Proposed HIPAA Updates and What They Mean for Healthcare IT teams

by Jacob Johnson, CISO of ArmorPoint, 02/26/2025

Few industries rely more heavily on sensitive personal information than the healthcare sector, and therefore few collect, store and share as much data. The Department of Health and Human Services (HHS) recently issued a notice of proposed HIPAA revisions – “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” – which would strengthen the current Security Rule guidelines. This is a necessary and critical step for the healthcare industry to mitigate increasingly frequent and costly cyberattacks.

In fact, several strategic and infrastructural updates are overdue, or urgent enough, that healthcare IT teams should make them as soon as possible, regardless of when and to what extent compliance will require them. Given the inherent data risks taken on by healthcare organizations – and the great financial and reputational costs when an incident occurs – these updates should not only be viewed philosophically as an extension of physician-patient privilege but also welcomed as a matter of practicality by organizations with businesses to run.

Here’s what the new cybersecurity rules will ultimately require of healthcare networks and facilities.

Specific Requirements of Proposed HIPAA Updates

The HIPAA updates proposed by the HHS to improve cybersecurity in the healthcare industry are, in HHS’s own words, intended to “better protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).” The proposal marks the first proposed revision to HIPAA since 2013 and is intended to mitigate cyberattacks on healthcare providers, which have skyrocketed over the past several years.

The Office for Civil Rights tracked a greater than 100 percent increase in large breaches from 2018 to 2023, and found that the number of people affected by healthcare data incidents leapt by more than 1,000 percent. Clearly, changes are necessary. As such, the update would require healthcare organizations to:

  • Create a technology asset inventory and network map that details the movement of ePHI data through its systems. Both would need to be updated at minimum once per year or when environments or operations change.
  • Provide a “more specific” review of their risk analyses.
  • Use multi-factor authentication.
  • Scan systems for vulnerabilities at least every six months.
  • Conduct penetration testing at least once a year.

Essentially, HIPAA will now require that healthcare organizations conduct thorough and routine cybersecurity risk assessments. A favored risk-assessment framework includes vulnerability monitoring, vulnerability scanning and security monitoring. However, many hospital and healthcare systems lack the infrastructure and expertise to reliably safeguard against current and future security threats, let alone to respond with appropriate measures in the event of an attack.

How Healthcare Organizations Can Tackle Cybersecurity Despite Limited Resources

Past HIPAA standards had been outdated before the HHS’ recent notice, and although its proposed updates are well-intentioned and a step in the right direction, even they are, respectfully, behind the times. Given the threats now facing healthcare data systems, satisfying all the necessary security controls requires a framework that includes current technology solutions, authoritative risk-management awareness and constant vigilance. Most healthcare organizations are missing at least one component in that equation, and many lack all three. Outsourcing cybersecurity to an accredited, third-party cybersecurity partner is often the most viable option for managing data risk in the healthcare industry.

An external partner is better equipped to take the lead on increasingly complex cybersecurity issues than a healthcare enterprise. A cybersecurity partner can address individual controls, such as retaining system logs and creating an incident response plan.

A third-party platform can also provide a security operations center (SOC) as part of its service, which can help satisfy specific HIPAA security controls and address other risk-mitigating workflows, as well as activate an incident response team in the case of a breach or recognized threat. A cybersecurity partner can also help an organization create and then enforce better policies and procedures, tying them to its platform for additional monitoring.

Meeting (and Exceeding) the New Standards

Healthcare facilities often fight financial limitations and time constraints that bury cybersecurity down a lengthy list of everyday and future priorities, but data threats are clever, constant and potentially devastating. Ignoring or downplaying information risk management, or leaving it in anything less than expert hands, is an invitation for bad actors and damage that may be impossible to undo.

A cybersecurity partner can help a healthcare organization tailor its own risk management processes to HIPAA standards and organizational preferences – which may exceed HIPAA standards – while bringing its program online (and into compliance) far sooner and more efficiently than a facility likely could on its own.

Regularly updated and thorough cybersecurity processes and risk analyses are essential to patient health and safety. Regardless of whether these updates are formally mandated, healthcare operators should implement as many of the recommended strategies as they can to prevent increasingly common attacks.


About Jacob Johnson

Jacob Johnson is Chief Information Security Officer for ArmorPoint, a managed SIEM provider used by mid-market and enterprise-sized organizations. Johnson has almost 20 years of experience in network engineering and cybersecurity, including work with the U.S. Department of Defense where he managed a range of technical solutions for civilian and military capabilities. He has extensive knowledge and hands-on experience in cybersecurity, compliance and IT risk management.
