New HIPAA Cybersecurity Rules Pull No Punches

Healthcare organizations of all shapes and sizes will be held to a stricter standard of cybersecurity starting in 2025 with new proposed rules, but not all have the budget for it.


A sweeping revamp of healthcare cybersecurity is coming in 2025, and experts warn that the compliance burden for organizations will be steep.

Since 2005, healthcare organizations have been subject to the Security Standards for the Protection of Electronic Protected Health Information (the "Security Rule") under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a set of national standards designed to protect electronic protected health information (ePHI). But while threats to ePHI have risen year after year, the Security Rule has remained largely unchanged, last updated in January 2013.

Last week, the US Department of Health and Human Services (HHS), via its Office for Civil Rights (OCR), proposed a long-awaited update to the Security Rule. The 400-page working draft is as serious as its length would suggest, with extensive new requirements for providers, plans, clearinghouses, and their business associates. And while the requirements are all standard best practices, experts point out that this new update is more significant and less flexible than any previous version of HIPAA has been.

Multifactor Authentication, Encryption & Risk

From the beginning, HIPAA has been the best, yet insufficient, regulation dictating cybersecurity for the healthcare industry.

"[There's] a history of the focus being in the wrong place because of the way HIPAA was laid out in the mid-1990s," says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). "At the time, there was this big push to transfer medical and health records to the electronic medium. And with the advent of the HIPAA regulations, it was all about protecting patient privacy but not necessarily securing those records."

HIPAA's focus on privacy limited its ability to address more diverse cybersecurity threats in the 2010s, particularly ransomware. Meanwhile, instead of using it as a baseline for developing a robust security posture, organizations tended to treat HIPAA more as a set of boxes to check. "It ended up driving budgets toward compliance and not necessarily security. And in the past five or six years, we've seen what happens in an environment that's not properly secured, not properly tied down, not properly backed up, when they're hit by ransomware," Weiss says.

HHS highlighted this same point in a statement released alongside the draft Security Rule. From 2018 to 2023, it reported, large-scale healthcare breaches rose 102%, and the individuals affected rose 1,002%, primarily thanks to ransomware. 2023 set a new record, with more than 167 million individuals affected.

The newly proposed Security Rule aims to fix things up, with a laundry list of new requirements that touch on patch management, access controls, multifactor authentication (MFA), encryption, backup and recovery, incident reporting, risk assessments, compliance audits, and more.

As Lawrence Pingree, vice president at Dispersive, acknowledges, "People have a love-hate relationship with regulations. But there's a lot of good that comes from HIPAA becoming a lot more prescriptive. Whenever you are more specific about the security controls that they must apply, the better off you are."

HIPAA Grows Teeth

Pingree recalls how "HIPAA, for a long time, had a kind of wide-angle lens. 'Thou shalt protect your data.' And, frankly, those nebulous rules mean that you get lots of different, varying interpretations."

Historically, in fact, this has been HIPAA's great downfall.

It's just about impossible to impose universally effective cybersecurity rules on an entire industry. Smaller and larger organizations have different needs and different capabilities — and budgets. The threat landscape is constantly changing, so rules designed today may prove obsolete tomorrow. To account for this inevitability, the original HIPAA Security Rule included its provision 164.306, which drew a distinction between "addressable" and "required" rules. For addressable rules, organizations could "assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information," according to HIPAA. An organization might decide that a rule was not appropriate or reasonable in its case due to the specifics of its infrastructure, its size or capabilities, the costs of implementing any given security measure, etc.

Joseph J. Lazzarotti, principal at Jackson Lewis P.C., says provision 164.306 allowed for the kind of flexibility businesses always ask for: "That we're not expecting the same thing from every solo practitioner on Main Street in the Midwest versus the large hospital on the East Coast. There are obviously going to be different expectations for compliance."

But some healthcare organizations exploited this legal flexibility to avoid having to invest in more security defenses. "We are concerned that some regulated entities proceed as if compliance with an addressable implementation specification is optional," HHS wrote in its latest proposal. "That interpretation is incorrect and weakens the cybersecurity posture of regulated entities."

The new Security Rule would eliminate the required-addressable distinction, forcing all regulated organizations to comply with the same rules, regardless of circumstance.

New Costs for Data Health With HIPAA

This newer, stricter Security Rule would force major hospitals on the East Coast and solo practitioners in the Midwest alike to implement a lot of new cybersecurity measures, and it won't be cheap. According to a Dec. 27 press briefing from Anne Neuberger, deputy national security adviser for cyber and emerging technology, the White House estimates that implementation costs will run around $9 billion in the first year following the rule change, then another $6 billion in years two through five.

The Health-ISAC's Weiss worries that isn't realistic for many healthcare organizations. "When you look at these organizations, many are, at best, operating on thin profit margins as it is," he says. "Many of them are in the red, and can't afford stuff like this."

"Even if they're already following all the NIST controls," Dispersive's Pingree estimates, implementing the new HIPAA security rules "could cost as low as $100,000 for a small doctor's office, or it could be many millions if you're a big medical group."

One possible way stretched healthcare organizations might navigate all these new rules and their associated costs is with an outsourced, virtual chief information security officer (vCISO), according to Weiss. Because "it's not just about buying the technology. It's also about recruiting and retaining the cybersecurity expertise that you need to run," he says.

"These organizations don't know where to start," he continues. "The cybersecurity market is very confusing. There are a lot of players. There are a lot of solutions. So if you have $100 to spend on cybersecurity, where do you spend that? They need help to be able to figure all of that out. And I think something like a virtual CISO can help implement a strategy, and then be around on a virtual basis — to check in, to be a resource for that organization when they have questions and they need some help. It seems like a decent model for these small rural hospitals that could not necessarily justify or hire a full-time CISO."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
