to 2023. Additionally, the number of individuals affected by such breaches rose by 1002% in the same period.
These increases have primarily been driven by hacking and ransomware attacks, which have gone up by 89% and 102% since 2019, respectively.
The OCR also expects 2024 to be the biggest year on record for individuals impacted by healthcare data breaches, largely driven by the Change Healthcare incident that started in February 2024.
In October, the OCR reported that approximately 100 million individual data breach notices had been sent regarding the incident.