Page 70 - Cyber Defense eMagazine September 2025

The Evolution of HIPAA Security

In the executive summary of its proposed rule, HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, published in the Federal Register in January 2025, OCR was clear about the catalyst for change, writing that technology has reshaped the healthcare industry and the environment in which care is provided.

“Cybersecurity is a concern that touches nearly every facet of modern healthcare, certainly more so than it did in 2003 or even 2013. Almost every stage of modern healthcare relies on stable and secure computer and network technologies … Thus, cyberattacks, malfunctions, and inadvertent errors can negatively affect the provision of health care, as well as the efficiency and effectiveness of the health care system,” writes the OCR.

Adding to healthcare’s risk profile are covered entities (CEs) and business associates (BAs), where unintentional and nefarious events can endanger electronic protected health information (ePHI) and other sensitive data. Thus, OCR determined that it was time to update the rule to address:



• Technology advancement.
• Shifting trends in breaches and cyberattacks.
• OCR’s greater enforcement experience.
• Improvements in guidelines, best practices, methodologies, procedures, and processes for protecting ePHI.
• Legal decisions impacting Security Rule enforcement.



The goal is also to re-address one of OCR’s most significant challenges when it comes to regulating security: the rapid advancement of both health IT and the methods employed by malicious actors.

Too-prescriptive mandates would necessitate updating the rule—an onerous, costly, and time-consuming process—more frequently than is realistic. Previous iterations of the HIPAA Security Rule attempted to address this by being flexible with compliance. Many security measures were also classified as “addressable implementations,” meaning they were strongly recommended but not explicitly required.

For example, the current rule requires any organization touching ePHI to conduct a security risk assessment to evaluate potential risks and vulnerabilities, resolve any identified vulnerabilities, and document the steps taken. OCR even provides a tool for use in conducting the evaluation. But beyond that, there is no prescriptive guidance. As a result, many healthcare organizations that lacked the resources or technical knowledge to conduct a comprehensive risk assessment wound up taking shortcuts.

The lack of prescriptive guidance, coupled with limited verification requirements, led to unintended consequences, including non-compliance. The increased specificity and expanded requirements in the proposed rule should close those loopholes and harden security around health information.






Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.