By Phil Englert
On December 27, 2024, the Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) to solicit comments on its proposal to modify the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
The proposed modifications would revise existing standards to better protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The current administration has yet to clarify its position and will ultimately decide whether to advance these changes.
HIPAA was introduced in 1996 to protect healthcare information. The rise of Accountable Care incentivized healthcare providers to demonstrate improved outcomes, which required extensive data collection. This, combined with the improved efficiencies and economies of computing power, produced massive volumes of data. Pace University estimates that the average hospital generates about 50 petabytes of data encompassing clinical notes, lab test results, medical images, sensor readings, genomics data, and operational and financial records. Science Direct claims this represents about 30% of the world’s data volume. Among other things, the HITECH Act of 2009 added the Breach Notification Rule and stricter enforcement, including fines and penalties for non-compliance. The electronic world has changed significantly over the past 14 years.
The proposed changes span over 400 pages and include several updates that will impact medical devices. Three key components are the Technology Asset Inventory, the Network Map, and enhanced risk analysis requirements.
Healthcare organizations must maintain a detailed list of all technology assets that handle ePHI, including hardware, software, and other devices that store, process, or transmit ePHI. The inventory must be updated at least once every 12 months, and whenever environmental or operational changes could affect ePHI. This combined asset inventory may include medical devices, IT technology, interfaces, and applications. Creating and maintaining it will require multiple stakeholders and the ability to correlate disparate asset management systems, such as the clinical engineering CMMS and the IT CMDB, which typically track the same device under different identifiers.
The Network Map complements the asset inventory by visually representing how ePHI moves through an organization’s electronic information systems. It illustrates the flow of data, identifying where ePHI is stored, processed, and transmitted. Monitoring and tracking data flows will be essential to recognizing and managing new asset connections. This map must also be updated regularly and in response to any changes that could impact the security of ePHI.
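The inventory and map work described above is easier to see in code. The following is an added example, not from the article or from any vendor tool: it joins a constructed CMMS export (clinical engineering) with a constructed CMDB export (IT) on MAC address, which is assumed here to be the shared key, reports the gaps a reviewer must close (devices known to only one system, records past the 12-month review window), then derives the ePHI flow map from constructed flow records and diffs it against the last approved map to surface new connections.

```python
"""Added example: reconcile CMMS and CMDB exports into one ePHI asset
inventory and derive an ePHI network map with change detection.
All records are constructed for illustration."""
from datetime import date, timedelta

# Constructed CMMS rows (biomedical devices, keyed by serial number).
CMMS = [
    {"serial": "IP-1001", "model": "Infusion pump", "mac": "00:1a:2b:00:00:01", "ephi": True},
    {"serial": "PM-2001", "model": "Patient monitor", "mac": "00:1a:2b:00:00:02", "ephi": True},
    {"serial": "US-3001", "model": "Ultrasound", "mac": "00:1a:2b:00:00:03", "ephi": True},
]
# Constructed CMDB rows (IT-managed assets, keyed by hostname).
CMDB = [
    {"host": "pump-01", "mac": "00:1a:2b:00:00:01", "owner": "biomed", "last_reviewed": "2024-01-15"},
    {"host": "mon-01", "mac": "00:1a:2b:00:00:02", "owner": "biomed", "last_reviewed": "2025-02-01"},
    {"host": "pacs-01", "mac": "00:1a:2b:00:00:10", "owner": "it", "last_reviewed": "2025-02-01"},
]
TODAY = date(2025, 3, 1)  # constructed review date

def reconcile(cmms, cmdb, today, max_age_days=365):
    """Join CMMS and CMDB on MAC address (assumed common key).
    Returns (inventory, only_in_cmms, only_in_cmdb, stale_reviews)."""
    by_mac = {r["mac"]: r for r in cmdb}
    inventory, only_cmms, stale, seen = [], [], [], set()
    for dev in cmms:
        it = by_mac.get(dev["mac"])
        if it is None:                      # device IT has never seen
            only_cmms.append(dev["serial"])
            continue
        seen.add(dev["mac"])
        reviewed = date.fromisoformat(it["last_reviewed"])
        if today - reviewed > timedelta(days=max_age_days):
            stale.append(it["host"])        # outside the 12-month window
        inventory.append({"host": it["host"], "serial": dev["serial"],
                          "model": dev["model"], "mac": dev["mac"], "ephi": dev["ephi"]})
    only_cmdb = [r["host"] for r in cmdb if r["mac"] not in seen]
    return inventory, only_cmms, only_cmdb, stale

# Constructed flow records (src host, dst host, dst port), e.g. from NetFlow.
OBSERVED = [
    ("pump-01", "emr-app", 443),
    ("mon-01", "central-station", 2575),   # HL7 over MLLP
    ("mon-01", "central-station", 2575),   # duplicate record, collapsed below
    ("pump-01", "8.8.8.8", 53),            # not on the approved map
]
# Flows on the last approved network map.
APPROVED = {("pump-01", "emr-app", 443), ("mon-01", "central-station", 2575)}

def ephi_flow_map(inventory, observed):
    """Edges of the ePHI network map: distinct flows whose source or
    destination is an inventoried ePHI asset."""
    ephi_hosts = {a["host"] for a in inventory if a["ephi"]}
    return {f for f in observed if f[0] in ephi_hosts or f[1] in ephi_hosts}

def new_connections(current, approved):
    """Flows present now but absent from the approved map; each one is a
    change that should trigger a map update and risk-analysis review."""
    return sorted(current - approved)

if __name__ == "__main__":
    inv, only_cmms, only_cmdb, stale = reconcile(CMMS, CMDB, TODAY)
    print("inventory:", [a["host"] for a in inv])
    print("CMMS only:", only_cmms, "CMDB only:", only_cmdb, "stale:", stale)
    print("new ePHI connections:", new_connections(ephi_flow_map(inv, OBSERVED), APPROVED))
```

In practice the join key is rarely this clean; serial numbers, MAC addresses and hostnames all drift, so the gap lists are the useful output: each entry is a device whose ePHI handling nobody has fully documented.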
The proposed changes also have significant implications for medical devices, which are increasingly integrated into healthcare systems and handle sensitive patient data. Several of the technical proposed rule changes apply to any technology that generates, manages, or transports ePHI, including medical devices. Others are clarifications that remove ambiguities present in earlier versions of the rule.
All ePHI must be encrypted, including data stored and transmitted by medical devices. This limits the exposure of patient information if storage media are lost or network traffic is intercepted, providing additional protection against data breaches; it does not protect data on a device whose keys an attacker already controls. The proposed rule also offers exceptions. For instance, if a regulated entity does not believe encryption is a reasonable and appropriate safeguard, it must document why and implement an alternative measure that is reasonable and appropriate. The proposed rule also mandates the use of MFA for accessing ePHI. This adds an extra layer of security, especially for medical devices that may previously have relied on less secure authentication methods.
Multi-Factor Authentication (MFA) significantly increases the difficulty for unauthorized individuals to gain access to accounts or systems. By requiring multiple forms of verification, such as a password and a one-time code sent to a mobile device, MFA adds an extra layer of security that is challenging to bypass.
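To make the "password plus one-time code" check concrete, the following is an added example, not from the article: it verifies a password hash and then a time-based one-time code (RFC 6238 TOTP, the authenticator-app variant rather than a code sent by SMS), and refuses to accept the same code twice, so a code captured by a phisher cannot be replayed within its validity window. The shared secret, password and timestamps are constructed; the TOTP secret is the RFC 6238 test key.

```python
"""Added example: password + TOTP second factor with replay protection.
Secret, password and times are constructed (RFC 6238 test key)."""
import hashlib
import hmac
import os
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the current 30-second time step."""
    return hotp(secret, at // step, digits)

class SecondFactor:
    """Server-side state for one user: salted password hash, TOTP secret and
    the last time-step counter that was accepted (prevents code replay)."""

    def __init__(self, salt: bytes, password_hash: bytes, totp_secret: bytes):
        self.salt = salt
        self.password_hash = password_hash
        self.totp_secret = totp_secret
        self.last_counter = -1

    @classmethod
    def enroll(cls, password: str, totp_secret: bytes, salt: bytes = None):
        salt = salt or os.urandom(16)
        return cls(salt, cls._hash(password, salt), totp_secret)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, password: str, code: str, at: int, skew: int = 1) -> bool:
        """Both factors must pass. `skew` allows +/- one step of clock drift;
        a counter at or below the last accepted one is rejected (replay)."""
        if not hmac.compare_digest(self._hash(password, self.salt), self.password_hash):
            return False
        counter = at // 30
        for c in range(counter - skew, counter + skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c
                return True
        return False

SECRET = b"12345678901234567890"   # RFC 6238 test key (constructed, never reuse)

if __name__ == "__main__":
    user = SecondFactor.enroll("correct horse battery", SECRET)
    code = totp(SECRET, 59)
    print("first use:", user.verify("correct horse battery", code, 59))    # True
    print("replayed:", user.verify("correct horse battery", code, 59))     # False
    print("wrong password:", user.verify("guess", totp(SECRET, 60), 60))   # False
```

Two details matter for a device fleet: the replay check has to live on the verifying side, not on the device, and the accepted-counter state must persist across restarts, or a code can be replayed after a reboot.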
Implementing MFA enhances security and raises user awareness about best practices in cybersecurity. It encourages users to be more vigilant about their security habits, fostering a better overall security hygiene culture. This heightened awareness can lead to more proactive measures, such as regularly updating passwords and recognizing phishing attempts, further strengthening the organization’s security posture.
HHS stated that the proposed modifications would explicitly codify those activities critical to protecting the security of ePHI as requirements and provide greater detail for such requirements in the regulatory text. Covered entities must demonstrate planning and movement toward compliance with the proposed rules. The proposed rule introduces specific compliance time periods for many existing requirements, ensuring timely implementation of security measures. This helps ensure all entities work towards the same security goals within a reasonable timeframe. Regulated entities must conduct regular risk analyses and annual audits to maintain compliance with the updated security standards. These ongoing assessments help ensure that security measures remain effective and up to date.
Whether the proposed changes to the HIPAA Security Rule will be finalized remains unclear, but they are designed to address evolving cybersecurity threats and enhance patient data protection, especially for medical devices. Even if the proposed changes are not adopted, by following these steps healthcare organizations can better protect ePHI and be prepared to comply with updated HIPAA Security Rule requirements.

