Enhancements to the HIPAA Security Rule. Is your organization ready?

Happy New Year from the US regulators and lawmakers who have proposed new legislation to protect hospitals from cyberattacks after a year of massive data breaches, ransomware attacks, and software outages. The problem? Many smaller providers are already fighting cyber criminals every day, and losing.

A bipartisan bill proposed in the Senate in November would require the Department of Health and Human Services (HHS) to overhaul its own cybersecurity capabilities and develop incident response plans to follow in the event of a cyberattack (wait, you’re telling me that prior to this year, the HHS didn’t have an incident response plan? - DM). The bill would also add stricter cybersecurity requirements to the Health Insurance Portability and Accountability Act (HIPAA), including mandates for multifactor authentication and regular audits.

In addition to the above-mentioned bill, the HHS separately submitted HIPAA updates in October to the White House for review, which included new requirements for protecting electronic health information. These rules have now been released for public comment and would apply to the covered entities listed below that handle protected health information (PHI). PHI includes demographic data that relates to: 1) an individual’s past, present, or future physical or mental health or condition, 2) the provision of health care to the individual, or 3) the past, present, or future payment for the provision of health care to the individual, and that identifies the individual through common identifiers such as name, address, birth date, and Social Security Number.

Covered entities that are required to follow the security requirements defined by HIPAA include 1) health plans (individual and group plans that provide or pay the cost of medical care for more than 50 participants; this includes insurance companies, Medicare, and Medicaid), 2) health care providers who, REGARDLESS OF THEIR SIZE, electronically transmit health information to other covered entities, 3) health care clearinghouses, which process non-standard information they receive from another entity into a standard format or vice versa, and 4) business associates, defined as a person or organization that is not part of the covered entity’s workforce but performs certain functions on its behalf that involve the use or disclosure of individually identifiable health information. Activities that business associates typically perform on behalf of a covered entity include claims processing, data analytics, and billing.

The newly proposed HIPAA security regulation runs 393 pages and includes extensive changes to the HIPAA Security Rule, including: developing and maintaining an inventory of your technology assets and a network map that illustrates how PHI moves through your organization; performing a risk analysis to identify ‘reasonably anticipated threats to the confidentiality, integrity and availability’ of PHI; developing written procedures for restoring data within 72 HOURS based on the criticality of the data; conducting internal audits every 12 months to assess compliance with the Security Rule; conducting vulnerability scans every six months and penetration tests every 12 months; implementing patches and software updates in a timely manner; verifying a business associate’s security measures at least annually; encrypting all PHI at rest and in transit; multi-factor authentication; and anti-malware protection.

I don’t know where to start when discussing the challenges that these new regulations pose. First of all, let’s talk about who fits the description of a ‘health care provider’ based on the definition provided by HIPAA. This includes any provider who, regardless of size, transmits health information in connection with certain transactions. Your dentist, who owns a private practice, needs to send information to an endodontist about your root canal? Now required to comply with 393 pages of updated HIPAA security rules. Your doctor, who shares a practice with five other physicians, needs to send an order for a prescription to your pharmacy? Now required to comply with 393 pages of updated HIPAA security rules.

Now, I think we’d all agree that the health industry is one in which the quality of security can be improved, given the number and magnitude of cyberattacks and data breaches that have impacted the sector over the last several years. Within the 393-page proposed rule, a 2024 study performed by the Ponemon Institute on cyber ‘insecurity’ in healthcare found that 92% of surveyed health care organizations experienced a cyberattack in the past year, and almost three-quarters of the respondents who had experienced a cyberattack reported negative effects on patient care, including delays in tests or procedures, longer stays, increased mortality rates due to complications from medical procedures, and patient transfers or diversions to other facilities. Yeah, we can probably do better here, guys….

But is the answer really 393 pages of updated security rules that I could only read in 20-page increments? Let’s think about the small health care providers and business associates who electronically transmit PHI. Do you think many of these organizations have a Chief Information Security Officer? Do you think many of them have someone on staff dedicated to cybersecurity? Honestly, in what would be considered a larger practice, they’d be lucky to have a Director of IT. Smaller clinics and specialized providers don’t know where to start and often can’t qualify for basic cyber insurance policies. A lack of technical resources at small organizations means that all of the advice, tools, and assistance provided by the federal government is worthless if they have no one on staff to interpret it.

This is EXACTLY why Malcom Risk Advisors was formed. Our cybersecurity expertise can be used to help you digest the 393 pages of new security requirements, perform a gap analysis to identify areas of risk and non-compliance, assist you in implementing realistic and cost-efficient solutions to achieve compliance, and conduct annual audits of your own organization’s security capabilities as well as those of your business associates. We can work with you under a monthly retainer agreement that makes our experts available to you 24x7, or by performing individual projects, which could include interpreting the rule changes, performing gap analyses, recommending and implementing missing cybersecurity controls, and conducting internal audits. Please reach out to us today so we can keep you from becoming one of the 567 health care organizations that reported a cybersecurity incident to the HHS in 2024.

David Malcom
