HHS Proposes Changes to HIPAA Security Rule to Enhance Cybersecurity

The proposed changes would enhance cybersecurity protections for electronic protected health information.

By Jeff Wardon, Jr., Assistant Editor


Cybersecurity continues to be a forefront issue for healthcare facilities as cyberattacks and data breaches keep ramping up. A survey from Proofpoint and the Ponemon Institute found that 92 percent of healthcare organizations experienced at least one cyberattack in the last 12 months prior to October 2024. 

Certain steps must be taken to safeguard sensitive data that healthcare facilities and organizations keep hold of. 

The U.S. Department of Health and Human Services (HHS) has proposed changes to the HIPAA Security Rule to enhance cybersecurity protections for electronic protected health information (ePHI). These updates aim to address growing cyber threats in healthcare. 

Related: Remote Access Systems Pose Cybersecurity Risk

Key proposed changes include: 

  • Making all security requirements mandatory, with few exceptions. 
  • Requiring detailed documentation of security policies and risk analyses. 
  • Updating standards to reflect modern technology and terminology. 
  • Introducing specific deadlines for compliance with requirements. 
  • Mandating asset inventories, network mapping and encryption of ePHI. 
  • Strengthening incident response, contingency planning and system restoration timelines. 
  • Requiring regular vulnerability scans, penetration testing and multi-factor authentication. 
  • Enhancing oversight by conducting annual audits and ensuring business associates meet security standards. 

With cyberattacks becoming increasingly common, mounting a defense against them to protect sensitive data becomes equally as critical. Cloudely recommends the following for ongoing compliance and data security: 

  • Healthcare organizations must develop robust data governance structures which outline effective data asset management. This means the data is cared for professionally from beginning to end, covering data collection, storage, processing and sharing. 
  • The healthcare workforce needs to understand their responsibility to safeguard data while being trained and educated about phishing attacks, protecting passwords and properly disclosing sensitive information. 
  • Protocols for safeguarding data need to encrypt information at rest and in motion-controlled accessibility, meaning only authorized individuals can have access to sensitive materials and secured messaging. 
  • Routine security audits and risk assessments need to identify vulnerabilities or gaps in defenses before they are exploited. In addition, patient data must be backed up as well. 
  • Plans and tests need to be in place for data breaches so that they are addressed accordingly. Also, tight access controls need to be implemented so any unpermitted access to sensitive information is limited. 

Jeff Wardon, Jr., is the assistant editor for the facilities market. 



January 10, 2025


Topic Area: Information Technology , Security


Recent Posts

Oracle Health Hit by Data Breach, Patient Data Possibly Compromised

The incident is the latest in a growing list of third-party vendors suffering from cyberattacks.


Ground Broken on New MD Anderson Sugar Land Facility

Anticipated to open in 2029, the five-story location will be MD Anderson’s largest Houston-area location to date.


Florida State University Reveals Plans for Panama City Beach Hospital

The targeted opening date is in 2028.


The Effect of Over-Cleaning on Human Health

Environmental services managers should be concerned and informed about the oral and dermal toxicity of all chemicals used in their facilities.


Rumored Terror Threat to Hospitals Prompts FBI Warning

Despite no threat, healthcare facilities are urged to review emergency preparedness protocols.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.