HHS Proposes Changes to HIPAA Security Rule to Enhance Cybersecurity

The proposed changes would enhance cybersecurity protections for electronic protected health information.

By Jeff Wardon, Jr., Assistant Editor


Cybersecurity continues to be a forefront issue for healthcare facilities as cyberattacks and data breaches keep ramping up. A survey from Proofpoint and the Ponemon Institute found that 92 percent of healthcare organizations experienced at least one cyberattack in the last 12 months prior to October 2024. 

Certain steps must be taken to safeguard sensitive data that healthcare facilities and organizations keep hold of. 

The U.S. Department of Health and Human Services (HHS) has proposed changes to the HIPAA Security Rule to enhance cybersecurity protections for electronic protected health information (ePHI). These updates aim to address growing cyber threats in healthcare. 

Related: Remote Access Systems Pose Cybersecurity Risk

Key proposed changes include: 

  • Making all security requirements mandatory, with few exceptions. 
  • Requiring detailed documentation of security policies and risk analyses. 
  • Updating standards to reflect modern technology and terminology. 
  • Introducing specific deadlines for compliance with requirements. 
  • Mandating asset inventories, network mapping and encryption of ePHI. 
  • Strengthening incident response, contingency planning and system restoration timelines. 
  • Requiring regular vulnerability scans, penetration testing and multi-factor authentication. 
  • Enhancing oversight by conducting annual audits and ensuring business associates meet security standards. 

With cyberattacks becoming increasingly common, mounting a defense against them to protect sensitive data becomes equally as critical. Cloudely recommends the following for ongoing compliance and data security: 

  • Healthcare organizations must develop robust data governance structures which outline effective data asset management. This means the data is cared for professionally from beginning to end, covering data collection, storage, processing and sharing. 
  • The healthcare workforce needs to understand their responsibility to safeguard data while being trained and educated about phishing attacks, protecting passwords and properly disclosing sensitive information. 
  • Protocols for safeguarding data need to encrypt information at rest and in motion-controlled accessibility, meaning only authorized individuals can have access to sensitive materials and secured messaging. 
  • Routine security audits and risk assessments need to identify vulnerabilities or gaps in defenses before they are exploited. In addition, patient data must be backed up as well. 
  • Plans and tests need to be in place for data breaches so that they are addressed accordingly. Also, tight access controls need to be implemented so any unpermitted access to sensitive information is limited. 

Jeff Wardon, Jr., is the assistant editor for the facilities market. 



January 10, 2025


Topic Area: Information Technology , Security


Recent Posts

How Backup Power Needs Vary Across Healthcare Settings

Manufacturers discuss how evolving codes, technologies and care settings shape healthcare backup power strategies.


Flexible Design Strategies Help OhioHealth Maximize Clinical Space

Doing more with less was key to the renovated facility’s design.


New Bass Center for Childhood Cancer and Blood Diseases Opens

The new space not only offers more exam rooms but also features 15 private infusion bays to allow privacy for all patients and their caregivers during treatment.


Encompass Health Rehabilitation Hospital of Daytona Beach Opens

Hospital amenities include all private patient rooms, a spacious therapy gym featuring advanced rehabilitation technologies, an activities of daily living suite and more.


What Healthcare Facilities Can Learn from a $49 Million Window Failure

A major window system failure at the University of Iowa’s Children’s Hospital sparked a costly replacement project – and a $49.4 million arbitration win.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.