Exploring the New HIPAA Security Rule Updates: Everything You Need to Know

Regulatory authorities are renewing their focus on HIPAA audits, placing a spotlight on compliance, and healthcare organizations are being urged to pay closer attention to the evolving security landscape. Recently, the U.S. Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule, marking the first major revisions in over a decade. These changes are designed to address the growing complexity of cybersecurity threats and the increasing need to protect sensitive health information.

Key provisions of the proposal include:

  • Regulated entities must create and update lists of technology assets and maps showing how protected health information (PHI) flows through their systems.
  • Regular vulnerability scanning, penetration testing, and security audits are required.
  • Business associates must verify their compliance with new cybersecurity standards annually.
  • Multi-factor authentication (MFA) is required for access to PHI, using at least two forms of verification (e.g., a password, a physical token, or biometric data).
  • Employers that sponsor health plans will be required to ensure that electronic health information is adequately protected, though they are not currently directly liable under HIPAA.

What’s New in the HIPAA Security Rule?

The proposed updates bring new and expanded requirements that will require healthcare entities to enhance their data security frameworks. Among the most notable changes are mandates for multi-factor authentication (MFA), network segmentation, and robust data encryption. These requirements aim to add layers of protection against unauthorized access to electronic protected health information (ePHI), which is increasingly targeted by cybercriminals.

In addition to these technical safeguards, organizations will also be required to create a technology asset inventory to better manage and track the systems and devices that access sensitive data. Healthcare entities will need to document the movement of ePHI within their systems to ensure data flows are securely managed and monitored.

The Cost of Compliance

While these updates offer stronger protections for patient data, they come with a hefty price tag. Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, has estimated the initial cost of implementing these security measures at $9 billion in the first year alone, with an additional $6 billion over the next four years. Despite the daunting cost, these investments may prove necessary, given the growing sophistication of cyberattacks targeting healthcare providers and insurers.

For healthcare organizations, the key takeaway from these proposed updates is the need for timely action. Organizations running outdated systems, or systems that do not meet the new security standards, may face both compliance challenges and increased exposure to data breaches. They should therefore evaluate their current systems now and plan to re-platform or upgrade their technology to achieve compliance and reduce security risk. With heightened security standards on the horizon, healthcare providers must be proactive in taking the steps needed to protect patient data and maintain regulatory compliance.

Ensuring the security of health information is no longer just a matter of compliance—it is a critical step in protecting both patient privacy and organizational reputation in an increasingly digital world. That is why IPS has taken steps to ensure that our platform is fully compliant and securely built on Salesforce. While other industry platforms run the risk of leaving you out of compliance, IPS has kept pace with each new legal update—making sure you are fully prepared for, and protected against, any new changes.