HIPAA Update to Include Cybersecurity Requirements for Health Care Organizations
An update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule is now underway and will add new cybersecurity requirements. In addition, the Department of Health and Human Services (HHS) is issuing new guidance to help health care providers prepare for and respond to cyber threats.
The update is designed to help the health care sector build a more resilient system. HHS has issued a Healthcare Sector Cybersecurity concept paper that sets out voluntary, health care-specific Cybersecurity Performance Goals (CPGs) to help organizations prioritize implementation of high-impact cybersecurity practices. The practices are designed to improve cyber resiliency and ultimately protect patients’ health information and safety. “Hackers are getting wiser,” said Dotty Bollinger, JD, Healthcare Compliance Consultant, Compliancy Group, Greenlawn, New York. “I do believe cyberattacks are a greater threat than they’ve ever been, and unfortunately there is still a prevalent belief that ‘it won’t happen to us.’”
The health care sector is particularly vulnerable to cybersecurity risks, and the stakes for patient care and safety are high. Health care facilities are attractive targets for cyber criminals because of their technological dependence and sensitive data. HHS tracks large data breaches through its Office for Civil Rights (OCR). The latest data show a 93% increase in large breaches (from 369 to 712) reported from 2018 to 2022. During that same period, there was a 278% increase in large breaches involving ransomware reported to OCR.
“I’ve seen so many well-meaning health care practices and providers build robust compliance programs only to skimp on cyber protections because the practice lacks expertise or money to make bold moves in cyber protection,” Bollinger said.
Recent cyber incidents affecting hospitals and health systems have led to widespread care disruptions with patients being diverted to other facilities. These attacks impact local emergency departments, radiology units, and cancer centers.
Currently, health care organizations have access to numerous cybersecurity standards and guidance. The HHS, with input from industry, is establishing voluntary sector-specific cybersecurity performance goals. These goals provide a clear direction for industry and help to inform potential future regulatory action. The Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals (HPH CPGs) are designed to help health care institutions better prioritize the implementation of high-impact cybersecurity practices.
HHS envisions the establishment of two programs. One would provide an upfront investment to help high-need health care providers, such as low-resourced hospitals, covering the upfront costs of implementing the “essential” HPH CPGs. A second program would provide incentives to encourage all hospitals to invest in the more advanced cybersecurity practices.
Given the increased risk profile of hospitals, HHS wants to have all hospitals meeting sector-specific CPGs in the coming years. With additional authorities and resources, HHS will propose incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.
An update to the HIPAA Security Rule is planned for this spring and will include new cybersecurity requirements. Separately proposed changes to HIPAA’s patient right-of-access provisions include letting patients inspect their protected health information (PHI) in person and allowing them to take notes or photographs of their PHI. Another change under discussion is shortening the maximum time allowed to provide access to PHI from 30 days to 15 days.
While the pending changes have been talked about for quite some time, the operational impact to most providers will be minimal, Bollinger said. “I see these changes that essentially ease a patient’s access to their own PHI as being really a codification of the service element,” she said. “It’s the patient’s PHIs. We live in an instant world with technology, and now we need to move promptly and in different ways to provide quick access.”
A serious concern is the tracking of patient data. HIPAA privacy requirements may be violated through the collection of patient data and its downstream use. “As a consumer of health care who is knowledgeable about security processes generally,” Bollinger said, “I am concerned that aggregated data is allowing someone, the government, insurers, or health systems, to make assumptions about me based on this trending of patient data. With the presence of AI in health care, I’m even more concerned that individual privacy is at risk.”
Ryan Witt, vice president of Industry Solutions for Proofpoint in Sunnyvale, California, recommends that clinicians follow the guidance from the HHS’s 405(d) program. It aims to develop consensus-based best practices and methodologies to strengthen the health care and public health sector’s cybersecurity preparedness. “It is highly likely that any subsequent HIPAA legislation will be tightly aligned to the 405(d) recommendations for enhanced cybersecurity resiliency,” Witt said.
The health care industry will always be vulnerable because of the high-value nature of its data. “Health care also stores a disproportionately large amount of data and often must keep that data for long periods, increasing the size of the attack surface,” Witt explained. “The industry also has many third-party workers and a significant number of remote workers, both of whom often use employee-owned devices, which complicates the attack vector.”
Proactive steps to help build a more resilient system for healthcare providers are warranted. Cyberattacks on health care organizations now are coming from all over the world, and they are escalating. “The risk is as great as has ever been and the resulting detrimental impact on patient care is a significant area of concern,” Witt said. “The guidance, for example from the 405(d) team, available to the health care industry is clear, pragmatic, and highly valuable. Health care now needs to catch up and match other industries that have made significant investments in improving their cybersecurity preparedness.”