ICYMI: New Security Mandates Proposed for HIPAA

As one of the highest-profile regulatory compliance mandates in the U.S., the Healthcare Insurance Portability and Accountability Act (HIPAA) already addresses many digital and physical security needs to protect patients' healthcare data privacy. Launched nearly 30 years ago, HIPAA requires stringent security measures from healthcare providers, insurance companies, hospitals, and more. However, these requirements may soon become even more demanding if the Department of Health and Human Services (HHS) follows through on a proposal to require annual security testing, multifactor authentication (MFA), data encryption, and procedures to restore lost electronic systems and data within 72 hours as part of its standards.

The proposed changes are a direct response to increasingly aggressive cyberattacks on insurance companies and healthcare agencies, both of which store massive amounts of private and highly sensitive information—from health records to payment data and personal information such as Social Security numbers. According to the HHS, reports of large breaches at healthcare organizations jumped 102% from 2018 to 2023. Last year, four senators introduced a bipartisan bill to provide grants to offset the costs of sophisticated cybersecurity solutions and training in the healthcare industry. Within the technology sector, Microsoft has been a vocal advocate for more stringent regulatory requirements in healthcare, identifying the industry as one of the top 10 most impacted by cyberattacks in the second half of 2024.

All of this begs the question: Is your healthcare practice ready for more stringent demands?

What Should Your Cybersecurity Plan Look Like?

As with many regulatory compliance standards, HIPAA is complicated, detailed, and ever-changing, making it particularly difficult for smaller healthcare practices to navigate and comply. Here are some key elements of the proposed changes that you should consider discussing with your managed services partner:

• Require written documentation of all security policies, procedures, plans, and analyses.
• Update definitions and implementation specifications to reflect changes in technology.
• Develop and regularly revise (minimum every 12 months) a technology asset inventory and a network map showing the movement of data throughout your information systems.
• Conduct more specific risk analyses, including a written assessment with:
  • A review of the technology asset inventory and network map.
  • Identification of anticipated threats.
  • Identification of potential vulnerabilities.
  • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood of exploitation.
• Strengthen requirements for planning and responding to security incidents, such as:
  • Written procedures to restore lost electronic information systems and data within 72 hours.
  • Analysis of the criticality of electronic information systems and assets to prioritize restoration.
  • Written security incident response plans, including reporting and response procedures.
  • Regular testing and revision of security incident response plans.
• Perform compliance audits at least once every 12 months.
• Encrypt ePHI (electronic Protected Health Information) at rest and in transit.
• Implement technical controls for consistently securing electronic information systems, including:
  • Anti-malware protection.
  • Removal of extraneous software.
  • Disabling unnecessary network ports as determined by risk analysis.
  • Multi-factor authentication.
  • Vulnerability scanning every six months and penetration testing every 12 months.
  • Network segmentation.
  • Annual reviews and testing of security measures.

This list of newly proposed requirements can be daunting for smaller healthcare providers, particularly those without internal IT support or specialists. That's where a reputable, informed managed services partner like Exigent can make a significant difference. Our team can guide healthcare professionals through this gauntlet and develop a strategic roadmap to address any gaps in current cybersecurity policies, practices, and technology solutions.

Learn more about how Exigent works with healthcare providers and contact us for a consultative conversation about your specific needs and HIPAA compliance risk assessments.