By Greg Freeman
Health and Human Services (HHS) recently issued proposed updates to the HIPAA Security Rule to address continuing cybersecurity threats in healthcare, urging covered entities to keep up with the bad guys by adopting the most up-to-date technology.
The proposed rule is available online at https://bit.ly/4jGnLKI.
HHS Office for Civil Rights (OCR) is looking to update the Security Rule to account for the current state of technology used in the healthcare industry, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ. He notes the Security Rule was last updated in 2013.
Advances in artificial intelligence (AI), digital health records, applications, integrated medical devices, and the use of mobile technologies of almost every kind have created a healthcare landscape much different than what was around more than a decade ago, he says. Additionally, the threats to these digital technologies have increased exponentially over the same period of time.
“Data breaches and cybersecurity incidents, such as ransomware attacks, have also become more prevalent with some of the largest data breaches to ever affect the healthcare industry having occurred in the past couple of years,” he says.
One of the key changes the Notice of Proposed Rulemaking (NPRM) suggests is removing the concept of addressable standards, Howard explains. Under the current rule, certain standards and implementation specifications are listed as required while others are listed as addressable. Addressable standards do not have to be implemented, but if they are not, covered entities and business associates must document the compensating controls they have put in place to provide the intended protection for electronic protected health information (ePHI), along with their reasoning for determining that the addressable item would not be implemented, Howard says.
The required/addressable structure was intended to allow the rule to be flexible for all sizes of entities, he says.
“But HHS OCR has indicated that current information security technologies and resources available to entities have improved in a manner that will still allow the rule’s requirements to be implemented in a flexible manner,” Howard says. “HHS OCR also indicated that they feel making this change will help solve some of the issues where entities have not consistently dealt with addressable items correctly.”
The proposed rule also will make clarifications to existing definitions and introduce some new defined terms.
“One potentially significant change that is worth mentioning is how the definitions of ‘electronic media’ are being modified to not just include electronic media where data is recorded but also where it is maintained and processed. The introduction of the idea of the processing of data could potentially expand the scope of types of technology the Security Rule would apply to,” Howard says. “This can also be seen in the catch-all proposed to be added to the list of electronic storage material examples — ‘any other form of digital memory or storage.’ This in and of itself will require entities to consider all devices involved in ePHI data flows.”
Specifically, the updated definition of “electronic media” and inclusion of data processing could affect cloud service providers and third-party vendors, says Paul F. Schmeltzer, JD, senior attorney with the Clark Hill law firm in Los Angeles.
“As more covered entities turn to cloud service providers to store and manage patient data, they should evaluate how these changes might expand their contractual and oversight obligations under business associate agreements,” he says.
Howard says another proposed change to note is the elevation of the security management process from an implementation specification to a standard, which allows more granular requirements to be set out as implementation specifications under the new standard. These new specifications would include requirements to create detailed asset inventories that include network maps and data flows for ePHI, he says.
“HHS OCR feels this is a cornerstone for an accurate risk assessment, something HHS OCR has been pushing in its enforcement actions for some time,” Howard says.
Schmeltzer says the updated standards could affect the adoption of AI and machine learning tools in healthcare. For example, the enhanced requirements for documenting data flows and interactions may delay the deployment of AI-driven solutions, he says.
Covered entities and business associates will need to take a close look at all of their deployed technology that has access to ePHI, has ePHI flowing through it, or is part of any ePHI processing, Howard says. They will need to document and track their systems, data flows, and any interactions or integrations they have in place. This level of detail will be new for most entities and will require significant time and, potentially, monetary investment to create and maintain, Howard says.
Schmeltzer says another impact on covered entities will be their need to create and implement a robust vendor management program (if they do not already have one) to ensure their third-party vendors comply with the new rule. This is especially so as third-party systems now are more explicitly included in ePHI data flows, he says.
“The proposed shift from addressable to required standards could necessitate that covered entities conduct a detailed reevaluation of their risk management frameworks,” Schmeltzer says. “Covered entities will of course also need to thoroughly review and update their policies and procedures to reflect the mandatory requirements in the final rule.”
In the end, HHS OCR is trying to align the Security Rule with current cybersecurity frameworks and with information security controls and safeguards known to work, Howard says. If entities carefully implement the proposed changes, they will end up with a much better cybersecurity posture and ultimately be better protected against current cyber threats. Getting there may not be easy for all entities, he says.
“There will be different types of challenges entities may face. Of course, this will vary depending on the size and sophistication of the entities themselves, but either way, there will be some areas that will be difficult for just about everyone,” Howard says. “Some top areas where we may see compliance challenges will be in keeping all of the required security documentation updated while also keeping up with technology innovations and needs within the industry. It is often the case that new technology is pushed out quickly, and in most cases securely, but if there is a need to fully document all technology interactions, this may slow the deployment of new technology down.”
Of course, it is critical that new technology and any risk it involves be considered and documented as necessary, Howard says. The process may simply need to be adjusted so that it occurs prior to deployment.
Schmeltzer says there likely will be tension between the rapid innovation in healthcare technology and the need for extensive documentation and risk assessments.
An additional area where compliance difficulties may arise is in the change to make encryption required instead of addressable, Howard says.
“Couple this with the adjustments to the definition of electronic media and the introduction of the idea of data processing, and that will cause some issues when dealing with some older medical devices, hardware, or other types of technology,” he says.
Schmeltzer adds that legacy systems and older medical devices may not support encryption or other mandated safeguards, and covered entities might need to invest in retrofitting or replacing outdated equipment to meet compliance standards. For mid- to small-sized entities, Howard says this likely will create a burden in the form of additional staffing, or funding to outsource some of the requirements under the NPRM. Entities may also need to obtain services from a managed security services provider or adopt other security applications to provide the level of security needed. In addition, all entities will need to invest time with current staff to assess current information technology assets and security management programs and to perform risk assessments. This also may require independent third-party audits to ensure compliance, he says.
Smaller practices and rural healthcare providers may be disproportionately burdened by the NPRM’s requirements, especially in terms of funding and access to cybersecurity expertise, Schmeltzer says. Often, these healthcare entities operate on much smaller budgets and they will need to make some difficult decisions about how they can pay for their increased compliance obligations, he says.
“HHS OCR recognizes there are resource constraints that these smaller practices and rural providers face, and the NPRM emphasizes that the Security Rule will continue to be flexible and scalable, allowing for implementation that considers the size, complexity, and capabilities of each organization,” he says. “While all covered entities are required to implement strong security measures, the specific actions taken can be tailored to what is reasonable and appropriate for their particular circumstances. A small rural clinic may adopt different technical solutions compared to a large hospital system, provided that the chosen measures effectively protect ePHI in accordance with the Security Rule’s standards.”
Although the flexibility in the proposed rule provides some comfort to smaller healthcare practices with fewer financial resources, Schmeltzer says it is important to note that all healthcare providers, regardless of size, are expected to implement robust cybersecurity measures to ensure the confidentiality, integrity, and availability of ePHI.
“Despite the guidance and resources made available by OCR, these smaller and rural providers could still struggle to mitigate the dangers posed by ever-evolving cyber threats. Perhaps they can leverage automation and AI-driven compliance tools to reduce staffing burdens, streamline documentation, and enhance real-time monitoring of ePHI data flows,” he says.
Howard says it is important to remember that the proposed rule is just that — proposed changes to the Rule. It still must go through the comment period, review of the comments received, and the process of revising and approving the changes that make it through.
“There will likely be changes in the proposed rule. The key at this time is for entities to keep track of the process and any changes announced,” he says. “It is also a good time to start the review of current compliance programs and security risk management processes. Take stock of what is being done currently and compare it to current cybersecurity frameworks, such as the [National Institute of Standards & Technology] cybersecurity framework, and see if there are any gaps that should be addressed. Doing this now will give you a head start on any potential changes coming up. It will also help keep your systems secure, which is never a bad thing.”
Schmeltzer agrees and says it is unlikely that we will get a final rule this year. There probably will be a significant number of comments in response to this proposal, he says. Schmeltzer thinks it is doubtful that the final rule will resemble this proposal, partly because the new administration will have different priorities.
There is a lot to digest in the 120-page proposed rule, notes Candice Moschell, CISSP, cybersecurity leader with the Crowe consulting firm in Indianapolis. Asset management will be a challenge for some covered entities complying with the rule, she says.
“A big investment that likely covered entities will need to make is having some type of automated asset discovery tool and/or supplementing that with the configuration management database,” she says. “We’re starting to see more adoption of those types of tools. However, I think that’s a big project that likely organizations are going to need to invest in heavily to ensure that they’re able to meet that new proposed rule.”
The proposed rule also addresses the overall data flow of ePHI, which historically has been hard for organizations across any industry to identify, Moschell says.
“That’s often because organizations don’t have strong data governance practices in place,” she says. “That means having more than a policy that states data of this nature is classified this way, but actually, truly understanding where your data is and having that data tagged to understand the movement within the environment and understand what controls need to be placed on that data based on classification.”
Sources
- Candice Moschell, CISSP, Crowe, Indianapolis, IN. Telephone: (800) 599 2304.
- John F. Howard, JD, Senior Attorney, Clark Hill, Scottsdale, AZ. Telephone: (480) 684-1133. Email: jfhoward@clarkhill.com.
- Paul F. Schmeltzer, JD, Clark Hill, Los Angeles. Telephone: (213) 417-5163. Email: pschmeltzer@clarkhill.com.
Greg Freeman has worked with Relias Media and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Relias Media products. In addition to his work with Relias Media, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.