Proposed HIPAA amendments will close healthcare security gaps
Changes to the healthcare privacy regulation, including technical controls for network segmentation, multifactor authentication, and encryption, would strengthen cybersecurity protections for electronic health information and address evolving threats against healthcare entities.
January 23, 2025
The US Department of Health and Human Services (HHS) is planning a massive overhaul of the Health Insurance Portability and Accountability Act (HIPAA) security rule to strengthen baseline cybersecurity requirements for protecting electronic protected health information (PHI). The proposed amendments, which will be published in the Federal Register on Jan. 6, would require healthcare organizations and other covered entities to implement security controls, such as multifactor authentication (MFA) and enhanced encryption requirements.
The proposal describes the most substantive changes to HIPAA to date. The security rule was last revised in 2013. The threat landscape is different now than it was over a decade ago, and breaches against healthcare organizations have increased by 102% between 2018 and 2023, the HHS Office for Civil Rights said in a statement. In 2023, over 167 million people had their health information compromised, a 1,002% increase from 2018.
Proposed Changes to HIPAA
The amendments will apply to health plans, healthcare clearinghouses, health providers, healthcare facilities, insurance companies, and business associates.
Everything in writing: All policies, procedures, plans, and analyses will need to be in writing. This also applies to developing stronger incident response procedures, such as having documented incident response plans and testing plans, as well as written procedures to be able to restore information systems and data within 72 hours.
Asset inventory: Healthcare organizations will need to develop and regularly maintain an up-to-date technology asset inventory and network map to track the movement of PHI through the various systems.
To read the complete article, visit Dark Reading.