Over the past decade, cybersecurity breaches have skyrocketed, particularly in healthcare. The attack on Change Healthcare was a major wake-up call – prompting, among other reforms, the notice of proposed rulemaking from HHS in December 2024, designed to strengthen cybersecurity requirements.
This follows the HHS Cyber Performance Goals introduced in 2023, signaling a push for stricter security measures across the industry.
Despite the HITECH Act being signed more than 15 years ago, HIPAA hasn’t kept pace with modern cyber threats, experts say. The NPRM aims to eliminate ambiguity in the original security rule and reinforce essential safeguards.
Key proposed changes include:
- Making all security requirements mandatory by eliminating “addressable” standards.
- Requiring comprehensive asset and technology management programs, including documented network diagrams, data transmission maps for ePHI, annual penetration testing and bi-annual vulnerability scans.
- Formalizing security and risk management programs with structured policies, accurate self-assessments and documented risk registers.
- Enhancing incident response and disaster recovery with a 72-hour restoration requirement for critical services.
- Strengthening access governance controls to ensure timely workforce updates.
- Mandating encryption, multi-factor authentication and anti-malware protections to safeguard sensitive data.
For organizations still struggling with asset management and budget constraints, these updates could be a heavy lift. The NPRM is anticipated to move through Congress by mid-2025. However, with ongoing leadership changes and an executive order pausing new regulations, it’s uncertain whether these updates will take effect in 2025 or be pushed to 2026.
Either way, the message is clear: Healthcare organizations need to strengthen their cybersecurity posture before they become the next breach headline.
Scott Mattila is CISO and COO of Intraprise Health, a Health Catalyst Company, a healthcare compliance and cybersecurity organization. We sat down with him to get his expert views on proactive measures critical to reducing cyber risks, steps hospitals and health systems can take to prepare now, keys to complying with crucial mandates, and the impact of direct liability on business associates.
Q. Why are prescriptive, proactive measures critical to reducing cyber risks in healthcare?
A. Prescriptive, proactive measures are essential to reducing cyber risks in healthcare because they eliminate ambiguity and ensure organizations implement the necessary controls to protect electronic protected health information. Historically, the open-ended nature of HIPAA regulations has led some organizations to interpret requirements subjectively rather than adopting the technical safeguards needed for robust security.
By leveraging frameworks such as HITRUST and NIST, organizations gain clear expectations for achieving security maturity and resilience, minimizing the likelihood of cyber threats. As a colleague often says, “It’s akin to maintaining good health – exercising, eating vegetables and taking vitamins; in cybersecurity, we must plan and act for the future.”
The healthcare community has long recognized the persistent cyber threats in the industry, with the Cybersecurity Practice Guidelines (CPGs) signaling the inevitability of future legislation – even if some were initially hesitant to acknowledge it. While the threat landscape continues to evolve, implementing basic prescriptive technical controls remains critical.
The NPRM has outlined these measures to help organizations anticipate challenges and mitigate the risk of major cybersecurity incidents.
Q. What are some steps for hospitals and health systems to prepare now?
A. With proposed security regulations on the horizon, hospitals and health systems should start preparing by identifying vulnerabilities and prioritizing mitigation efforts. The first step is engaging leadership and key stakeholders to ensure everyone is aligned on upcoming changes and compliance strategies.
A gap analysis is also essential – whether conducted internally or with a specialized security vendor – to assess risks and determine where the most significant improvements are needed. Quick wins, like strengthening access controls and improving governance, should be tackled first, while larger initiatives like network segmentation and asset management should be planned with clear milestones.
It’s also important to be realistic – not everything can be done at once. A phased approach that balances immediate improvements with long-term security goals will be the most effective. Organizations should also evaluate their current security tools and technology stack to identify opportunities for consolidation or more integrated solutions.
Finally, strong vendor partnerships are key. Working with trusted vendors that understand the evolving regulatory landscape can make compliance and security efforts more effective.
Q. What are keys to complying with crucial mandates, such as encryption, multi-factor authentication and vulnerability management?
A. Compliance with critical mandates should begin with identifying your organization’s most vulnerable areas, prioritizing risks and assembling a cross-functional team to address them. Whether it’s updating policies, introducing new procedures or deploying security tools, the focus should be on both meeting requirements and strengthening overall resilience.
The NPRM isn’t just about checking compliance boxes – it emphasizes prescriptive measures designed to protect against an increasingly complex and evolving threat landscape.
A proactive, well-structured approach ensures that encryption, multi-factor authentication and vulnerability management aren’t just regulatory obligations but essential safeguards for long-term security.
Q. What is the impact of direct liability on business associates and what does this mean for compliance partnerships?
A. The proposed rule significantly increases accountability for business associates, removing the distinction between mandatory and addressable requirements. Essentially, they’re now considered direct extensions of covered entities, which means greater responsibility – and liability – when it comes to protecting patient information.
One major change is the expanded definition of a business associate, now including more subcontractors handling PHI. This means covered entities will step up oversight, introducing stricter third-party risk management and conducting more frequent security reviews.
Business associates must also notify covered entities of any PHI breaches within 24 hours and will now face direct enforcement actions if they fail to comply with the HIPAA Security Rule.
For business associates, this shift makes compliance more critical than ever. They need to align with covered entities on security expectations, strengthen internal controls and take a proactive role in ensuring HIPAA compliance to avoid regulatory penalties.
Follow Bill’s HIT coverage on LinkedIn: Bill Siwicki
Healthcare IT News is a HIMSS Media publication.