In December 2023, the Department of Health and Human Services (HHS) published its cybersecurity strategy for the healthcare sector, setting out a list of actions to improve cybersecurity across the industry, including voluntary performance goals. Those voluntary measures have clearly not been enough to bring about the behavioral change the sector needs.
HHS therefore set out to amend the HIPAA Security Rule to add new cybersecurity requirements for HIPAA-covered entities. The revision was originally due in spring 2024, but that deadline was missed. Early in 2024, OCR Director Melanie Fontes Rainer announced that the update would be published before the end of the year.
The proposed change to the HIPAA Security Rule has now been drafted and was submitted to the Office of Information and Regulatory Affairs (OIRA) at the Office of Management and Budget (OMB) for review on October 18, 2024. The revised Security Rule imposes stricter requirements on HIPAA-covered entities to safeguard electronic protected health information (ePHI) and to prevent, detect, contain, mitigate, and recover from cybersecurity threats.
The HIPAA Security Rule was written before many of today's technologies existed and could not anticipate them. A great deal has changed in the roughly 20 years since, and an update is overdue. The contents of the revised rule are not yet public, but covered entities will not have to wait long to learn what it requires. HHS will issue a Notice of Proposed Rulemaking (NPRM) before the end of December 2024, and healthcare stakeholders will have 60 days from its publication in the Federal Register to comment on the proposed update.
Because OCR has previously stated its goal of writing the voluntary Cybersecurity Performance Goals into regulation, it is likely that the Essential Cybersecurity Performance Goals will become mandatory. The update was prepared under the Biden Administration, but it will fall to the incoming administration to finalize and enforce the revised rule, if it is finalized at all.
Ransomware and hacking are increasingly used to gain unauthorized access to ePHI. Since the Security Rule was issued in 2003, the technical capabilities of the record systems used to manage health data have changed, and so have the costs of security measures. Speaking at the Safeguarding Health Information: Building Assurance through HIPAA Security 2024 conference, Marissa Gordon-Nguyen, HHS OCR senior advisor for health information privacy, data and cybersecurity, said the changes to the Security Rule should help ensure that its security requirements address both current and emerging threats to ePHI.
Image credits: Oscar, AdobeStock