On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The goal is to fortify cybersecurity defenses that protect electronic health information (ePHI). This proposed update represents a proactive approach to safeguarding sensitive health information in an era of escalating cyber threats.

The proposed amendments highlight several critical measures to bolster ePHI protection. Some of these rules are process-oriented, and several are technical. Incorporating these proposed changes into the procurement process will help organizations prepare for the changes when they go into effect. Here is a selection specifically pertinent to medical devices.
The proposed rule requires regulated entities to develop and continually update a comprehensive technology asset inventory. This inventory will document all technological assets involved in handling ePHI, including medical devices, which generate significant ePHI. The inventory must be updated at least annually and whenever significant changes occur within the entity’s operational environment. Additionally, regulated entities must create and maintain a detailed network map. This map should illustrate the flow and security of ePHI across their electronic information systems. The aim is to provide a clear visualization of ePHI movement, facilitating better security oversight and risk management. HTM staff can work with technology vendors and network architects to begin this process before the new rule takes effect. Network maps for medical device systems should include access points, gateways, interfaces, and clinical applications so that dependencies, and the possible impact of data flow interruptions, are understood.
The updated technology asset inventory and network map support the more thorough and explicit risk analysis process called for in the proposed modifications. Ask medical device manufacturers to provide a high-level threat assessment, including all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI. The procurement process should also include requests for a Software Bill of Materials (SBOM), a list of known vulnerabilities, and the controls and configuration practices needed to maintain the device or system’s cyber-resilience. The proposed changes require evaluating the risk level for each identified threat and vulnerability, considering the likelihood of exploitation. This enhanced risk analysis will give healthcare organizations a better understanding of how threats and vulnerabilities may impact patient safety, the ability to deliver care, and the risk to patients and to the organization’s sensitive data. By mandating these detailed assessments, the proposed rule aims to ensure that entities are fully aware of and prepared to mitigate potential cyber risks targeting ePHI. HTM staff must play an active role in supporting this effort.
The new requirements emphasize detailed contingency planning, especially for security incidents. Detecting cyber incidents in medical technologies is difficult. Regulated entities must establish written procedures for restoring lost data and systems within 72 hours. This aligns with Medicare requirements to restore the ability to electronically transmit Medicare claims within 72 hours. HTM staff should consider how a cyber incident may disable medical technologies and plan for the restoration of services just as they do for physical failures. Furthermore, working with clinical and IT staff, they should analyze the criticality of their technological assets and prioritize their restoration accordingly. The proposed rule mandates that entities develop comprehensive response plans, detailing how workforce members report and respond to suspected security incidents. Entities must also implement written procedures for regularly testing and revising these response plans.
The proposed rule calls for implementing technical controls to ensure the consistent configuration of electronic information systems, including medical devices and other operational technologies that manage ePHI. This includes deploying antimalware protection so that systems are shielded against malicious threats; removing extraneous software so that unneeded software does not create security vulnerabilities; disabling unnecessary network ports to minimize the attack surface; and implementing network segmentation to confine potential breaches and limit their impact. With limited exceptions, MFA is required to access ePHI. To ensure the robust protection of ePHI, the proposed amendments also require encryption of ePHI both at rest and in transit, with limited exceptions. This measure seeks to minimize unauthorized access and ensure the confidentiality of sensitive health information. The exceptions for medical devices are based on the submission timing and FDA authorization for marketing.
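The network map described earlier (devices, gateways, interfaces, and clinical applications, with the ePHI flows between them) is what lets an organization answer the two questions this rule keeps returning to: which clinical applications lose a device's ePHI feed if a gateway or interface engine fails, and where ePHI is stored or transmitted without encryption. The following is an added example, not code from the article or from any vendor, that models such a map as a small directed graph and answers both questions. Every asset name, flow, and attribute in it is constructed for illustration; a real inventory would be loaded from the organization's own asset records.

```python
"""Model a medical-device network map as a graph of ePHI flows and query it for
dependency impact and encryption gaps. All assets and flows below are constructed
sample data, not a real hospital network."""

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                       # "device", "gateway", "interface" or "application"
    stores_ephi: bool = False
    encrypted_at_rest: bool = False


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    carries_ephi: bool = True
    encrypted_in_transit: bool = False


class NetworkMap:
    """Directed graph: nodes are inventoried assets, edges are ePHI flows between them."""

    def __init__(self, assets, flows):
        self.assets = {a.name: a for a in assets}
        for f in flows:  # every flow endpoint must exist in the asset inventory
            if f.src not in self.assets or f.dst not in self.assets:
                raise ValueError(f"flow {f.src}->{f.dst} references an uninventoried asset")
        self.flows = list(flows)

    def _reachable(self, start, failed=frozenset()):
        """Assets reachable from `start` along ePHI flows, treating `failed` assets as down."""
        seen, queue = {start}, deque([start])
        while queue:
            node = queue.popleft()
            for f in self.flows:
                if f.src == node and f.carries_ephi and f.dst not in failed and f.dst not in seen:
                    seen.add(f.dst)
                    queue.append(f.dst)
        return seen

    def feeds(self, failed=frozenset()):
        """(device, application) pairs where the application still receives the device's ePHI."""
        pairs = set()
        for dev in self.assets.values():
            if dev.kind != "device" or dev.name in failed:
                continue
            for name in self._reachable(dev.name, failed):
                if self.assets[name].kind == "application":
                    pairs.add((dev.name, name))
        return pairs

    def impacted_feeds(self, failed_asset):
        """Device-to-application ePHI feeds that are lost when `failed_asset` is unavailable."""
        return sorted(self.feeds() - self.feeds(frozenset({failed_asset})))

    def encryption_gaps(self):
        """ePHI stored or transmitted without encryption (the at-rest / in-transit requirement)."""
        gaps = [f"at rest: {a.name}" for a in self.assets.values()
                if a.stores_ephi and not a.encrypted_at_rest]
        gaps += [f"in transit: {f.src}->{f.dst}" for f in self.flows
                 if f.carries_ephi and not f.encrypted_in_transit]
        return gaps


# Constructed sample map: two bedside devices, two gateways, one integration engine,
# and two clinical applications. Names and settings are illustrative only.
SAMPLE_MAP = NetworkMap(
    assets=[
        Asset("infusion_pump", "device"),
        Asset("patient_monitor", "device"),
        Asset("pump_gateway", "gateway"),
        Asset("monitor_server", "gateway", stores_ephi=True, encrypted_at_rest=False),
        Asset("integration_engine", "interface"),
        Asset("ehr", "application", stores_ephi=True, encrypted_at_rest=True),
        Asset("central_station", "application"),
    ],
    flows=[
        Flow("infusion_pump", "pump_gateway", encrypted_in_transit=False),
        Flow("pump_gateway", "integration_engine", encrypted_in_transit=True),
        Flow("patient_monitor", "monitor_server", encrypted_in_transit=True),
        Flow("monitor_server", "integration_engine", encrypted_in_transit=True),
        Flow("monitor_server", "central_station", encrypted_in_transit=True),
        Flow("integration_engine", "ehr", encrypted_in_transit=True),
    ],
)

if __name__ == "__main__":
    for asset in ("pump_gateway", "integration_engine", "monitor_server"):
        print(f"{asset} failure would cut: {SAMPLE_MAP.impacted_feeds(asset)}")
    print("encryption gaps:", SAMPLE_MAP.encryption_gaps())
```

Running the script shows that a failure of the shared integration engine cuts both devices' feeds to the EHR while the monitor's path to the central station survives, which is exactly the kind of restoration-priority input the contingency-planning section asks HTM staff to produce. The encryption check flags the unencrypted pump-to-gateway link and the gateway that caches ePHI in the clear; whether those fall under the rule's medical-device exceptions is a question for the device's FDA submission record, not for the script.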
Considering these proposed changes, strengthening cybersecurity protections for medical devices requires active collaboration with clinical staff. Clinicians are often the primary users of these devices and play a pivotal role in identifying potential risks to patients and impacts on care delivery. It is paramount to involve clinicians as active collaborators. Their direct experience with medical devices allows them to provide valuable insights into clinical needs and workflows. When clinicians participate in risk assessments and incident response planning, they help ensure that security measures align with practical, on-the-ground realities.
Equipping clinicians with cybersecurity knowledge is crucial. By understanding the basics of cybersecurity, clinicians can better recognize potential threats and take proactive steps to mitigate risks. Additionally, educating their colleagues about incident response protocols ensures the healthcare team is prepared to respond swiftly and effectively to security incidents.
The proposed changes to the HIPAA Security Rule by the OCR mark a significant stride towards enhancing the cybersecurity defenses for ePHI. The proposed changes have many touchpoints with medical devices and other operational technologies. By implementing comprehensive risk assessments, robust incident response plans, and stringent encryption measures, HTM staff can become valuable partners in safeguarding patients and healthcare organizations from cyber threats.

