The Department of Health and Human Services recently issued a significant proposed change to the Health Insurance Portability and Accountability Act (HIPAA) to enhance the cybersecurity of protected health information (PHI). The general policy changes are aimed at improving security specifications to better reflect the modern threat landscape, clarifying existing specifications, and making it explicit that the specifications are required by law. Indeed, many technical safeguards that were listed as “addressable” will now be required. We’ll go through each category of safeguard and give an overview of the major changes in each category.
Administrative Safeguards
The proposed changes to the administrative safeguards focus on ensuring that security processes are updated to address the modern threat environment. Key activities, including the maintenance of technology asset inventories, risk analysis and evaluation, and system activity reviews, are now full standards rather than optional specifications. Risk management, IAM, annual security awareness training, security incident response procedures, contingency planning, and annual internal compliance audits have either been introduced as standards, or the existing relevant standards have been made more rigorous.
Policies directly related to an organization’s workforce have changed as well. Policies now require tighter controls on information based on employee role, and organizations must designate a responsible individual or team to maintain and enforce security policy. Organizations must also maintain policies for sanctioning employees that violate the security policies, and those sanction policies must be reviewed annually.
Physical Safeguards
The proposed changes to physical safeguards make it clear that policies regarding the security of physical assets must be in writing. Facility access policies must now be tested on an annual basis, workstation security policies must now cover mobile devices, and policies about device and media controls now extend to all technology assets; all policies must be reviewed annually and updated if necessary.
Technical Safeguards
The proposed technical safeguards are more stringent. Technical controls for access control must now be in place; having policies alone is insufficient, and there is an emphasis on role-based access. Encryption is now a required standard: electronic protected health information (ePHI) must be encrypted and integrity checked at rest and in transit, with exceptions for individually requested access, emergencies, and medical devices with other compensating controls.
Regarding system configurations, organizations are required to set a secure baseline configuration for systems with anti-malware and other system-level technical controls, and unnecessary software must be removed. Data backup and recovery requirements now have detailed specifications for frequency, monitoring, and restoration testing, while system-level backup and recovery plans and tests have been added. Vulnerability management scanning, penetration tests, and regular patching are now mandatory. Multi-factor authentication is now required, with the exception of legacy systems that have compensating controls in place.
Finally, organizations are now explicitly required to document their technical safeguards for ePHI and to review and test those safeguards annually.
Other Safeguards
- Documentation Requirements: Written documentation is now required to be in electronic form. Documentation must be updated at least annually, and must cover all actions, activities, and assessments required by the Security Rule.
- New and Emerging Technologies:
  - Quantum Computing: Organizations are encouraged to develop a quantum-readiness roadmap outlining a plan to migrate to post-quantum cryptographic standards, and to mitigate the risk quantum computing represents for traditional asymmetric encryption.
  - Artificial Intelligence: ePHI used in AI training data, algorithm data, and the models trained on that data are fully protected by HIPAA. Any AI technology that interacts with ePHI (including models that are trained on ePHI) is subject to the same documentation, controls, and security requirements as traditional security assets.
  - VR and Augmented Reality: Sensitive and biometric data gathered by VR and AR devices are considered to be ePHI, and VR/AR devices that interact with ePHI are subject to the same documentation, controls, and security requirements as traditional security assets.
Getting Started
The proposed changes are extensive, and while they may only be required in the future, it is a good idea to start implementing them now: policy moves slower than technology, and technology moves slower than bad actors looking to leverage your patients’ data for their personal gain. Tangible can help you get a head start on complying with or exceeding the updated standards.
Our HIPAA compliance gap assessment service can evaluate your current posture against both existing HIPAA requirements and the proposed cybersecurity updates. We identify gaps, assess risks, and provide recommendations for remediation to ensure alignment with compliance requirements.
Learn More at https://tangiblesecurity.com/healthcare/