HIPAA Changes Ahead: What Healthcare Organizations Must Know

Hwei Oh
03/11/2025

When it comes to cybersecurity, the healthcare industry is struggling. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) observed a 102% increase in reported ransomware breaches between 2018 and 2023. Over the same period, the number of individuals affected by healthcare cyber attacks (roughly 167 million in 2023 alone) rose 1,002%. Then, in 2024, the Change Healthcare breach compromised the electronic protected health information (ePHI) of roughly one-third of the U.S. population. That breach brought much of the industry to a halt, showing the havoc a single compromise of a critical intermediary can wreak.

Not only are attacks on the rise, but they’re becoming more devastating. The Change attack resulted in upwards of $100 million lost per day and left patients without access to medication and care. Meanwhile, a June 2024 cyberattack on London hospitals resulted in the delay of more than 1,000 operations and 3,000 outpatient appointments.

Though there are many reasons these attacks are escalating, an essential one is that the healthcare industry is seriously behind on cyber resiliency. The safeguards in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule were meant to keep medical facilities and patient data safe, but that guidance clearly isn't working as written. Regulators are finally paying attention and looking to upgrade the rule to meet modern security standards.

The OCR recently proposed major updates to the HIPAA Security Rule that have the potential to dramatically improve the security of the industry as a whole. These changes apply to covered entities (health plans, healthcare clearinghouses, and healthcare providers and facilities, including insurers) and to the business associates that handle ePHI on their behalf. It is the first large-scale update to the Security Rule since 2013.

Not only are the proposed guidelines more specific and robust, but nearly all of the implementation specifications, with very few exceptions, would become required, a monumental change from previous editions. Organizations without a comprehensive security program would be forced to establish one in short order or face significant consequences. Here's what you should know to prepare.

The proposed rule demands adherence rather than suggesting it

When companies look at government regulations, their end goal usually isn't cyber resiliency; it's compliance. Rather than using regulations like HIPAA as a framework for building a holistic security program, companies search for loopholes so they can spend the minimum money and hours needed to meet the rule and avoid non-compliance penalties. As it stands today, the HIPAA Security Rule leaves plenty of room for that, which is why so many healthcare organizations still lack basic cybersecurity.

The current rule distinguishes between "addressable" and "required" implementation specifications. For addressable specifications, an organization must assess whether each one is "a reasonable and appropriate safeguard in its environment" for protecting ePHI. If it decides a specification is not reasonable or appropriate, it must document why and implement an equivalent alternative measure where one is reasonable. In practice, "addressable" has been treated as "optional": organizations skip a safeguard on the grounds of size, budget, capability, or perceived threat level, and the documented justification is often thin.

The proposed amendment essentially does away with the addressable category and makes each implementation specification required. This is a significant change that would force all regulated entities to become cyber resilient. It also means many organizations that are compliant today would shortly have significant work to do to remain compliant. Companies could no longer rely on loopholes to avoid building up their security capability; the work becomes unavoidable.

Documentation and foundational cybersecurity are now required

Not only would many of the previously recommended safeguards become required, but the OCR is far more explicit about what companies must do to protect patient data. The roughly 400-page proposal lays out specific cybersecurity processes, policies, plans, and controls that regulated entities must have in place to protect themselves and their patients. It also calls for significantly more documentation of security processes and plans. In essence, it requires companies to invest in foundational cybersecurity if they haven't already. Some of the notable requirements include:

  • Incident response and contingency plans: Organizations must have a written, "well thought-out, well-tested" plan for restoring lost data and critical systems within 72 hours of a security incident. They would also be required to review and test those plans at least once every 12 months and document the results.
  • Asset inventory and ePHI map: Organizations now need to develop and maintain an asset inventory and network map that shows how ePHI moves through an organization’s information systems. The proposed regulations also require companies to address how AI software is used to “create, receive, maintain, or transmit ePHI or interact with ePHI” as part of the asset inventory.
  • MFA: The proposed rule would require multi-factor authentication (MFA) on all relevant electronic information systems, verifying users' identities with at least two of the three factor categories laid out in the proposal (something the user knows, something the user has, and something the user is).
  • Encryption: The proposed rule would essentially require encryption of all ePHI at rest and in transit, with limited, specifically enumerated exceptions.
  • Network segmentation: The proposed rule would require healthcare organizations to establish and implement written policies and procedures ensuring that systems housing ePHI are segmented so that only authorized workstations can reach them. Even where elements of this requirement retain some flexibility, it is wise to make the change now, both to protect ePHI and to be ready for further regulation.
  • Vulnerability management: The proposal calls for timely installation of patches and updates to electronic information systems. Further, organizations must conduct vulnerability scans at least every six months and penetration tests at least every 12 months.
  • Risk analysis: The proposed HIPAA updates generally put more focus on risk analysis, calling for organizations to conduct a risk analysis and gap assessment every 12 months. These analyses must include, among other items, the review of the technology asset inventory and network map, the identification of “all reasonably anticipated threats to the confidentiality, integrity, and availability of” ePHI, the identification of potential vulnerabilities in the organization’s electronic information systems, and a written assessment of the analysis.
  • Compliance audits: In addition to regular risk and security technology assessments, organizations must conduct a compliance audit every 12 months to ensure they fully conform to the requirements laid out in the proposed new HIPAA Security Rule.

These proposed changes mark a major shift from the 2013 edition of the Security Rule, essentially requiring healthcare organizations to implement a full cybersecurity program. HHS is clearly stating that cybersecurity basics are no longer optional and that organizations can't take a piecemeal approach to security initiatives.

Organizations that do not currently have a security program in place have significant work to do and will likely need the help of an experienced CISO or outsourced security provider to ensure their organization becomes — and remains — compliant.

Compliance could be required in the next 6-9 months

The requirements outlined here aren't set in stone; they are proposed changes to the current HIPAA Security Rule, still subject to approval, and may be altered before they take effect. However, the new administration hasn't given any indication that it would oppose these changes, so it's reasonable to assume they will be approved with minimal adjustments.

The proposed changes were open to public comment until March 7, 2025. After reviewing the comments, HHS will publish a final rule that all regulated entities must meet. Under the proposal, organizations would then have 180 days from the date the final rule takes effect to comply.

Given the magnitude of these changes, it would be a stretch for an organization to stand up a compliant security program within six months unless it already has a fairly robust program in place. The changes will also be expensive, costing some organizations millions to implement and costing the industry an estimated $9 billion in the first year alone, according to HHS's own figures.

To ensure compliance in 2025, organizations need to start planning and securing resources now. This may include hiring an experienced CISO, expanding their security department, bringing in a fractional CISO to work with their team, or working with a managed security partner. For many organizations, this last option will be the fastest and most cost-effective way to stand up a security program that is compliant in time.

Bring in the experts to ensure compliance

While these proposed changes may have some executives worried about how they will build and sustain a compliant security program, they come with a significant silver lining: following the proposed rule will make an organization genuinely more cyber resilient. Many healthcare organizations are currently exposed to dangerous and costly risks, and meeting these requirements will substantially reduce them. By investing in a security program, healthcare organizations will not only keep patient information safe but also position themselves to meet new threats, and new regulations, as they arise.

By addressing these proposed regulations early on, organizations are taking a proactive approach to regulatory requirements, threats, and future financial risk.

To learn more about how to develop a comprehensive cybersecurity strategy that will be HIPAA compliant, contact the experts at SolCyber. With our 24/7 detection and response services and Foundational Coverage, businesses can ensure their digital environments are protected against threats and ready to meet these new regulations once they go into effect. Reach out today.
