HIPAA Security Rule 2.0
Published On January 16, 2025
by Nadia Fahim Koster
Upcoming HIPAA Security Rule Changes
On January 6, 2025, the U.S. Department of Health and Human Services (HHS) quietly published in the Federal Register the much-anticipated HIPAA Security Rule Notice of Proposed Rulemaking (NPRM), titled "HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information" and affectionately referred to as HIPAA Security 2.0.
The 400-page document is packed with extensive proposed changes that are sure to make CISOs at regulated entities take notice. While these updates are long overdue, they bring both opportunities and challenges for organizations subject to HIPAA.
Key Highlights of the Proposed HIPAA Changes
The NPRM proposes several notable changes aimed at strengthening the security posture of regulated entities. For a high-level overview, read the fact sheet available on the HHS website.
- Termination of Employee Access: The proposed rule includes a requirement to terminate an employee’s access within one hour of termination, a challenging but necessary step to mitigate insider threats.
- Establishing Audit and Refresh Frequencies: A specific frequency for security audits and updates is being proposed, ensuring organizations remain proactive in their cybersecurity efforts.
- Eliminating Addressable Requirements: The distinction between “Addressable” and “Required” will be removed so all requirements, such as encryption, will become mandatory. Making all specifications mandatory reduces ambiguity and enforces stronger security measures.
- Mandatory Multi-Factor Authentication (MFA): MFA will be required, adding a critical layer of security to safeguard sensitive data.
- Asset Inventory and Network Mapping: Organizations will need to maintain a comprehensive inventory of assets and an up-to-date network map, improving visibility and control over ePHI as it moves throughout electronic information systems.
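Of the items above, the one-hour access termination window is the easiest to measure and the one most organizations will find they are not meeting today. The following is an added example, not code from the blog post or from Meditology: it reconciles a constructed HR termination feed against a constructed identity-provider account snapshot and reports, per departed user, whether the account was disabled within the one-hour window, disabled late, still active, or absent from the IdP altogether (which needs manual review, since it could mean the account was deleted or was never linked to the HR record). Field names, timestamps and the `SNAPSHOT_TIME` constant are assumptions for the example; a real run would pull these records from your HR system and IdP APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data for this example (not from the blog post).
# HR feed: when each workforce member's employment ended, ISO 8601 UTC.
HR_TERMINATIONS = [
    {"user": "jdoe",    "terminated_at": "2025-01-10T14:00:00Z"},
    {"user": "asmith",  "terminated_at": "2025-01-10T15:30:00Z"},
    {"user": "bnguyen", "terminated_at": "2025-01-10T16:00:00Z"},
    {"user": "clee",    "terminated_at": "2025-01-10T17:00:00Z"},
]

# IdP snapshot: account status and, if disabled, when that happened.
# "clee" is deliberately missing to show the unknown case.
IDP_ACCOUNTS = [
    {"user": "jdoe",    "status": "DISABLED", "disabled_at": "2025-01-10T14:20:00Z"},
    {"user": "asmith",  "status": "DISABLED", "disabled_at": "2025-01-10T17:05:00Z"},
    {"user": "bnguyen", "status": "ACTIVE",   "disabled_at": None},
]

# Time the IdP snapshot was taken (assumed); used to measure still-active accounts.
SNAPSHOT_TIME = "2025-01-10T18:00:00Z"

# The proposed rule's window: access terminated within one hour.
MAX_DELAY = timedelta(hours=1)


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Finding:
    user: str
    outcome: str                    # within_sla | late | still_active | not_in_idp
    delay_minutes: Optional[float]  # None when the account could not be found


def check_offboarding(terminations, accounts, now: datetime,
                      max_delay: timedelta = MAX_DELAY):
    """Compare each HR termination with the IdP account state and classify it."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for t in terminations:
        term_at = parse_ts(t["terminated_at"])
        acct = by_user.get(t["user"])
        if acct is None:
            # Cannot prove access was removed; route to a human for review.
            findings.append(Finding(t["user"], "not_in_idp", None))
            continue
        if acct["status"] != "DISABLED" or not acct["disabled_at"]:
            # Account is still enabled: the delay is open-ended, measured to 'now'.
            delay = now - term_at
            findings.append(Finding(t["user"], "still_active",
                                    delay / timedelta(minutes=1)))
            continue
        delay = parse_ts(acct["disabled_at"]) - term_at
        outcome = "within_sla" if delay <= max_delay else "late"
        findings.append(Finding(t["user"], outcome, delay / timedelta(minutes=1)))
    return findings


def violations(findings):
    """Everything that is not a clean, on-time disable needs follow-up."""
    return [f for f in findings if f.outcome != "within_sla"]


def run_sample():
    """Run the check over the constructed data above."""
    return check_offboarding(HR_TERMINATIONS, IDP_ACCOUNTS, parse_ts(SNAPSHOT_TIME))


if __name__ == "__main__":
    for f in run_sample():
        delay = "n/a" if f.delay_minutes is None else f"{f.delay_minutes:.0f} min"
        print(f"{f.user:8} {f.outcome:13} {delay}")
```

Run this on a rolling basis (for example hourly, against the last 24 hours of terminations) and you get both the evidence an auditor will ask for and an early warning when an offboarding workflow stalls. The "still_active" and "not_in_idp" outcomes are the ones to alert on immediately; "late" findings are what feed the gap analysis and the conversation with HR and IT about where the hour is being lost.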
HIPAA 2.0 Challenges and Concerns
While these proposed updates are commendable, certain aspects may pose compliance challenges:
- Operational Feasibility: Terminating access within one hour of an employee’s departure could be logistically challenging for many organizations, especially those with complex access management systems.
- Resource Constraints: Smaller organizations might struggle to implement and maintain the proposed requirements, such as continuous asset inventory updates or regular security audits.
- Adaptation Time: The transition to mandatory encryption and MFA may require significant investment in technology and training.
Preparing for HIPAA Security 2.0: A Suggested Approach
To ensure readiness for these proposed HIPAA changes, CISOs and cybersecurity professionals should consider the following steps:
- Engage with the Rulemaking Process: Participate in public comment opportunities before March 7, 2025, to share feedback on the NPRM and help shape the final rule. Go to https://www.regulations.gov/ and search for Docket ID number HHS-OCR-0945-AA22.
- Conduct a Gap Analysis: Assess your organization’s current security posture against the proposed requirements to identify areas needing improvement. This is also a good time to refresh your Security Risk Assessment.
- Build a Comprehensive Asset Inventory and Network Map: Develop a real-time asset inventory and network map to improve ePHI visibility and support compliance.
- Educate Leadership and Executive Teams: Provide an overview to key stakeholders on the proposed changes and their implications and impact to your organization (financials and resources).
Looking Ahead
While the proposed changes to the HIPAA Security Rule are extensive, they are a necessary step toward modernizing healthcare cybersecurity standards. Organizations should begin preparing now to ensure a smoother transition when the final rule is published. By taking proactive steps, regulated entities can achieve compliance while strengthening their overall security posture, better protecting the sensitive health information with which they are entrusted.
Conclusion
In this rapidly evolving cybersecurity landscape, where threats are becoming increasingly sophisticated, Meditology offers comprehensive solutions tailored to meet the unique needs of the healthcare sector. Meditology helps healthcare providers navigate the intricate labyrinth of HIPAA regulations and adopt practices that shield patient data from malicious actors. By partnering with Meditology, healthcare organizations can confidently face the future—prepared, resilient, and armed against the ever-present cyber threats looming on the horizon.
Are you ready to evaluate and elevate your security posture? Contact Us.
About the Author
NADIA FAHIM-KOSTER | EXECUTIVE VICE PRESIDENT AND GENERAL MANAGER
Nadia is an industry thought leader and expert in the development, management, and implementation of healthcare privacy and cybersecurity programs. With over 25 years of operational experience, she has served as a Chief Information Security Officer and Chief Privacy Officer for large regional healthcare providers and conducted hundreds of Security and Privacy Risk Assessments for her clients. Nadia possesses extensive expertise in collaborating with the Office for Civil Rights (OCR), the Office of Inspector General (OIG), and the Centers for Medicare & Medicaid Services (CMS) on HIPAA regulatory matters. She has successfully guided organizations through OCR investigations and assisted in the implementation of Resolution Agreements.
As a sought-after consultant and presenter, Nadia offers valuable insights on privacy, cybersecurity, and risk management programs, providing a rich and relevant perspective for all key stakeholders in healthcare.