Making sense of the new HIPAA Security Rule

In a previous article, we discussed a pair of U.S. Senate bills that are quickly moving through Congress and that will have profound impacts on healthcare providers’ cyber regulatory requirements. Since then, we’ve seen numerous announcements from agencies that clarify the direction in which Washington is taking the industry but that, at the same time, blur some of the lines. 

Here, we introduce you to the most significant of those announcements—the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. We’ll also share our thoughts about what it means for healthcare providers and how you can prepare and even engage with us to try to influence the final regulations. 

HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information 

Regarding the implementation of cybersecurity best practices at the organizations they regulate, the U.S. Department of Health and Human Services has come to the same conclusion that the Department of Defense came to several years ago: that optional or recommended best practices will, at best, be haphazardly implemented or, at worst, not at all. So, it is no surprise that, like DoD, HHS is following suit and requiring that its cyber control practices be mandatory for participation in the programs it regulates.  

On Dec. 27, 2024, HHS announced the intention to move in the direction of mandatory participation with the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, and it opened public comments on Jan. 6. (For the full fact sheet from HHS click here. 

(For the complete text of the proposed rule click here.) 

What the proposed rule does 

The number of details included in the new rule precludes listing them all here. The following are those that are the most significant, with many guaranteed to add costs to your IT budget: 

• Definition standardization. The rule aims to clear up, modernize, and standardize the many definitions used in previous HIPAA rules and updates. Because HIPPA is close to 30 years old and has gone through several major updates, it is no wonder that many of the technical definitions are no longer in concert. Aligning all the definitions not only with each other but with current technology industry terminology is a welcome relief for all of us who have to read and comply with these rules. 
• Mandatory compliance. Past updates to the HIPAA rules, and various advisory documents from HHS, called out cyber controls and practices. As indicated above, however, these practices were either actually optional, or they carried such a vast number of exclusions that they were, in effect, optional. The new rule makes all the controls mandatory with very few exclusions. And those exclusions will come with significant documentation and reporting requirements. 
• System security plan and annual risk analysis. Healthcare providers will be required to have a written and annually updated system security plan. This will likely not be a nominal exercise, as it will require descriptions of how every single practice is assured for every single IT asset that holds, processes, or transfers ePHI. Along those same lines, healthcare providers will need to conduct an annual risk analysis with every identified risk analyzed against the security plan.   
• Annual independent assessment. Both the security plan and risk analysis will be required to be audited by a third party.  Additionally, each control failure in the assessment will need to be documented in an action plan along with each risk that rises above a defined level.   
• New breach processes. The breach notification time frame will be shortened from 72 to 24 hours. In addition, healthcare providers will be required to have “written procedures to restore loss of the covered entity’s or business associate’s critical relevant electronic information systems and data within 72 hours of the loss,” according to the proposed rule.  A validated annual test of this recovery ability will be a required part of the annual assessment. 

 
What the proposed rule doesn’t do 

Despite all the details, there is one thing the rule doesn’t do: call out enforcement mechanisms. This needs to be done by Congress and is currently underway via the two Senate bills discussed above and here. 

Analysis and opinion 

Overall, we consider this a positive move by HHS, primarily because it will bring clarity to what had been a relatively vague set of requirements. Once the details of this rule are finalized, there should be very few questions as to what an organization will need to do in the face of a breach to steer clear of the double jeopardy nature of a government fine along with the cost of the breach itself. 

On the other hand, compliance will be expensive. Given the complexity of healthcare IT systems and the relative lack of complexity of network environments, the cost to properly implement many of the practices will be significant. Network segmentation, for example, may require the re-architecting and implementation of large sections of corporate clinical networks. There are also new processes with major documentation and maintenance activities that will add to compliance costs. 

Given the unlikeliness that IT budgets will rise to fully cover the costs of implementing the requirements, organizations will find that much stronger IT governance practices are needed. For the first time since the Meaningful Use program, clinical applications may need to start taking an expenditure back seat to shoring up cyber defenses. This is not good news, and we hardly advocate for it. However, the downsides of noncompliance, including a continually rising risk of breach, means it is a step that must be taken. 

So far, between the legislation and rule declaration, there has been no discussion about how the mandatory assessments will work, including how they are to be performed, how they will be scored, and what the thresholds are for passing and failing. HHS has a couple of models that work well with the other agencies, so we hope that a solution is forthcoming to help us all prepare. 

One of the issues facing organizations in evaluating their cyber defenses for HIPAA specifically, but with the National Institute of Standards and Technology controls more generally, is that each of the government agencies defines their own practices outside of the NIST framework. Even though the controls are very similar to their NIST 800-53 counterparts, they aren’t the same, which leads to confusion and cost. We will continue to advocate that the agencies move their practice control definitions to the NIST standards. 

What you can do to prepare 

Given that so many of the details required to put an effective compliance program in place are still up in the air with this rule and the Senate bills, a definitive plan for what to do will not be available for some time. That said, we offer these suggestions for CEOs, CFOs, and boards of directors: 

• Invest in your IT governance. Given the industrywide rate of IT projects that are started up and subsequently shut down without completion, it is not a stretch to say that the governance processes in place at most organizations, if any, are not effective. Ineffective governance represents a large hidden cost that can be eradicated by moving to a more effective governance process, which may even help pay for these new programs. 
• Elevate cybersecurity in management discussions. One thing is clear in all these new regulatory positions: The federal government will be holding healthcare provider C-suite executives and boards accountable for not only these practices, but also the expected outcomes. It will be important for these groups to not only understand their organizations’ cyber position, but to review it regularly. This will require organizations to create standard reporting and verification methods and allocate time to them. 
• IT asset inventory. Historically, for many reasons, IT inventories, including biomed devices that contain PHI, are nowhere near as accurate as seemed. They are not nearly accurate enough for any cyber controls to be effective. Getting control of IT inventories is a difficult task, therefore it’s something that should be started as soon as possible. 
• Effectiveness of outcomes. Studies of healthcare IT have repeatedly shown that the frequency of breaches in healthcare is driven by two things: 1) the sheer complexity of the modern hospital IT enterprise and 2) the IT team’s tendency to under-implement the tools they purchase (and then they purchase more tools), which leads to a higher expense for an underperforming environment. Given what we know about this new rule, an environment as described will not pass a compliance audit. It will be important for CEOs and CFOs to work with their IT teams to understand the position of their cyber tools and processes and convince them to rethink and reimplement their strategy if needed.  
• Technology budget review. The time to start to understand the costs of complying with this rule and to consider how it may fit into the existing IT operating and capital budgets is right now. Being proactive is paramount. 

The Kodiak team are not only your healthcare experts, but we have decades of experience with these controls and with implementing cyber defenses. We can help answer any of your questions on the above analysis and the new rule and what its likely landing point will be.