HIPAA Security Rule Overhaul: What You Need to Know Now
On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a proposed, long-overdue update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Much has changed in digital healthcare since the rule’s last update in 2013. Today the healthcare industry is almost wholly reliant on technology for patient care delivery. This includes:
- Rapid expansion of healthcare IoT and connected medical devices
- The widespread use of artificial intelligence (AI) and machine learning (ML) to mine the vast medical information data lakes now generated by the industry
The updated rule takes account of widespread use of cloud and virtual technologies. It also includes provision for even newer technologies, including virtual reality and quantum computing.
HIPAA passed in 1996, at a time when few hospitals or health insurance groups had made the transition to digital records and most users considered a 28.8 kbps internet connection to be fast. WiFi, mobile devices, and 5G cellular were still distant dreams, as was the meaningful exchange of information in digital format between all those involved in treating patients. The HIPAA Security Rule in particular was considered out of date the moment it was published, although the HIPAA Privacy Rule has fared better. In 2009, the HITECH Act updated the security requirements of HIPAA Covered Entities (CEs) and Business Associates (BAs) to take into account changes in technology and some major ambiguities in the language of the original rule. A further Omnibus update took place in 2013 for similar reasons.
When Were Changes to the HIPAA Security Rule Announced?
On December 27, 2024, the HHS Office for Civil Rights (OCR) announced a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The NPRM “seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.” (You can find a complete summary of the proposed changes to the HIPAA Security Rule in the Fact Sheet on the HHS website.)
Most of the proposed changes to the HIPAA Security Rule are already being followed by larger and better-funded HIPAA CEs, although probably not by all BAs. The proposed rule spells out in a more granular format each of the “required” and “addressable” implementation specifications that CEs and BAs should already be following. However, what was previously “addressable” becomes “required” under the proposed changes.
Specific HIPAA Security Rule Change Areas of Interest
Below are some specific areas of interest related to the proposed HIPAA security rule change:
- The language of the proposed rule change removes the distinction between “Covered Entity” (CE) and “Business Associate” (BA) and instead employs the term “Regulated Entity” (RE).
- The distinction between “required” and “addressable” implementation specifications has been removed. With specific, limited exceptions, all are now requirements and must be implemented. Specific timeframes are added for meeting requirements and becoming compliant.
- Various terms in the HIPAA Security Rule such as “electronic media” have been changed to take account of the wider use of VoIP technologies, telehealth, digital messaging, cloud, and AI.
- A complete inventory of all technology assets is now required, along with a network map that illustrates the movement of ePHI throughout the Regulated Entity’s network. Both must be updated at least every 12 months and whenever a change in the environment or operations (for example, new assets joining the network) may affect ePHI.
- Each RE needs to know where all of its PHI resides on its network and in which systems, whether owned and operated by the RE or some other entity.
- Network segmentation, including between operational (clinical and medical device) networks and IT networks, is now required.
- Regular testing and a more rigorous security risk analysis are now required, including:
  - A risk analysis grounded in the technology asset inventory and network map
  - Improved identification of threats, vulnerabilities, and risks to the confidentiality, integrity, and availability (CIA) of ePHI
- Improved audit of access to PHI by users is now required.
- Improved business continuity, contingency planning, and security incident response capabilities are now required, including a requirement to be able to restore the loss of certain relevant electronic information systems and data within 72 hours.
- Multi-factor authentication is now required.
- A 24-hour notification deadline has been set: a BA must notify the CE (and a subcontractor must notify its BA) within 24 hours of activating its contingency plan.
How Proposed HIPAA Security Rule Changes Impact Hospitals
If a Regulated Entity (RE) currently fully complies with the HIPAA Security Rule (as updated by HITECH and Omnibus), then very little changes. However, today most REs are not compliant. The updated Security Rule proposal itself states that while conducting an audit of regulated entities against the current Security Rule, OCR found that “94 percent failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
This means that most REs have some work to do in order to catch up with existing Security Rule requirements, let alone the additional effort that will be required to come up to speed with the updated requirements. It also means that more effective risk assessment and analysis is required moving forward.
Rule Change Intent
The intent of this proposed rule change is to remove inconsistent application of the Security Rule across REs. In so doing, it removes the option of weighing the “reasonableness and appropriateness” of security controls against their cost, and it removes the “addressable” implementation specifications that entities have often misinterpreted as “optional.” These are now required and mandatory.
Furthermore, the rule changes introduce the need to evaluate the “effectiveness” of security controls in supporting the resiliency of the regulated entity. “Resiliency” refers to the entity’s ability to withstand and recover from adverse events. In this regard, the changes appear to recognize the vulnerability of REs to denial of service (DoS) and ransomware attacks and the need to protect against these “availability” attacks through increased resiliency.
This implies the need for much improved business continuity, disaster recovery, and security incident response capabilities so that REs can be back up and running quickly following an incident or attack. It also implies the need for more resilient technology architectures, such as N+2 designs in which a second or third copy of an application can be switched into production quickly in times of need. The protracted healthcare downtimes that have impacted the industry recently have been largely caused by single points of failure: for example, an Electronic Medical Record (EMR) or other core system encrypted by ransomware with no hot or warm standby, or the ransoming of a critical third party such as Change Healthcare.
How Hospitals Should Prepare for the Proposed HIPAA Security Rule Changes
This long-awaited update to the HIPAA Security Rule will help address the chronic imbalance between a growing number of healthcare cyber threat actors and payers and providers with weak security controls. The rule change should lead to significant improvements in security risk assessment and analysis and to speedier remediation of identified security vulnerabilities. As such, the new rules should reduce the number of successful cyber attacks, and thus help ensure that hospitals and other delivery partners are available when patients and the communities they serve need them. Furthermore, these changes will help to reduce growing patient safety concerns, including increased morbidity and mortality when hospitals are under attack.
The proposed requirements to identify and track connected healthcare IoT and medical devices, to know where data resides and moves across medical networks, and to segment operational and IT networks will be a real game changer for security. Unmanaged connected devices are widely recognized as the weakest link and are often referred to as the “open back door to healthcare security.” Medical networks and IT/IoT have changed greatly over recent years, as has our reliance upon technology to diagnose, monitor, treat, and manage patients in our largely digital healthcare system. It’s therefore vital that our security controls keep pace with these and other changes.
How Cylera Helps with HIPAA Compliance
If you need help complying with HIPAA, including complying with new HIPAA security rule changes once the final rule is issued, Cylera can help.
Cylera provides the following capabilities related to HIPAA compliance.
Asset Discovery and Inventory
Cylera’s real-time, continuous IT, healthcare IoT, and connected medical device asset discovery and inventory capabilities ensure that all healthcare IT and IoT devices are discovered and classified, including devices and systems that contain ePHI. This keeps asset records accurate, up-to-date, and complete, streamlining audit processes and preventing audit errors and compliance penalties.
Vulnerability and Risk Management
Cylera continuously monitors healthcare IoT devices for vulnerabilities and risks. Cylera also conducts regular risk assessments to identify and evaluate potential security risks to ePHI. This aligns with HIPAA requirements for ongoing risk management and helps organizations maintain a strong security posture.
For example, in terms of ePHI security, Cylera can identify if a device is sending ePHI using the following methods:
- Network Traffic Analysis: Cylera inspects and assesses the network traffic of connected devices. By analyzing granular flow and communication attributes, it can detect whether sensitive data, such as ePHI, is being transmitted, and also plot and map potential flows of ePHI.
- Device Profiling: Cylera auto-categorizes and assesses both known and unknown devices without requiring retooling. This helps in identifying devices that handle or transmit ePHI.
- Passive, Real-Time Detection: Cylera employs passive, real-time detection to identify vulnerabilities and indicators of compromise (IOCs) that could affect devices handling ePHI.
Network Segmentation and Protection
Network segmentation restricts access to the network segments where electronic protected health information (ePHI) is stored or transmitted to authorized systems and healthcare staff. This reduces the risk of data breaches and unauthorized access to sensitive patient information. Cylera helps enable network segmentation and protection in the following ways:
- Device and Network Profiling: Cylera automatically detects and profiles every connected device, gathering detailed information about their attributes and behaviors.
- Network Segmentation Policy Generation: Based on the profiles, Cylera generates network segmentation policies that define how devices should communicate within the network. These policies are designed to isolate sensitive data and critical systems, enhancing security.
- Integration with Firewall and Network Access Control Solutions: Natively, Cylera passively alerts on anomalies it detects, such as an imaging modality suddenly transmitting data to an external entity. The network segmentation policies Cylera generates can also be forwarded to popular firewall and Network Access Control (NAC) solutions via integrations, which can then actively enforce the policies and block devices that exhibit behavioral anomalies.
- Continuous Monitoring and Adjustment: Cylera continuously monitors the network and adjusts network segmentation policies it generates as needed to address new threats or changes in the network environment.
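To make the inventory, ePHI flow map and segmentation requirements above concrete (the asset inventory and network map in the rule-change list, and the traffic analysis and policy generation just described), here is an added, self-contained example. It is illustrative code written for this page, not Cylera’s software or any HHS-published method. The inventory, flow records, network ranges and the port-to-protocol table are all constructed for the example; in particular, treating a destination port as proof of ePHI is an assumption (real tooling parses DICOM and HL7 payloads rather than trusting ports).

```python
"""Asset inventory, ePHI flow map and segmentation-policy check.

Added illustrative example (not Cylera's code). All data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: address -> (asset name, device class, network segment).
INVENTORY = {
    "10.10.1.20": ("ct-scanner-01", "imaging_modality", "clinical"),
    "10.10.1.21": ("infusion-pump-07", "infusion_pump", "clinical"),
    "10.20.5.10": ("pacs-server", "pacs", "datacenter"),
    "10.20.5.11": ("emr-app-01", "emr", "datacenter"),
    "10.30.9.5": ("nurse-ws-12", "workstation", "corporate"),
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # assumed internal range

# Assumed ePHI-carrying protocols keyed by destination port.
EPHI_PORTS = {104: "DICOM", 11112: "DICOM", 2575: "HL7v2"}

# Flow record: (src_addr, dst_addr, dst_port, bytes). Constructed sample data.
BASELINE_FLOWS = [
    ("10.10.1.20", "10.20.5.10", 104, 52_000_000),   # CT -> PACS, DICOM
    ("10.10.1.21", "10.20.5.11", 2575, 4_000),       # pump -> EMR, HL7
    ("10.30.9.5", "10.20.5.11", 443, 120_000),       # workstation -> EMR
    ("10.30.9.5", "10.20.5.10", 443, 80_000),        # workstation -> PACS
]
NEW_FLOWS = [
    ("10.10.1.20", "10.20.5.10", 104, 48_000_000),   # normal
    ("10.10.1.20", "203.0.113.9", 104, 30_000_000),  # CT sending DICOM externally
    ("10.10.1.21", "10.30.9.5", 445, 2_000),         # pump -> corporate workstation
    ("10.10.1.30", "10.20.5.10", 11112, 9_000_000),  # device missing from inventory
]


def classify(addr):
    """Return (name, class, segment); unknown hosts are marked internal or external."""
    if addr in INVENTORY:
        return INVENTORY[addr]
    ip = ip_address(addr)
    if any(ip in net for net in INTERNAL_NETS):
        return (addr, "unknown_internal", "unknown")
    return (addr, "external", "internet")


def unknown_assets(flows):
    """Internal addresses seen on the wire but absent from the inventory."""
    seen = {a for src, dst, _, _ in flows for a in (src, dst)
            if classify(a)[1] == "unknown_internal"}
    return sorted(seen)


def ephi_flow_map(flows):
    """Network map of ePHI movement: (src_name, dst_name, protocol) -> bytes."""
    out = defaultdict(int)
    for src, dst, port, nbytes in flows:
        if port in EPHI_PORTS:
            out[(classify(src)[0], classify(dst)[0], EPHI_PORTS[port])] += nbytes
    return dict(out)


def build_policy(baseline_flows):
    """Allow-list per source device class: the (dst_class, port) pairs seen in baseline."""
    policy = defaultdict(set)
    for src, dst, port, _ in baseline_flows:
        policy[classify(src)[1]].add((classify(dst)[1], port))
    return dict(policy)


def check_flows(flows, policy):
    """Flows the policy does not permit, each tagged with the most specific reason."""
    violations = []
    for src, dst, port, nbytes in flows:
        s_name, s_cls, s_seg = classify(src)
        d_name, d_cls, d_seg = classify(dst)
        if (d_cls, port) in policy.get(s_cls, set()):
            continue
        if d_cls == "external" and port in EPHI_PORTS:
            reason = "ePHI protocol to external destination"
        elif s_seg == "clinical" and d_seg == "corporate":
            reason = "clinical-to-corporate crossing"
        else:
            reason = "not in baseline policy"
        violations.append({"src": s_name, "dst": d_name, "port": port,
                           "bytes": nbytes, "reason": reason})
    return violations


if __name__ == "__main__":
    policy = build_policy(BASELINE_FLOWS)
    print("unknown assets:", unknown_assets(NEW_FLOWS))
    print("ePHI flows:", ephi_flow_map(NEW_FLOWS))
    for v in check_flows(NEW_FLOWS, policy):
        print("VIOLATION", v)
```

A policy learned from observed traffic inherits whatever was already misbehaving during the learning window, so a baseline like this should be reviewed by someone who knows the clinical workflows before it is pushed to a firewall or NAC for active enforcement; a false block on an infusion pump or modality is a patient-safety event, not just a help-desk ticket.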
Audit and Compliance Reporting
Cylera consolidates all vulnerability, threat, and resolution information into an audit-ready format. This makes it easier for healthcare organizations to gather and present compliance evidence during HIPAA audits.
Next Steps
Here at Cylera, we have been helping healthcare delivery organizations secure their healthcare IT, IoT, and connected medical device assets and comply with HIPAA requirements using our innovative technologies and ML-based capabilities for much of the past decade.
Cylera serves healthcare customers across North America, Europe, and the Middle East and Africa. Contact us, and we would be happy to schedule an exploratory call with you to discuss how we can help you with your HIPAA compliance challenges.