{"id":1669,"date":"2025-01-28T07:30:00","date_gmt":"2025-01-28T07:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1669"},"modified":"2025-01-28T07:30:00","modified_gmt":"2025-01-28T07:30:00","slug":"us-takes-aim-at-healthcare-cybersecurity-with-proposed-hipaa-changes","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1669","title":{"rendered":"US takes aim at healthcare cybersecurity with proposed HIPAA changes"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The US Department of Health and Human Services (HHS) has launched a consultation on stricter rules for the safeguarding of electronic health records.<\/p>\n<p>The <a href=\"https:\/\/www.federalregister.gov\/documents\/2025\/01\/06\/2024-30983\/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information?utm_campaign=subscription+mailing+list&amp;utm_medium=email&amp;utm_source=federalregister.gov\">proposed revamp of security rules<\/a> covered by the <a href=\"https:\/\/www.csoonline.com\/article\/570241\/hipaa-explained-definition-compliance-and-violations.html\">Health Insurance Portability and Accountability Act (HIPAA)<\/a> is designed to address the <a href=\"https:\/\/www.csoonline.com\/article\/564832\/biggest-healthcare-security-threats.html\">increased risk from cyberattacks<\/a> such as <a href=\"https:\/\/www.csoonline.com\/article\/3484304\/the-cyber-assault-on-healthcare-what-the-change-healthcare-breach-reveals.html\">ransomware against healthcare environments<\/a>.<\/p>\n<p>The revamped rules aim to enhance cybersecurity measures for electronic protected health information by requiring encryption of sensitive medical data, the rollout of <a 
href=\"https:\/\/www.csoonline.com\/article\/563753\/two-factor-authentication-2fa-explained.html\">multi-factor authentication<\/a> as a defense against phishing, and increased network security controls, such as network segmentation.<\/p>\n<p>The major update to the <a href=\"https:\/\/www.csoonline.com\/article\/570241\/hipaa-explained-definition-compliance-and-violations.html\">HIPAA security regulations<\/a> also requires healthcare organizations to strengthen <a href=\"https:\/\/www.csoonline.com\/article\/562125\/what-is-incident-response-and-how-to-build-an-ir-plan.html\">security incident response plans<\/a> and procedures and to carry out annual penetration tests and compliance audits, among other measures. Many of the proposals cover best-practice enterprise security guidelines foundational to any mature cybersecurity program.<\/p>\n<p><a href=\"https:\/\/www.federalregister.gov\/documents\/2025\/01\/06\/2024-30983\/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information\">Industry feedback on the rule changes<\/a> \u2014 which are due to become effective in June \u2014 is welcomed before a March 7 deadline.<\/p>\n<h2 class=\"wp-block-heading\">Health care revamp \u2018long overdue\u2019<\/h2>\n<p>Security and legal experts polled by CSO on the proposals were broadly supportive while noting that implementing these changes will require significant resources, costs, and personnel.<\/p>\n<p>Lisa Sotto, a partner at US law firm Hunton Andrews Kurth, and leader of its cybersecurity and data privacy practice, told CSO that <a href=\"https:\/\/www.hunton.com\/privacy-and-information-security-law\/hhs-announces-notice-of-proposed-rulemaking-to-update-the-hipaa-security-rule\">updates to the HIPAA Security Rule<\/a> are \u201clong overdue.\u201d<\/p>\n<p>\u201cThe cyber threat landscape has evolved dramatically in the last 20 years \u2014 but the rule has remained static, essentially two decades behind the current threat to 
healthcare systems,\u201d Sotto said. \u201cThe proposed rule would require measures that are already considered a security must \u2014 for example, it is no longer considered optional to have multi-factor authentication in place, and the proposed rule would mandate that covered entities implement MFA.\u201d<\/p>\n<p>Lack of multi-factor authentication played a <a href=\"https:\/\/www.csoonline.com\/article\/2140608\/8-critical-lessons-from-the-change-healthcare-ransomware-catastrophe.html\">key role in the Change Healthcare ransomware catastrophe<\/a> last year.<\/p>\n<p>\u201cThe proposed changes are extensive and would help HIPAA-covered entities focus on the security safeguards they should have in place to protect against the nefarious threat actors who have been relentlessly attacking healthcare entities,\u201d Sotto said.<\/p>\n<p><strong>[ See also: <a href=\"https:\/\/www.csoonline.com\/article\/3484304\/the-cyber-assault-on-healthcare-what-the-change-healthcare-breach-reveals.html\">The cyber assault on healthcare: What the Change Healthcare breach reveals<\/a> ]<\/strong><\/p>\n<p>Cybersecurity experts praised the shift to a risk-based approach covered by the security rule revamp, while some expressed concerns that the measures might tax the financial resources of smaller clinics and healthcare providers.<\/p>\n<p>\u201cThe security measures called for in the proposed rule update are proven to be effective and will mitigate many of the risks currently present in the poorly protected environments of many healthcare payers, providers, and brokers,\u201d said Maurice Uenuma, VP &amp; GM for the Americas and security strategist at data security firm Blancco. 
\u201cThis new rule update will drive much needed improvement by being more specific, prescriptive, and enforceable.\u201d<\/p>\n<p>Uenuma added: \u201cThe challenge will be to implement these measures consistently at scale.\u201d<\/p>\n<p>Trevor Dearing, director of critical infrastructure at enterprise security tools firm Illumio, praised the shift from prevention to resilience and the risk-based approach implicit in the rule changes, which he compared to the EU\u2019s recently introduced <a href=\"https:\/\/www.csoonline.com\/article\/570091\/eus-dora-regulation-explained-new-risk-management-requirements-for-financial-firms.html\">DORA rules for financial sector organizations<\/a>.<\/p>\n<p>\u201cFor years the guidance was to follow frameworks like the NIST, CSF, and CISA; however, implementation has been inconsistent at best,\u201d Dearing told CSO. \u201cThe new approach in the rule changes is similar to what we saw in DORA in the EU, introducing more prescriptive mandates on security controls like segmentation, while also allowing organizations to tailor security efforts to their specific risks so they\u2019re more effective and efficient.\u201d<\/p>\n<p>However, early returns on DORA, which went into force on Jan. 
17, have shown that midsize organizations in particular have been <a href=\"https:\/\/www.csoonline.com\/article\/3805126\/dora-implementation-keeps-bank-cisos-on-their-toes.html\">challenged to keep pace<\/a> with the mandate and that the regulation could <a href=\"https:\/\/www.csoonline.com\/article\/3804548\/eus-dora-could-further-strain-cybersecurity-skills-gap.html\">further strain cybersecurity skills gaps<\/a>.<\/p>\n<p>Greg Notch, chief security officer at managed detection and response vendor Expel, struck a more cautious tone, pointing out practical problems such as the difficulty of retrofitting MFA controls in environments full of legacy healthcare technology.<\/p>\n<p>\u201cThe updates predominantly require seemingly basic security hygiene, including things such as mandatory MFA, vulnerability management practices, asset inventories, audits, and encryption,\u201d Notch told CSO. \u201cThese appear on the surface to be basic, but for smaller regional hospitals and service providers these could be cost prohibitive or otherwise difficult to implement.\u201d<\/p>\n<p><strong>[ See also: <a href=\"https:\/\/www.csoonline.com\/article\/2140608\/8-critical-lessons-from-the-change-healthcare-ransomware-catastrophe.html\">8 critical lessons from the Change Healthcare ransomware catastrophe<\/a> ]<\/strong><\/p>\n<p>Notch continued: \u201cFor example, some healthcare equipment is quite expensive, with long duty cycles which make managing risk more difficult \u2014 and expensive. 
Some systems do not support MFA directly, and require additional and expensive technology to be implemented.\u201d<\/p>\n<p>Still, the expense necessary should prove a wise investment, Illumio\u2019s Dearing argued.<\/p>\n<p>\u201cWhile small and rural providers may struggle to upgrade, ignoring the problem is not an option, as cyberattacks on these devices could lead to significant long-term costs,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\">Cultural shift<\/h2>\n<p>Some experts argued that mandating additional security controls is unlikely to be effective unless it comes alongside changes in cybersecurity culture within healthcare providers.<\/p>\n<p>\u201cMerely introducing new rules without a cultural shift in how companies prioritize and implement robust security measures can render these updates ineffective,\u201d said Borja Rodriguez, manager of threat intelligence operations at cybersecurity vendor Outpost24. \u201cCompanies must not only comply with the rules but also embed cybersecurity into their core operations and invest in proactive strategies.\u201d<\/p>\n<p>Imposing stricter rules and fines could \u201cunintentionally provide leverage to ransomware groups,\u201d as these fines are often cited in ransom demands to pressure organizations into paying, Rodriguez warned.<\/p>\n<p>\u201cTo mitigate this, the government should consider balancing enforcement with incentives for genuine improvement in cybersecurity posture, such as funding, support programs, or recognition for achieving high security standards,\u201d\u00a0 Rodriguez said.<\/p>\n<p>Doing so could help dissuade healthcare organizations from viewing the issue entirely from a cost-analysis perspective.<\/p>\n<p>\u201cHistorically, healthcare providers felt it was better to pay a HIPAA fine rather than hire a security team and put all of the controls in place to protect patient data,\u201d said Bryan Marlatt, chief regional officer at cybersecurity consulting firm Cyxcel. 
\u201cToday, so many federal regulatory bodies are more empowered to take action on those not meeting data protection requirements.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Political uncertainty<\/h2>\n<p>The Trump administration has signalled a desire to reduce regulations, which leaves some uncertainty about what this will mean for the US Department of Health and Human Services and its proposed rule changes.<\/p>\n<p>\u201cTopics like cybersecurity, data privacy, and national security tend to have more bipartisan support compared to other issues,\u201d said Brian Arnold, director of legal affairs at managed detection and response firm Huntress. \u201cI think this situation creates an opportunity for tweaks and adjustments that might not have been possible if it had been proposed and adopted under the same administration. I don\u2019t expect these to be the final versions of the rules.\u201d<\/p>\n<p>Cyxcel\u2019s Marlatt said that some of the requirements are unrealistic and not likely to make it into the final version of the updated Security Rule.<\/p>\n<p><strong>[ See also: <a href=\"https:\/\/www.csoonline.com\/article\/564832\/biggest-healthcare-security-threats.html\">6 biggest healthcare security threats<\/a> ]<\/strong><\/p>\n<p>\u201cSome of the proposed changes go beyond what most organizations are able to provide today,\u201d Marlatt argued. \u201cOne item is the 24-hour notification period for changes in user access, modified or terminated, for anyone who can access ePHI [electronic protected health information] data. 
Another item includes the recovery of systems and data within 72 hours following a security incident.\u201d<\/p>\n<p>Marlatt warned: \u201cPosing such strict timelines on a healthcare, or other, organization drives incident responders to make mistakes.\u201d<\/p>\n<p>By contrast, other measures, such as vulnerability management, multi-factor authentication, malware protection, and data encryption, should be required of any entity that maintains sensitive data and \u201cshould be easier to stand up, if they don\u2019t already exist,\u201d according to Marlatt.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The US Department of Health and Human Services (HHS) has launched a consultation on stricter rules for the safeguarding of electronic health records. The proposed revamp of security rules covered by the Health Insurance Portability and Accountability Act (HIPAA) is designed to address the increased risk from cyberattacks such as ransomware against healthcare environments. 
The [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1670,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1669","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1669"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1669"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1669\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1670"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}