HHS is proposing major changes to HIPAA for the first time in more than a decade, aiming to strengthen cybersecurity protocols for electronic health data. Healthcare cybersecurity leaders are mainly in favor of the proposal — though there are some concerns that smaller providers will struggle with the financial and operational burdens of compliance.
The post HHS’ Proposed HIPAA Changes Are A Step In The Right Direction, But Some Providers May Struggle To Comply appeared first on Above the Law.
Among myriad acronyms in the healthcare industry, HIPAA is one of the most referenced.
At the end of last year, the Department of Health and Human Services proposed the first major update in more than a decade to the security regulations issued under this law, the Health Insurance Portability and Accountability Act (the HIPAA Security Rule).
HHS said its proposal is designed to “better protect the U.S. healthcare system from a growing number of cyberattacks.” The announcement was made at the end of a year in which several high-profile cybersecurity incidents occurred in healthcare, such as the ransomware attacks on Change Healthcare and Ascension — the former exposed more than 100 million patient records, and the latter exposed more than 5 million.
These proposed changes seek to strengthen cybersecurity protocols for electronic health data by standardizing certain security processes among providers. HHS is accepting comments on its proposal until March 7.
Healthcare cybersecurity leaders are mainly in favor of the proposed changes, as the regulation will force providers to address longstanding gaps in their data infrastructure and security preparedness. However, the experts interviewed for this article noted that smaller providers may struggle with the financial and operational burdens of compliance.
HHS’ proposal seeks to make several changes to the way providers manage health data under HIPAA, with a key change being the elimination of the distinction between “required” and “addressable” implementation specifications.
Currently, the HIPAA Security Rule has two types of implementation specifications for protecting sensitive health information: “required” specifications that must be implemented as written, and “addressable” specifications that a regulated entity may instead meet with an equivalent alternative measure, or decline to implement after documenting why the measure is not reasonable and appropriate for its environment. In practice, that flexibility has let some organizations treat addressable controls as optional.
By getting rid of these two categories, HHS is aiming to make all of the Security Rule’s specifications mandatory for healthcare organizations, as well as emphasizing the need for comprehensive security measures across all health data. This means several cybersecurity controls will be required for all providers, such as multi-factor authentication, encryption of electronic health data at rest and in transit, and network segmentation.
If adopted, these changes would help providers get on the same page and follow shared cybersecurity standards, pointed out Aaron Neiderhiser, CEO of open-source healthcare data platform Tuva Health.
This standardization will be beneficial for the healthcare industry — because any provider that isn’t using protocols like multi-factor authentication and data encryption is “not protecting data to the extent that they should be,” Neiderhiser said.
But other changes are “more esoteric” and will be more difficult for some providers to implement, he noted.
For instance, the proposed changes to HIPAA would also require providers to maintain detailed written documentation for all of their cybersecurity policies and procedures. HHS wants providers to maintain, and regularly update, written technology asset inventories, network maps and risk analyses.
The main goal behind these new documentation requirements is to ensure providers can effectively map out the way their data is being stored and transferred, noted Mitesh Rao, CEO of OMNY Health, a national data ecosystem that facilitates medical research.
“That goes beyond cybersecurity — that’s almost into the infrastructure space,” he said. “[HHS] is saying, ‘Look, you guys are sitting on a lot of data, you need to really have your hands wrapped around it. You need to know where it is, know how it’s moving, know how everything is set up.’”
The changes reflect the fact that data “is now driving everything” in healthcare, but many organizations lack a comprehensive understanding of where all their data sits and how it can best be leveraged, Rao explained.
Gaining this understanding is no easy task, he pointed out. Health systems house massive amounts of data that sprawls across various systems and divisions, such as inpatient services, surgery, pharmacy, imaging and clinical trials.
Still, having a strong grasp on data mapping is crucial, Rao declared.
Once a provider knows exactly where all of its information sits and how that data can best be leveraged, data “becomes more of an asset and less of a liability,” he said.
Last year was the sector’s worst year in history in terms of breached healthcare records, with more than 200 million patient records exposed. Healthcare providers are well aware of what a problem data breaches have become in the past few years, and most organizations realize that they need to work on shoring up their defenses, Rao noted.
In order to do this, providers have to partner with tech companies, he said.
“The infrastructure that exists right now across the provider world isn’t really designed to meet a lot of these capabilities — but there are a lot of great platforms that are designed to do this. So it’s a question of who to partner with,” Rao remarked.
Neiderhiser of Tuva Health also highlighted the fact that providers aren’t tech-savvy enough to meet new cybersecurity regulations on their own. These responsibilities sit outside providers’ core competency.
“Some organizations that we work with will say things like, ‘We don’t know how to log into AWS.’ They’re provider organizations — their business is not technology, it’s care delivery,” Neiderhiser stated.
Larger organizations can easily strike partnerships with tech companies that have expertise in data management and security. For smaller healthcare organizations that may not have deeply established relationships with tech partners, there could be a longer adjustment period, Neiderhiser said.
A large health system may have already had its IT personnel preparing for a potential change in HIPAA for months — but a small rural hospital probably didn’t have the resources or staff to account for this, he noted. In his view, smaller providers will certainly face a bigger burden when it comes to complying with these new regulations.
The smaller provider organizations that Neiderhiser mentioned often operate on tight margins — meaning it might be a struggle to come up with the cash to pay a tech company to manage their cybersecurity compliance functions.
Another cybersecurity expert — Sean Kelly, chief medical officer at health IT security company Imprivata — noted that he is worried about the cost of compliance.
“It’s difficult just to put forth unfunded mandates — and it’s really difficult, without any kind of funding or incentivization, to just put penalties in front of hospital systems that already have limited budgets, particularly when you look at critical care access hospitals and rural practices,” Kelly declared.
If the proposed changes to HIPAA are adopted, Kelly said he hopes the federal government establishes a system in which hospitals with fewer resources can qualify for grant money or “some sort of incentivization” for compliance. For instance, perhaps these hospitals could obtain Medicare payments more quickly as an incentive, he stated.
He also pointed out that if Congress conducted an analysis of the cost of cybersecurity breaches versus the cost of a pool of money going toward preventive cybersecurity measures at hospitals, it would find that the breaches are much more expensive.
“The cost of these breaches is enormous — not just for the hospitals and the patients that go through it, but even for the local hospitals around it. When a hospital shuts down, then the ambulances go elsewhere, and patients get seen elsewhere. There’s unnecessary tests, there’s morbidity, mortality, lawsuits, and costs associated with the local area around a hospital that goes down,” Kelly explained.
In 2024, the average cost of a healthcare data breach was $9.77 million, according to research from IBM.
HHS’ proposed changes to HIPAA may adversely affect clinicians’ workflows at times, Kelly pointed out.
If a provider doesn’t execute its staff cybersecurity training flawlessly, employees might fail a multi-factor authentication prompt or run into other mishaps that lock them out of their systems, he noted. In other words, if any small aspect of the training is inadequate, such as the training not happening quickly enough for new employees or not being detailed enough, there is a risk that staff members won’t be able to access critical information.
“That means they can’t access systems to do things like look up medical records, and they don’t have the interoperability between different record sets to properly diagnose and treat patients,” Kelly added.
Getting locked out of an account due to cybersecurity protocols can be annoying as a consumer, but it’s a whole different situation as a clinician, he explained.
“If I’m locked out as an ER doctor, then I can’t see your records. I don’t know that you’re on a blood thinner, and I can’t order the CT to show me that you have an intracranial hemorrhage. I can’t treat you properly for a stroke or for whatever your symptoms are — so there are very real consequences for the workflow aspects of security,” Kelly declared.
He also highlighted that it’s quite difficult to ensure all employees across an entire health system receive adequate cybersecurity training. Hospitals are complex environments with thousands of workers spanning various roles, and sometimes staff members aren’t even directly employed by the provider, Kelly said.
There are potential ways to address this, such as single sign-on methods, he stated.
Single sign-on is an authentication method that allows people to access multiple applications or systems with a single set of credentials, like a username and password. For instance, a hospital may give clinicians a badge they can tap as a single sign-on token to make log-ins easier, Kelly explained.
“You can use two factors once in the day, but then for the rest of the day, you can tap in and out. There are ways to automate the workflow so it’s faster to get into the medical records,” he remarked.
Hospitals may also be able to use facial recognition as a daily single sign-on key for clinicians, Kelly added.
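The workflow Kelly describes, as an added example rather than code from the article or from Imprivata: a clinician completes two factors once per shift, and for the rest of the shift a badge tap re-opens the session. The 12-hour anchor window, the user and badge names, and the HMAC-SHA256 challenge-response between reader and badge are assumptions chosen for illustration. The point of the policy is the third outcome: when the daily anchor has expired, a tap prompts for MFA again instead of locking the clinician out.

```python
"""Badge-tap single sign-on anchored on one daily MFA event.

Added example, not code from the article or from any vendor. Names, time
limits and the challenge-response scheme are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumption: a full MFA login anchors a 12-hour shift; after that, the next
# badge tap must step up to full MFA again rather than being denied outright.
MFA_ANCHOR_TTL = timedelta(hours=12)


@dataclass
class Clinician:
    user_id: str
    badge_secret: bytes                       # per-badge key provisioned at enrollment (assumed)
    mfa_anchor_at: Optional[datetime] = None  # when the last full MFA login happened
    revoked: bool = False                     # badge reported lost or stolen


@dataclass
class TapSsoPolicy:
    directory: Dict[str, Clinician]
    _seen_challenges: set = field(default_factory=set)

    def complete_mfa(self, user_id: str, now: datetime) -> None:
        """Record that the user finished password plus second factor."""
        self.directory[user_id].mfa_anchor_at = now

    def issue_challenge(self) -> bytes:
        """Fresh nonce the reader sends to the badge, so a captured tap cannot be replayed."""
        return secrets.token_bytes(16)

    @staticmethod
    def badge_response(badge_secret: bytes, challenge: bytes) -> bytes:
        """What the badge computes over the challenge (assumed HMAC-SHA256)."""
        return hmac.new(badge_secret, challenge, hashlib.sha256).digest()

    def badge_tap(self, user_id: str, challenge: bytes, response: bytes, now: datetime) -> str:
        """Decide a tap: 'GRANT', 'NEED_MFA' (step up, not lockout) or 'DENY'."""
        user = self.directory.get(user_id)
        if user is None or user.revoked:
            return "DENY"
        if challenge in self._seen_challenges:
            return "DENY"            # replayed tap
        self._seen_challenges.add(challenge)
        expected = self.badge_response(user.badge_secret, challenge)
        if not hmac.compare_digest(expected, response):
            return "DENY"            # wrong badge or forged response
        if user.mfa_anchor_at is None or now - user.mfa_anchor_at > MFA_ANCHOR_TTL:
            return "NEED_MFA"        # anchor missing or expired: ask for the second factor again
        return "GRANT"


def build_demo_policy() -> TapSsoPolicy:
    """Constructed directory with one clinician (sample data, not real)."""
    return TapSsoPolicy({"dr_lee": Clinician("dr_lee", badge_secret=b"demo-badge-key-0001")})


def simulate_shift() -> List[str]:
    """Walk through one constructed shift and return the decision for each event."""
    policy = build_demo_policy()
    user = policy.directory["dr_lee"]
    t0 = datetime(2025, 1, 15, 7, 0)
    results = []

    # 07:00, first tap of the day: no anchor yet, so step up to MFA.
    c = policy.issue_challenge()
    results.append(policy.badge_tap("dr_lee", c, policy.badge_response(user.badge_secret, c), t0))
    policy.complete_mfa("dr_lee", t0)

    # 09:30, tap between patients: anchor valid, so grant.
    c = policy.issue_challenge()
    t = t0 + timedelta(hours=2, minutes=30)
    results.append(policy.badge_tap("dr_lee", c, policy.badge_response(user.badge_secret, c), t))

    # Replay of the 09:30 tap captured off the wire: deny.
    results.append(policy.badge_tap("dr_lee", c, policy.badge_response(user.badge_secret, c), t + timedelta(minutes=1)))

    # Tap with a badge holding the wrong key: deny.
    c = policy.issue_challenge()
    results.append(policy.badge_tap("dr_lee", c, policy.badge_response(b"someone-elses-key", c), t0 + timedelta(hours=4)))

    # 20:00, thirteen hours after MFA: anchor expired, so ask for MFA again instead of locking out.
    c = policy.issue_challenge()
    results.append(policy.badge_tap("dr_lee", c, policy.badge_response(user.badge_secret, c), t0 + timedelta(hours=13)))
    return results


if __name__ == "__main__":
    print(simulate_shift())  # ['NEED_MFA', 'GRANT', 'DENY', 'DENY', 'NEED_MFA']
```

The separation between "DENY" and "NEED_MFA" is the design choice that matters for the ER scenario Kelly raises: a bad or replayed tap is refused, but a stale anchor sends the clinician to the second factor rather than to a help desk.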
Through its proposal, HHS is seeking to ensure providers have a good grasp on all the different ways their data is being used and transferred — and having this clear view will likely influence providers’ vendor selection for their various tools and devices, Kelly noted.
The concept of third-party risk shot to the forefront of many healthcare leaders’ minds last year amid the Change Healthcare data breach, he said. Change Healthcare may have been the only entity hit by a ransomware attack, but its thousands of customers suffered the operational and financial consequences of the incident for months.
This disaster underscored the risks healthcare providers face by relying on external partners. Healthcare providers won’t ever be able to maintain their daily operations without their network of vendor partners, so it’s imperative that they master their vendor management and data protection strategies, Kelly remarked. HHS’ proposed rule injects some urgency into these efforts, he said.
“There needs to be a risk assessment before providers even select vendors. Beyond that, providers need to be making sure that [vendors] stay compliant and that every action taken by those third parties is secure,” Kelly stated.
This increased emphasis on vendor management may ultimately lead to fewer breached records down the road, he noted.
Kelly — along with Neiderhiser and Rao — believes that despite the potential cost and workflow concerns, HHS’ proposal is a step in the right direction, as the changes seek to underscore the importance of third-party vendor management and comprehensive cybersecurity staff training. All three experts agree that the proposed changes will likely be finalized in the near future.