Health Supply-Chain Hacks Targeted by HHS Cybersecurity Rule

The Department of Health and Human Services' first major revamp in two decades of its cybersecurity rules would require the ever-growing health-care supply chain to overhaul security practices that have enabled an explosion of cyberattacks against providers, from major hospital networks to local clinics.

HHS’s Office for Civil Rights’ Jan. 6 notice of proposed rulemaking seeks to strengthen the cybersecurity of electronic protected health information under the 1996 Health Insurance Portability and Accountability Act. If adopted, the rules would bring stringent compliance requirements across the health-care ecosystem, which has expanded with new entrants including artificial intelligence and data analytics providers.

The proposed changes to the Security Rule—formally called the Security Standards for the Protection of Electronic Protected Health Information—aim to adapt to a cyber landscape shaped by increasingly sophisticated and persistent cyberattacks, including supply-chain hacks. One of the most costly hacks ever occurred in February against UnitedHealth Group Inc. and its Change Healthcare Inc. subsidiary, paralyzing much of the US health-care system after attackers used compromised credentials to log in to a Citrix remote access portal that was not protected by multifactor authentication.

Resetting compliance standards to defend against health-care hacks will be expensive, and providers could soon begin budgeting for the cost of a new rule. The update would also position the department for more active enforcement, targeting widespread noncompliance across the industry that the agency says has contributed to a spike in health-care cybersecurity incidents this decade.

“It’s going to be a wake-up call for a lot of covered entities and business associates, because I do think this is a much deeper dive into security,” said Elizabeth G. Litten, partner and chief privacy and HIPAA compliance officer at Fox Rothschild.

Removing Flexibility

The update would move away from flexibility built into the 2003 rule that allowed covered entities, ranging from single practitioners to giant conglomerates, to right-size cybersecurity requirements to fit their processes.

But the Security Rule’s elasticity has also created “huge variations in the level of information security” across the health-care industry, said Adam H. Greene, partner at Davis Wright Tremaine LLP, who served in HHS’ Civil Rights Office as a senior health information technology and privacy adviser.

To address concerns about the sufficiency of the security measures currently implemented by regulated entities, the OCR's proposed rulemaking removes the distinction between "addressable" and "required" implementation specifications. If approved, this change would make every specification mandatory for hospitals, pharmacies, insurance carriers, and their vendors alike, rather than letting an entity implement an equivalent alternative measure, or document why a specification is not reasonable and appropriate for its environment, as the addressable category has allowed.

Some organizations viewed the safeguards as “optional,” an interpretation that is both “incorrect and weakens” their cybersecurity posture, HHS wrote in the proposal.

The rules would also require entities to consistently review, test, and update their security policies. Health-care providers would have to meet recurring deadlines, develop and maintain technology asset inventories and network maps, perform security risk assessments, and establish procedures to restore lost electronic information systems and data within 72 hours.

“By my count, the regulation references doing certain tasks every 12 months no less than 28 times,” Greene said. In contrast, the existing rule didn’t have “a single reference to having to do things on an annual basis.”

The proposal would for the first time require regulated entities to encrypt all electronic protected health information, both at rest and in transit, with limited exceptions.

“There’s going to be added costs across the board, whether that be with the smaller, solo practitioners, or that be the larger health systems,” said Aaron T. Maguregui, partner at Foley & Lardner LLP and former in-house counsel at health-care provider Centene Corp.

Supply Chain

The proposed rule adds new contractual requirements between health entities and their "business associates," vendors that handle protected health information while performing functions on behalf of covered entities, such as accounting, legal, or administrative firms. Business associates became directly liable for Security Rule compliance under the 2013 HIPAA Omnibus Rule.

At least once a year, those business associates would have to provide written verification that they've implemented the required technical safeguards, accompanied by an analysis of their information systems.

“People are going to need to revise every one of their business associate agreements,” said Kirk J. Nahra, co-chair of WilmerHale’s cybersecurity and privacy and artificial intelligence practices.

The updates come as the role of vendors has broadened in the last decade from performing back-office functions to bringing emerging technologies including generative AI to health services. Some would have to grapple with such requirements for the first time.

“These are organizations that are very early in their journey. Some of them are startups. Some of these are new entrants into the health-care ecosystem,” Maguregui said.

He added, “They’re going to have an uphill battle to comply with these new requirements.”

Enforcement

HHS's framing of its 2003 rule created enforcement challenges for the department. In 2021 the US Court of Appeals for the Fifth Circuit vacated a $4.3 million penalty against the University of Texas's M.D. Anderson Cancer Center, finding that the regulator couldn't point to a specific violation of its Security Rule.

The department had blasted the ruling for allowing health-care entities to meet their security obligations by implementing mechanisms “without regard” for their effectiveness. The more detailed language in the proposed rule would give the OCR “a much greater ability” to enforce its cyber requirements going forward, Greene said.

“The current rule has really hindered enforcement efforts, and this is intended to address that,” he added.

If the updates are finalized in their current form—an open question during a shift in administrations—the agency will likely focus its enforcement actions on compliance with security risk assessments.

On Jan. 8, the OCR announced a $337,350 settlement with USR Holdings LLC, finding it failed to conduct an accurate and thorough risk analysis to identify vulnerabilities in its systems.

The proposed update “is really an attempt to quash the ongoing and continued explosion of cybersecurity events,” Maguregui said.
