US HHS Releases Critical Updates to HIPAA Security Rule to Better Protect PHI
January 03, 2025
On Dec 27, 2024, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) proposed a series of updates to the HIPAA Security Rule. These changes aim to enhance the cybersecurity of electronic protected health information (ePHI) and align with the Biden Administration’s National Cybersecurity Strategy.
Why Cybercriminals Target Health Information
Cybercriminals target health records because they contain a wealth of personal data, including Social Security Numbers, medical histories, insurance details, and billing information. This information, highly prized on the Dark Web, enables identity theft, fraudulent insurance claims, and financial fraud, while also being used for extortion
These factors make healthcare data a prime target, underscoring the urgent need for enhanced protections like those proposed in the updated HIPAA Security Rule.
Here’s a breakdown of what’s included:
1. Mandatory Security Measures
- Encryption for ePHI: All electronic health information must be encrypted to protect it during storage and transmission.
- Multi-factor authentication (MFA): Regulated entities must implement MFA to secure access to sensitive systems.
- Vulnerability scanning: Regular scans for vulnerabilities in systems handling ePHI will be required to identify and address risks proactively.
2. Stronger Contingency Planning and Incident Response
- Workforce access change notifications: Entities must notify relevant personnel of access changes to ePHI within 24 hours.
- Rapid system restoration: Critical systems must be restored within 72 hours of an outage or attack.
- Incident response plans: Regulated entities must create detailed, written plans for responding to security incidents and test them regularly.
3. Enhanced Risk Management
- Technology asset inventory: Organizations will need a comprehensive inventory of all technological assets used to process ePHI.
- Criticality analysis: A prioritization framework will help determine which systems require immediate restoration in the event of an incident.
4. Annual Compliance Audits
- Regulated entities and their business associates must conduct compliance audits every 12 months. Business associates will also be required to certify the implementation of ePHI safeguards through expert verification.
What This Means for Patients and Healthcare Organizations
These proposed changes emphasize accountability and proactive measures to prevent unauthorized access to PHI and data breaches. For patients, this strengthens protection from identity theft and medical fraud.
HHS is encouraging all stakeholders—including patients, healthcare providers, consumer advocates, and government entities—to submit their comments on these proposed updates. The public comment period is open for 60 days following the publication of the proposed rule in the Federal Register. Comments can be submitted via regulations.gov.
Take Control of Your Digital Health Security
As the healthcare sector strengthens its cybersecurity measures, you also can take steps to protect your personal data. Bitdefender Digital Identity Protection helps you monitor your online identity and alerts you to potential risks. Stay one step ahead of cybercriminals by safeguarding your information today.
tags
Author
Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.
View all postsRight now Top posts
Your Device ‘Fingerprint’ Will Go to Advertisers Starting February 2025
December 24, 2024
Beware of Scam Emails Seeking Donations for UNICEF or Other Humanitarian Groups
December 19, 2024
Torrents with Pirated TV Shows Used to Push Lumma Stealer Malware
November 14, 2024
FOLLOW US ON SOCIAL MEDIA
You might also like
Bookmarks
