HIPAA Compliance for Healthcare: New Amendments Target Big Security Gaps
Let’s be honest. The last few years in healthcare security have been downright rough. Healthcare data is highly valuable on the black market and too easy to hold hostage via ransomware. It shouldn’t be surprising that big changes are needed – especially since changes to HIPAA compliance haven’t happened in 12 years.
We all know why… But in case you don’t, HHS and Forescout have some facts for you to ponder:
HHS:
- Large breaches in healthcare increased by 102% from 2018 to 2023
- In 2023 alone, breaches affected 167 million individuals or nearly half of the U.S. population
Forescout Research – Vedere Labs:
- IoT devices, including IoMT assets, had a 136% increase in vulnerabilities YoY
- In 2022, we discovered 7,000 exposed medical systems on the internet, including PACS, healthcare integration engines, electronic health records, medication dispensing systems, and medical image printers.
- In 2024, we found 225 medical dispensing systems exposed to the internet – up 23% from 2022
Need help today? Get your free copy of Gartner’s latest vendor report “2024 Gartner® Market Guide for Medical Device Risk Management Platforms”
Latest Proposed Amendments to HIPAA
On January 6, 2025, the U.S. Health and Human Services Department (HHS) published a notice of proposed rulemaking (NPRM) that could make a major impact.
HHS aims to modify the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
The “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” aims to revise existing standards to better protect the confidentiality, integrity, and availability of electronic protected health information (ePHI), according to HHS.
These proposed changes would also increase the cybersecurity for ePHI by revising the Security Rule to address the following:
- Changes in the environment where healthcare is provided
- Significant increases in breaches and cyberattacks
- Common deficiencies of Security Rule compliance by covered entities and their business associates (“regulated entities”)
- Other cybersecurity guidelines, best practices, methodologies, procedures, and processes
- Court decisions that affect enforcement of the Security Rule.
The Security Rule was last revised in 2013, so this proposal describes the most substantive changes to HIPAA to date. Which “regulated entities” do these amendments apply to? Health plans, healthcare clearinghouses, healthcare providers, healthcare facilities, insurance companies, and business associates, according to Dark Reading.
Why This Is Happening Now
When HIPAA was created in the mid-1990s, “there was this big push to transfer medical and health records to the electronic medium…and it was all about protecting patient privacy but not necessarily securing those records,” Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC) told Dark Reading.
In addition, despite threats to ePHI rising every year, the Security Rule has not been updated since January of 2013 – a 12-year gap during which time the volume, types, and sophistication of threats have all increased substantially.
After several major attacks in 2023 and 2024 including Change Healthcare, the government is pushing the industry to tighten up its security practices.
New legislation brought forward in 2024, dubbed the Health Infrastructure Security and Accountability Act (HISAA), would create significant new security requirements for HIPAA Covered Entities and Business Associates. Under HISAA, minimum and enhanced security requirements would be developed with CISA and the Director of National Intelligence, with fines for non-compliance.
Highlights of the Proposed Rule Changes
While there are a multitude of new security and compliance requirements, the HIPAA Journal outlines 17 key requirements. First, each regulated entity needs to establish a technology asset inventory and network map. This is the fundamental prerequisite to all other requirements.
Section 164.306 of the proposed rule (Security Standards: General Rules) states that a regulated entity must identify its information systems that create, receive, maintain, or transmit ePHI and all technology assets, as defined in 45 CFR 164.304: “Regulated entities cannot understand the risks to the confidentiality, integrity, and availability of their ePHI without a complete understanding of these assets.”
The list of 17 requirements can be categorized into five main areas:
- Asset Insights
- Risk Analysis
- Securing and Isolating Key Network Components
- Incident Response Planning
- Compliance Audits
Continuous and ongoing performance in all five areas forms the key to success, explains The HIPAA Journal:
- Technology asset inventory and network map – The development and revision of a technology asset inventory and network map illustrating the movement of ePHI throughout the regulated entity’s electronic information systems on an ongoing basis, but at least every 12 months.
- Risk analysis – More specific requirements for risk analysis, including: a review of the technology asset inventory and network map; the identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; the identification of potential vulnerabilities and predisposing conditions in the regulated entity’s relevant electronic information systems; and an assessment of the risk level for each identified threat and vulnerability based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- Contingency planning and security incident response – Development of written procedures for restoring data within 72 hours, including restoration priority based on criticality.
- Security Rule compliance audits need to be conducted at least every 12 months
- Reviews and tests of security measures need to be conducted at least every 12 months
- Vulnerability scans – Every 6 months
- Penetration tests – Every 12 months
- Encryption – Encryption of all ePHI at rest and in transit
- Multi-factor authentication
- Network segmentation
- Anti-malware protection
- Technical safeguard for portable devices – Controls required for computer workstations extended to mobiles, tablets, and other portable devices.
- Patch management
- Unnecessary software removal
- Disable unused network ports
- Data backups
- Business associate cybersecurity – At least every 12 months
What the Rule Changes Mean for the Healthcare Industry: It’s Not Optional
Clearly, the new Security Rule, if implemented, would beef up cybersecurity protections for electronic health information and better manage evolving threats against healthcare organizations. Moreover, it would do away with the optional element of the existing rule, which states that some specifications are “required” while others are “addressable”; healthcare organizations have been able to exploit this loophole by not properly spending on the key security and compliance areas listed above.
HHS calls out this critical change in its statement:
“We are concerned that some regulated entities proceed as if compliance with an addressable implementation specification is optional. That interpretation is incorrect and weakens the cybersecurity posture of regulated entities.”
When Will Healthcare Stakeholders Need to Act on the NPRM?
Stakeholders have until March 7, 2025 to comment on the rules by visiting this Federal Register page and clicking on the “Submit a Public Comment” button near the top. HHS will issue the final version of the rule afterward. Healthcare organizations should note that a compliance date will be set by HHS just 180 days after publication of the final rule. So, CIOs and CISOs should prioritize a review of the proposed requirements and perform a gap analysis in their own security and compliance posture relative to the proposed rule.
Acting soon will also help to mitigate any fines, penalties, and/or additional actions which the federal government may take against healthcare organizations that fail to comply with the new rule once published. As The HIPAA Journal pointed out, “HIPAA-regulated entities that demonstrate they have adopted recognized security practices will benefit from a decrease in the length and extent of audits and investigations of data breaches, and OCR (part of HHS) will consider recognized security practices as a mitigating factor to reduce any financial penalties that would otherwise have been applied.”
Forescout Is Here to Help
When you automate cybersecurity device assessment and policy enforcement with the Forescout Platform, adhering to the new HIPAA Security Rule and consistently passing compliance audits become byproducts of your standard security operations.
Forescout helps organizations build and maintain a secure network, drive a vulnerability management program, implement strong access control measures, monitor and test networks, and maintain an information security policy. You can leverage the platform for organization-wide control to track devices and their users within legacy, new and highly technical network infrastructure without reengineering the established network or disrupting services.
The Forescout platform lets you see and monitor devices on the network, from endpoints such as PCs, laptops and printers, to medical IoT (IoMT) devices and personally owned smartphones and tablets. You can also enforce network access policies across the network hierarchy, from switches to access and distribution layers.
Many IoMT devices are especially vulnerable since they cannot host third-party security agents, run outdated or unsupported operating systems, cannot be patched and often lack even the most basic security features. Forescout helps overcome these limitations with its agentless approach and its support for heterogeneous systems.
To understand the full context of today’s IoMT risks in healthcare, watch this webinar: