
Proposed HIPAA Cybersecurity Changes

Bola Ogbara

The HHS proposes new cybersecurity rules for HIPAA in an NPRM to enhance protections for electronic health information.

Proposed HIPAA cybersecurity changes

On December 27, 2024, the Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM) to update the HIPAA (Health Insurance Portability and Accountability Act) Security Rule with stronger cybersecurity requirements. The NPRM was issued by the Office for Civil Rights (OCR), which enforces the Security Rule. The Security Rule sets the national standards that covered entities and their business associates must meet to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

 

America’s health systems face serious cybersecurity challenges. The American Hospital Association counted at least 386 cyberattacks on the sector in 2024, mainly ransomware and data theft, and 2023 was the worst year on record for cyberattacks on US hospitals. Healthcare organizations are often described as “target rich, resource poor”: they hold sensitive patient and billing data that is valuable to criminals, especially ransomware affiliates, and they can rarely afford the staff and tooling needed to defend it. The same characteristics that make them attractive targets, such as dependence on always-on clinical systems, also raise the stakes of any outage.

 

This update to HIPAA is the most recent in a long line of federal initiatives to reduce the number and impact of cyberattacks in the industry. In late 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity toolkit specifically for the Healthcare and Public Health (HPH) sector, and HHS published its own healthcare cybersecurity strategy shortly after. In early 2024, HHS completed the first step of that strategy by publishing voluntary Cybersecurity Performance Goals (CPGs) for healthcare organizations. The NPRM is a later step in the same strategy: rather than adding more voluntary best practices, it would turn many of those practices into enforceable requirements under the Security Rule.

 

Key amendments include modernizing definitions and implementation specifications to account for technological change, setting specific compliance deadlines for each requirement, requiring more rigorous and better-documented risk analyses, and mandating an annual compliance audit, vulnerability scanning at least every six months, and penetration testing at least annually. The proposal would also remove the current distinction between “required” and “addressable” implementation specifications, so that controls such as encryption of ePHI at rest and in transit and multi-factor authentication become mandatory rather than optional, with only narrow exceptions. The amendments that have drawn the most concern are the incident response requirements: covered entities and business associates would need a written incident response plan that includes procedures to restore the loss of critical electronic information systems and data within 72 hours.

 

Sara Goldstein, a regulatory attorney at the BakerHostetler law firm, said the three-day goal could be unworkable: "Many covered entities and business associates have plans to restore access to data as soon as possible. But in reality, it can sometimes take organizations much longer to restore due to unforeseen issues, and implementing a 72-hour requirement is likely not realistic for most covered entities and business associates, as it can take longer than that to confirm that an incident is contained and if access to systems is restored too quickly, there is a risk of a second incident occurring.”

 

Others point to the cost of complying with these rules. Errol Weiss, the chief security officer of the Health Information Sharing and Analysis Center (Health-ISAC), said the cost “to fulfill these provisions will be enormous. Where is the money coming from to pay for all this? It can't be from future savings from avoided breach penalties. Financially strained healthcare providers, especially small rural hospitals, don't have the resources to support these new proposals.” These worries are not new to HHS’ cybersecurity efforts; in fact, the second step of its cybersecurity strategy is to provide resources that help under-resourced healthcare providers reach these standards. So far, though, there has been little clarity on what that support will look like.

 

The NPRM is scheduled for publication in the Federal Register on January 6, 2025, but stakeholders can already submit comments at regulations.gov. Public comments will be due 60 days after publication in the Federal Register, which puts the deadline at March 7, 2025.