
Title: Preparing for HIPAA's Upcoming Shift in Gear

In a recent move to bolster digital safety, the proposed changes to HIPAA as outlined in a Notice of Proposed Rulemaking (NPRM) focus on beefing up cybersecurity safeguards for electronic protected health information (ePHI).



Healthcare CIOs and CISOs are keeping an eye on the recent proposal by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to revamp the HIPAA Security Rule. This overhaul, as outlined in a Notice of Proposed Rulemaking (NPRM), seeks to fortify cybersecurity protections for electronic protected health information (ePHI). As these leaders assess the potential implications, they ponder if these adjustments will satisfy compliance needs or improve the framework for safeguarding patient data.

The most significant measures fall under two main themes for healthcare CIOs:

Enhanced Documentation

The proposal suggests that regulated entities must maintain a current and up-to-date technology asset inventory and network map, tracking ePHI flow throughout electronic systems. Organizations must scrutinize and revise the inventory and map annually or whenever significant changes in the entity's environment or operations could potentially affect ePHI.

Creating updated inventories and system maps can be challenging for organizations with limited technical resources. Smaller organizations may find it necessary to bring in a dedicated virtual CIO or consulting resources to manage this task. Carter Groome, CEO at First Health Advisory, agrees and states, "Small and rural facilities would face a daunting challenge to meet these baselines – even securing an accurate asset inventory is a colossal task."

Organizations must establish written guidelines to restore critical electronic information systems within 72 hours of a loss. While establishing these written procedures is a positive first step, healthcare organizations must routinely test and verify their ability to restore systems within the allotted timeframe. This process is intricate and requires consistent practice to ensure readiness.

The main concern for a healthcare CIO is that meeting a 72-hour system restore target requires a comprehensive redesign of existing disaster recovery plans. Healthcare executives should begin budgeting for this undertaking now, as it will increase costs.

Enhanced Technical Safeguards

On the technical side, the proposed rule includes safeguards to bolster the protection of ePHI. It mandates encryption of ePHI both at rest and in transit, with limited exceptions, ensuring the data's security throughout its lifecycle. Multi-factor authentication is also required to bolster access controls and prevent unauthorized access, as this practice is now an industry standard.

Other security measures under the proposed rule include mandatory vulnerability scanning every six months, penetration testing at least annually, and network segmentation to limit how far a breach can spread.

Regulated entities must have distinct technical controls for backing up and recovering ePHI and the systems that hold it, to ensure data integrity and availability. Additionally, these entities must assess the effectiveness of specific security measures annually, replacing the current general obligation simply to maintain them. These safeguards aim to improve the security posture and reduce risk across healthcare organizations.

Carter Groome commends the effort and shares his thoughts, "I'm pleased to see OCR leaned on the HHS cyber performance goals (CPGs), and explicit terms such as 'deploy' and 'required' may clarify long-standing ambiguity."

However, the main question remains: will these updates come too late by the time the rules are finalized and enforced? The technical guidelines may already be outdated by the time they become law, so healthcare providers must remain vigilant and adaptable to keep pace with technological advancements and hackers' ingenuity.


  1. In light of the proposed changes, healthcare CIOs are considering how the enhancement of technical safeguards, such as encryption of ePHI and multi-factor authentication, will impact their current systems and require potential upgrades or modifications.
  2. As the role of a CIO in healthcare becomes increasingly focused on cybersecurity, CIOs and CISOs are closely monitoring the proposed changes to the HIPAA Security Rule to understand how they will impact their organization's healthcare information security and overall compliance efforts.
