Page 71 - Cyber Defense eMagazine September 2025

A Heavy Lift

            Industry support for the HIPAA Security Rule overhaul is broad, as are concerns that the compliance
            burden will be too high for many organizations affected by it. There was a consensus throughout the
            nearly 4,750 letters submitted to OCR during the proposed rule’s two-month public comment period that
            many  requirements  would  be  nearly  impossible  for  some  organizations  to  meet  without  resource
            assistance. These include:

               •  Documenting all Security Rule policies, procedures, plans, and analyses.
               •  Developing and maintaining a technology asset inventory and network map of ePHI movement.
               •  Identifying potential vulnerabilities and predisposed conditions.
               •  Giving notice of changes to, or termination of, an employee’s access to ePHI or information
                   systems within 24 hours.
               •  Establishing written procedures to restore specific information systems and data within
                   72 hours of their loss.
               •  Conducting annual compliance audits and regular risk assessments.
               •  Collecting annual written verification of compliance from BAs.
               •  Encrypting ePHI when it is at rest and in transit.
               •  Establishing technical controls for consistent configuration of information systems.
               •  Using multifactor authentication (MFA).

            Additionally, the proposed rule converts many addressable implementation specifications to required
            ones, removing a core source of flexibility in the current rule. Finally, for many organizations, compliance
            with the updated HIPAA Security Rule will not be feasible on their existing technical infrastructure; it
            would require significant investment in new technologies capable of protecting ePHI as the rule mandates.



            Lessening the Burden

            The good news is that compliance does not have to come at the cost of financial ruin. Small steps toward
            anticipated mandates can be taken now—many of which are common-sense protective measures that
            should be deployed regardless of the requirements in the final rule.

            For example, even organizations with limited budgets can implement MFA, a highly effective and
            reasonably priced protection against credential phishing and other forms of initial access (phishing-resistant
            methods such as FIDO2 security keys close the gaps that one-time codes leave open). Regularly backing up
            data now, and testing that those backups actually restore, will allow information to be recovered after a
            system outage or a ransomware event. At the same time, encryption alone does not stop an attacker who
            has already obtained valid credentials; ransomware and exfiltration defenses that go beyond encryption,
            such as least-privilege access, network segmentation, and monitoring for unusual data movement, limit
            what an intruder can reach and remove once inside a system.

            Other actions healthcare organizations can (and should) take now include conducting a security risk
            assessment and drafting a mitigation and remediation plan. Doing so allows for the prioritization of limited
            resources.

            It is also likely that even well-resourced healthcare organizations will find it infeasible to implement these
            early steps or achieve compliance within the timeframes outlined in the final security rule without third-





            Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.