HHS Proposes New HIPAA Mandates: Strengthening Cybersecurity for Protected Health Information


The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proposed new mandates under the Health Insurance Portability and Accountability Act (HIPAA) on December 27, 2024. The proposed changes aim to strengthen cybersecurity protections for electronic protected health information (ePHI).
Key Proposed Requirements:
- Mandatory Multi-Factor Authentication (MFA): MFA, already a standard security measure, would become a requirement.
- Enhanced Encryption Standards: Stronger encryption for ePHI both at rest and in motion.
- Incident Response and Breach Reporting Enhancements: Improved processes for handling security incidents and reporting them.
- Third-Party Risk Management: More rigorous oversight of third-party vendors and their security practices.
- Regular Security Audits and Compliance Reviews: Consistent assessments to ensure ongoing compliance.
Strengthening Data Security: Practical Steps
The proposed regulations do not introduce entirely new concepts; they reinforce existing best practices with greater rigor. The key areas for improvement are:
Technology and Data Security Measures:
- Data Discovery and Encryption: Know where your sensitive data resides and encrypt all ePHI, both at rest and in motion. This includes data being shared internally and externally.
- Multi-Factor Authentication (MFA): Implement MFA to ensure the identity of users accessing sensitive data.
Governance and Policies:
- Regular Security Audits: Conduct frequent audits to identify vulnerabilities and ensure compliance.
- Role-Based Access Control: Implement a well-defined access control strategy to limit data access to authorized personnel.
- Data Retention Policies: Minimize the amount of data you store. Delete unnecessary data or encrypt and restrict access to older data.
- Data Masking and Redaction: Protect sensitive information by masking it or redacting it. Masking replaces a value with realistic-looking but non-identifiable data that keeps the original format; redaction removes the value entirely, so the information is permanently gone.
- Strong Password Policies: Enforce robust password policies and consider password managers or passwordless authentication methods.
- Monitoring and Logging: Monitor logs for suspicious activity, and protect any sensitive data that ends up in the logs themselves, for example by masking or redacting it before the logs are stored and shared.
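The masking-versus-redaction distinction above, applied to the logging bullet: an added example (not from the original post or from PKWARE's product) that scrubs a constructed log line both ways. The identifier formats, the HMAC-based consistent masking and the sample key are assumptions for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample key; in production this is a managed, rotated secret that is
# never logged, since anyone holding it can test a masked value against a guess.
MASK_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed identifier formats (US SSN, and an 'MRN=' field of 6-10 digits);
# adjust to the record layouts that actually appear in your logs.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"(?<=MRN=)\d{6,10}\b"),
}

# Constructed sample: a booking service that echoed ePHI into its log.
SAMPLE_LOG = "2024-12-27T10:15:02Z appt-svc INFO booked MRN=00483921 ssn=123-45-6789 room=4B"

def _pseudo_digits(value: str, n: int) -> str:
    """Derive n decimal digits from a keyed hash of the value: the same input always
    masks to the same output (logs stay correlatable), but it cannot be reversed
    without the key."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16) % 10**n).zfill(n)

def _mask_value(value: str) -> str:
    """Replace every digit but keep the separators, so the field's shape survives."""
    fresh = iter(_pseudo_digits(value, sum(c.isdigit() for c in value)))
    return "".join(next(fresh) if c.isdigit() else c for c in value)

def mask_line(line: str) -> str:
    """Masking: swap each identifier for realistic-looking, non-identifying data."""
    for pattern in PATTERNS.values():
        line = pattern.sub(lambda m: _mask_value(m.group(0)), line)
    return line

def redact_line(line: str) -> str:
    """Redaction: remove the identifier entirely; only a marker remains."""
    for name, pattern in PATTERNS.items():
        line = pattern.sub(f"[{name.upper()} REDACTED]", line)
    return line

def looks_like_phi(line: str) -> bool:
    """True if any identifier-shaped value is still present (a scrubbing check)."""
    return any(pattern.search(line) for pattern in PATTERNS.values())

if __name__ == "__main__":
    print(mask_line(SAMPLE_LOG))    # same shape, different digits
    print(redact_line(SAMPLE_LOG))  # identifiers gone, markers left
```

Note that a masked line still trips the pattern check (the shape is intact), which is exactly why masking suits test data and analytics while redaction is the safer choice when nobody downstream needs the field at all.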
Third-Party Risk Management:
- Rigorous Agreements: Ensure strong security agreements with third-party vendors.
- Vendor Assessments: Regularly assess the security practices of your vendors.
- Access Control: Carefully manage and monitor access granted to third parties.
Employee Training and Awareness:
- HIPAA Training: Ensure employees understand what data is important and how to protect it.
- Phishing and Social Engineering Awareness: Train employees to recognize and report phishing emails, suspicious text messages, and suspicious phone calls.
- Physical Security: Remind staff to be aware of their surroundings and question unfamiliar individuals in sensitive areas.
The Bottom Line:
The proposed HIPAA Security Rule changes underscore the importance of a proactive and comprehensive approach to data security. By implementing robust technical safeguards, strengthening governance policies, managing third-party risks, and enhancing employee training, healthcare organizations can significantly reduce their risk of data breaches and maintain patient trust. Now is the time to review your current security posture and prepare for these important regulatory updates.
The proposed HIPAA Security Rule changes highlight the growing need for stronger data protection measures. PKWARE’s PK Protect data protection platform can help you enhance security, reduce risk, and ensure compliance with HIPAA and other regulatory requirements with ease.