
What’s Changing about HIPAA in 2025? And why does it matter?

Are real changes to healthcare-related cybersecurity programs coming down the pipeline? Or are the proposed rules another serving of ‘too little, too late’ for information security teams?

Rebecca Schaefer and Andrew Stahl, cybersecurity consultants with Reveal Risk, take us through the need-to-know information.  

What is HIPAA? (Nope, that’s a hippo.)

HIPAA stands for Health Insurance Portability and Accountability Act. It’s a federal law that protects patients’ health information. 

What is the Notice of Proposed Rulemaking? 

On December 27, 2024, the Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) to introduce modifications to the HIPAA Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). The NPRM was scheduled to be published in the Federal Register on January 6, 2025.

Why updates are happening with HIPAA now:  

Covered entities (since 2003) and business associates (since 2013), together referred to as “regulated entities”, have been required to comply with the HIPAA Security Rule. However, HHS is concerned that more work is needed by both HHS and regulated entities to strengthen the Security Rule’s requirements and keep them relevant.

Many of the requirements are dated with respect to modern technological capabilities. Some requirements are also misunderstood as optional because of the distinction between “required” and “addressable” implementation specifications. For example, encryption is sometimes skipped by regulated entities because it is “addressable” under the current rule. The proposed rule, however, will require encryption with only limited exceptions, as most modern industries already do.

Requirements are being updated now because (this is the TL;DR version): 

    • The number of healthcare-related breaches has grown rapidly in recent years.
    • Larger, more complex and interconnected systems have led to more frequent and sophisticated attacks (hacking, phishing, ransomware) on healthcare IT systems.
    • Despite efforts to provide resources and direction to regulated entities on the protection of PHI, HHS believes current documentation and direction are not instructive enough to help regulated entities improve compliance with the Security Rule.
    • Regulated entities’ compliance with the requirements of the Security Rule is inconsistent.
    • HHS believes the Security Rule accomplishes the goals of HIPAA generally, but would benefit from modifications that address the following:
      • Significant changes in technology
      • Changes in breach trends and cyberattacks
      • The enforcement experience of the HHS Office for Civil Rights (OCR)
      • Other guidelines, best practices, methodologies, procedures, and processes for protecting ePHI
      • Court decisions that affect the enforcement of the Security Rule

The final rule’s effective date would be 60 days after publication, though that could be delayed, as the rule is subject to approval by the new administration. We’re waiting and seeing…

So, what requirements are shifting within HIPAA?  

First, HHS will make changes to definitions and implementation specifications to reflect relevant terminology and technology. These will include:  

    • Regulated entities will be required to update policies, procedures, and other documentation to reflect changes to the Rule.
    • Regulated entities will be required to develop and maintain an accurate and comprehensive technology asset inventory and network map.
    • HHS will provide specific direction for conducting an accurate and thorough risk analysis, as this has been an ongoing issue across the healthcare industry.
    • Regulated entities will be required to establish documented procedures for contingency planning and incident response.
    • Regulated entities will be required to notify within 24 hours when an employee’s access to ePHI is terminated.
    • Group health plans will be required to have their plan sponsors document compliance with the administrative, physical, and technical safeguards of the Security Rule.
    • Enhanced security measures, including:
      • ePHI encryption in transit and at rest
      • MFA
      • Network segmentation
      • Vulnerability scanning at least every 6 months
      • Penetration testing at least every 12 months
      • Anti-malware protection
      • Removal of extraneous software from relevant information systems
      • Disabling of unused network ports
      • Separate technical controls for backup and recovery of ePHI
      • Review and testing of security control effectiveness

Why do updates to HIPAA matter? 

Gone are the days of information kept only in physical paper records. As technology and information systems become more sophisticated, interconnected and complex, so do the methods used to attack and exploit system vulnerabilities. ePHI is arguably the most valued type of data to steal on the underground market. Not to mention, access to the systems containing ePHI is often the golden ticket required for a successful ransomware attack.

As emerging technologies are being added to the healthcare space, regulated entities will need to determine if these technologies create, receive, maintain or transmit ePHI and how to secure them.  

On the horizon, organizations need to plan for: 

    • Quantum Computing: The potential ability to crack asymmetric cryptography.
    • Artificial Intelligence: Generative AI can create mass-scale attacks through phishing and social engineering. Offensive AI will also be able to learn and mutate itself with minimal chance of detection.
    • Virtual and Augmented Reality (VR and AR): These systems collect ePHI, so privacy and security need to be integrated into the teams developing them.

Technological capabilities will continue to evolve and become more sophisticated. We have entered an age where our personal data is collected at almost every turn, including PHI.  

As emerging technologies enhance processing capabilities and improve patient outcomes, the need to protect systems containing ePHI against the attack capabilities of those same technologies grows with them. It all starts with qualified experts revealing the risks associated with every area of practice where ePHI is involved.

Need to start a conversation about HIPAA requirements and assessments? We have experts ready to help! Drop us a line here: https://www.revealrisk.com/contact-us/  

At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.  

317.759.4453  
