HHS Proposes HIPAA Security Rule Update to Strengthen Healthcare Cybersecurity
January 6, 2025
by Emily Olsen
The Department of Health and Human Services (HHS) has proposed a significant update to the HIPAA security rule, marking the first revision in over a decade. The proposed changes aim to address escalating cybersecurity threats in the healthcare sector, which has seen a dramatic rise in data breaches and cyberattacks. Notable updates include mandatory creation and annual revision of a technology asset inventory and network map, detailed risk analyses with written documentation, the use of multi-factor authentication (MFA) to protect system access, and biannual vulnerability scans coupled with annual penetration testing. These measures aim to clarify existing HIPAA requirements and enhance protections for electronic health data.
This proposal follows an alarming trend: from 2018 to 2023, large healthcare data breaches have more than doubled, with ransomware and hacking incidents driving the increase. The Change Healthcare breach, the largest in U.S. history, exemplifies the urgent need for improved safeguards. While HHS has introduced voluntary cybersecurity goals and published a sector-wide cybersecurity strategy, many organizations continue to underinvest in protections, leaving them vulnerable. The proposed HIPAA update, alongside legislative efforts for minimum cybersecurity standards and financial support, represents a critical step in fortifying healthcare systems against cyber threats.