3 ways to prepare for impending HIPAA Security Rule updates

March 13, 2024 - In the decades since the HIPAA Security Rule was enacted, it has remained a crucial tool to covered entities and business associates as they navigate the multitude of cybersecurity risks that trouble the healthcare sector.

HIPAA’s flexible and scalable nature allows covered entities to implement the technical, physical, and administrative safeguards that are reasonable for each organization’s size and specific needs. However, as ransomware and data breaches continue to hit the healthcare sector, lawmakers and stakeholders in recent years have called to modernize elements of HIPAA to reflect the current health data security and privacy landscape.

In a concept paper released in December 2023, HHS outlined a comprehensive healthcare cybersecurity strategy that includes introducing “new cybersecurity requirements” to the HIPAA Security Rule. HHS said it plans to begin this update in Spring 2024.

“HHS will also continue to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance. In the interim, HHS will continue to investigate potential HIPAA violations,” the concept paper stated.

With these updates on the horizon, covered entities may want to begin adjusting their strategies to prepare for more prescriptive security requirements under HIPAA, Keith Forrester, practice manager, strategy and risk at Optiv, suggested in an interview with HealthITSecurity.

Forrester offered several steps that covered entities can take now to proactively improve security maturity and compliance in anticipation of these updates.

Address Known Security Gaps

“There hasn't been a significant change with HIPAA for quite some time,” Forrester noted. “But if you look right now, healthcare is really taking a beating with the amount of cyber risks out there, especially the ransomware attacks that are taking place against healthcare organizations.”

In 2023, more than 540 organizations reported large healthcare data breaches (impacting more than 500 individuals each) to the HHS Office for Civil Rights (OCR). In the first three months of 2024, several large healthcare organizations have fallen victim to cyberattacks, including Lurie Children’s Hospital in Chicago and Change Healthcare, the latter of which is still causing disruptions across the sector at the time of publication.

As the sector continues to be hit hard by cyberattacks and data breaches, it is crucial that organizations across the sector take steps to improve security and implement key safeguards.

“HIPAA has been out for 20-odd years. We do assessments every day at healthcare organizations, and it has allowed me to see that there are still so many vulnerabilities and risks that are being brought up,” Forrester said. “The basic blocking and tackling in a lot of instances are not being done by organizations.”

Forrester predicted that HHS would continue to emphasize the importance of cyber hygiene and risk management in any future HIPAA Security Rule updates. Other industries have regulations that mandate very specific controls, such as the Payment Card Industry Data Security Standard (PCI DSS), which protects credit card data from fraud and misuse. Forrester reasoned that future iterations of HIPAA might be more like PCI standards in terms of their prescriptive nature.

“HHS is asking for more fines, penalties, and staff to do audits and assessments. We can see where they want to drive things,” he added. “But from a security perspective, I should hope that there's going to be more prescriptive security controls coming out with any updates.”

With this in mind, it is important that covered entities prioritize the areas in which they may be falling short in terms of security maturity. Thankfully, there are a variety of resources available to assess these gaps, including the Health Industry Cybersecurity Practices (HICP) and the HHS Cybersecurity Performance Goals (CPGs).

Understand, Implement the HPH CPGs

As part of HHS’ cybersecurity strategy, the department developed voluntary CPGs to guide the healthcare sector through key security actions. The CPGs consist of “essential” and “enhanced” goals that help healthcare organizations tackle common vulnerabilities, improve incident response, and advance their security programs.

“Look at the areas of these goals that are applicable to your organization and start working towards implementing and looking at the backend control framework,” Forrester recommended.

The healthcare CPGs were built upon the Cybersecurity and Infrastructure Security Agency’s (CISA) own voluntary CPGs and informed by existing frameworks, including HICP, the National Cybersecurity Strategy, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

“Most of these are mapping back to a [cybersecurity framework]. So have a look at what the CSF is calling out for and then ensure that your program is meeting what is required within that CSF framework,” Forrester advised.

“But start working on building that out now. Get ahead of the game and start developing more formal practices. Organizations often have policies, but so often we see that they are lacking in the procedures and the formalized processes to manage and maintain programs consistently.”

Implementing the controls that HHS outlines in the CPGs will help organizations become more resilient overall. Additionally, HHS has made it clear that these CPGs will be the basis for future regulations in this space.

Document Everything

Documentation of security improvements is always a good idea, especially if an organization is faced with an OCR investigation in the future.

What’s more, HHS made it clear in its concept paper that it would prioritize conducting audits in the near future. Aside from the impending HIPAA Security Rule updates, a February 2024 notice in the Federal Register confirmed that HHS intends to revive the long-dormant practice of random HIPAA audits.

“OCR believes that the audits are beneficial to the entities selected for an audit as it gives OCR an opportunity to review their compliance with selected provisions of the HIPAA Rules and to address risks and vulnerabilities before there is an incident that results in the impermissible disclosure or breach of protected health information,” OCR said in a statement shared with HealthITSecurity.

“The audits are beneficial to OCR in providing insight into the HIPAA compliance activities of HIPAA-regulated entities that may not otherwise be subject to an OCR investigation through a HIPAA complaint or reported breach.”

With these developments in mind, covered entities that keep reliable, accessible documentation of security and privacy actions will be in a better position to handle any audits or changes in HIPAA requirements that come their way.

“I always advise my clients that you really want to be in a position so if somebody walks through the door, you can quickly and clearly go to documentation or go to the artifacts, provide them with the information they need,” Forrester said.

“If you are in a state of flux and nobody knows where policies are or the operating procedures, or it takes them weeks to get artifacts together. Well, auditors are going to dig deeper. They are going to look harder. So, prepare, prepare, prepare.”