Happy New Year. Just before the ball dropped, on 30 Dec. 2024, the U.S. Department of Health and Human Services issued a notice of proposed rulemaking to update the Security Rule under the Health Insurance Portability and Accountability Act. The proposal, which will be open for comment until early March, represents a major undertaking with significant consequences for the health care providers, insurance companies and data processors, or business associates, covered by HIPAA — and for every American.

The Security Rule was initially published in 2003 and much of it has not been touched since. Elements of it are woefully outdated. For example, as adopted over 20 years ago, the current rule says the encryption of electronic personal health information is an "addressable" implementation specification, which has been taken to mean, or in HHS's view misunderstood to mean, that it is optional.

Under the existing Security Rule, a regulated entity must assess whether encryption is a reasonable and appropriate safeguard in its environment, but the conclusion of a hospital or insurance company that it did not need to encrypt sensitive data is effectively unreviewable. The proposed rule would finally modernize that to be consistent with the widely held recognition in other sectors that encryption should be required with only limited exceptions.

Likewise, under the current rule, the adoption of procedures for guarding against, detecting and reporting malicious software and procedures for creating, changing and safeguarding passwords are "addressable." By now, any serious cybersecurity program would treat them as mandatory, which is what the proposed rule would do.

Under the proposal, regulated entities would be required to deploy technology assets and/or technical controls that protect all their technology assets against malicious software, such as viruses and ransomware. And they would be required to implement various measures related to password management, starting with a requirement to ensure employees adopt unique passwords rather than using default passwords.

Given the confusion that has surrounded the concept of "addressable" security measures, the HHS proposal would drop the concept entirely. HHS says the proposal allows plenty of flexibility: regulated entities can choose, for example, which encryption program they use, but they just can't decide to skip encryption entirely.

The proposal retains the overall structure, including administrative, physical, technical and organizational controls, and many elements, including standards, of the current rule, while providing much more detail on implementation of those elements. However, considering just the new elements in the draft shows how outdated the current rule is and how much the basket of minimum cybersecurity practices has progressed since 2003.

The current rule, for example, doesn't mention maintaining an accurate inventory and a network map of a regulated entity's electronic information systems and technology assets even as an optional measure. Tracking what is on an entity's network would be the first item required under the proposed revisions.

For the first time ever, the proposed rule would require multifactor authentication, patch management, network segmentation, limiting log-in attempts, configuration management, disabling network ports, vulnerability management and penetration testing, none of which is even mentioned in the current rule.

The proposed rule is long and detailed. HHS argues detail in this context is industry's friend. Repeatedly, HHS investigations of health care data breaches have found hospitals and other entities did not understand the requirements. HHS concluded regulated entities would benefit from greater precision and clarity about their legal obligations, removing much of the uncertainty that has contributed to the poor state of health care cybersecurity.

Taking the proposal to fruition falls to the Trump administration, which may be skeptical or even hostile. Some in the health care industry are likely to complain that the proposal would impose new costs.

In the 393-page proposal, HHS argued two considerations outweigh those concerns:

  1. Americans' health care is now dependent upon networked information systems to an unprecedented degree. Over the last 20-plus years, the industry has undergone a dramatic transformation, shifting from one that generally relied upon paper records and siloed devices to one of internet-connected machines and information systems that maintain and exchange patient records, conduct research, run health care provider facility management systems and provide patient care.
  2. Health care has become a prime target of increasingly aggressive attackers, evidenced by a 100% increase in the number of breaches of unsecured PHI reported to HHS just between 2018 and 2023, a 950% increase in the number of individuals affected by such breaches and a 264% increase in the number of ransomware attacks against health care entities. Remarkable fact: On the dark web, stolen medical data sells for many times more than credit card data. See footnote 207 in the NPRM.

Adopting the first HIPAA Security Rule took six and a half years, largely due to industry opposition. It remains to be seen whether the new administration can be more effective in moving to protect Americans' health data.

Jim Dempsey is the managing director for the IAPP Cybersecurity Law Center.