What the HIPAA rulemaking notice means for you

Over the past decade, cybersecurity breaches have skyrocketed, particularly in healthcare. The attack on Change Healthcare was a major wake-up call, prompting, among other reforms, the Notice of Proposed Rulemaking (NPRM) from HHS in December 2024, designed to strengthen cybersecurity requirements.

This follows the HHS Cybersecurity Performance Goals (CPGs) introduced in 2023, signaling a push for stricter security measures across the industry.

Despite the HITECH Act being signed more than 15 years ago, HIPAA hasn't kept pace with modern cyber threats, experts say. The NPRM aims to eliminate ambiguity in the original Security Rule and reinforce essential safeguards.

Key proposed changes include:

  • Making all security requirements mandatory by eliminating "addressable" standards.

  • Requiring comprehensive asset and technology management programs, including documented network diagrams, data transmission maps for ePHI, annual penetration testing and biannual vulnerability scanning.

  • Formalizing security and risk management programs with structured policies, accurate self-assessments and documented risk registers.

  • Enhancing incident response and disaster recovery with a 72-hour restoration requirement for critical services.

  • Strengthening access governance controls to ensure timely workforce access updates.

  • Mandating encryption, multi-factor authentication and anti-malware protections to safeguard sensitive data.

For organizations still struggling with asset management and budget constraints, these updates could be a heavy lift. The NPRM is anticipated to move through Congress by mid-2025. However, with ongoing leadership changes and an executive order pausing new regulations, it's uncertain whether these updates will take effect in 2025 or be pushed to 2026.

Either way, the message is clear: healthcare organizations need to strengthen their cybersecurity posture before they become the next breach headline.

Scott Mattila is CISO and COO of Intraprise Health, a Health Catalyst company and a healthcare compliance and cybersecurity organization. We sat down with him to get his expert views on proactive measures critical to reducing cyber risks, steps hospitals and health systems can take to prepare now, keys to complying with crucial mandates, and the impact of direct liability on business associates.

Q. Why are prescriptive, proactive measures critical to reducing cyber risks in healthcare?

A. Prescriptive, proactive measures are essential to reducing cyber risks in healthcare, as they eliminate ambiguity and ensure organizations implement the necessary controls to protect protected health information. Historically, the open-ended nature of HIPAA regulations has led organizations to interpret requirements subjectively rather than adopting the technical safeguards needed for robust security.

By leveraging frameworks such as HITRUST and NIST, organizations gain clear expectations for achieving security maturity and resilience, minimizing the likelihood of cyber threats. As a colleague often says, "It's akin to maintaining good health – exercising, eating vegetables and taking vitamins; in cybersecurity, we must plan and act for the future."

The healthcare community has recognized the persistent cyber threats in the industry, with the Cybersecurity Performance Goals (CPGs) signaling the inevitability of future legislation – even for some initially hesitant to acknowledge it. While the threat landscape continues to evolve, implementing basic prescriptive technical controls remains critical.

The NPRM has outlined these measures to help organizations anticipate challenges and mitigate the risk of major cybersecurity incidents.

Q. What are some steps for hospitals and health systems to prepare now?

A. With proposed security regulations on the horizon, hospitals and health systems should start preparing by identifying vulnerabilities and prioritizing mitigation efforts. The first step is engaging leadership and key stakeholders to ensure everyone is aligned on upcoming changes and compliance strategies.

A gap analysis is also essential – whether conducted internally or with a specialized security vendor – to assess risks and determine where the most significant improvements are needed. Quick wins, like strengthening access controls and improving governance, should be tackled first, while larger initiatives like network segmentation and asset management should be planned with milestones.

It's also important to be realistic – not everything can be done at once. A phased approach that balances immediate improvements with long-term security goals will be the most effective. Organizations should also evaluate their current security tools and technology stack to identify options for consolidation or more integrated solutions.

Finally, strong vendor partnerships are key. Working with trusted vendors that understand the evolving regulatory landscape can make compliance and security efforts more effective.

Q. What are keys to complying with crucial mandates, such as encryption, multi-factor authentication and vulnerability management?

A. Compliance with critical mandates should begin with identifying your organization's most vulnerable areas, prioritizing risks and assembling a cross-functional team to address them. Whether it's updating policies, introducing new procedures or deploying security tools, the focus should be on both meeting requirements and strengthening overall resilience.

The NPRM isn't just about checking compliance boxes – it emphasizes prescriptive measures designed to protect against an increasingly complex and evolving threat landscape.

A proactive, well-structured approach ensures that encryption, multi-factor authentication and vulnerability management are not merely regulatory obligations but essential safeguards for security.

Q. What is the impact of direct liability on business associates, and what does this mean for compliance partnerships?

A. The proposed rule significantly increases accountability for business associates, removing the distinction between mandatory and addressable requirements. Essentially, they're now considered direct extensions of covered entities, which means greater responsibility – and liability – when it comes to protecting patient information.

One major change is the expanded definition of a business associate, now including more subcontractors handling PHI. This means covered entities will step up oversight, introducing stricter third-party risk management and conducting more frequent security reviews.

Business associates must also notify covered entities of any PHI breaches within 24 hours and will now face direct enforcement actions if they fail to comply with the HIPAA Security Rule.

For business associates, this shift makes compliance more critical than ever. They need to align with covered entities on security expectations, strengthen internal controls and take a proactive role in ensuring HIPAA compliance to avoid regulatory penalties.

Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.
