This week on the HIPAA Insider Show, we delve into the recently proposed modifications to the HIPAA Security Rule aimed at bolstering cybersecurity measures within the healthcare sector. Join us as we unpack the implications of these changes, discuss their potential impact on organizations of all sizes, and explore strategies to ensure compliance in an evolving digital landscape.
Transcript
Adam Zeineddine
Hello, and welcome to the HIPAA Insider show, where we break down the latest in HIPAA compliance, healthcare data security, and cloud technology. I’m your co-host, Adam Zeineddine.
Gil Vidals
And I’m Gil Vidals, your other co-host. Today, we’ve got some major developments to discuss that could reshape healthcare cybersecurity as we know it. Yeah.
Adam Zeineddine
At the end of last year and on December 27, 2024, specifically the Department of Health and Human Services, HHS dropped what you could call a cybersecurity bombshell, a notice of proposed rulemaking that would significantly update the HIPAA security rule. Gil, I’ve been reading through this, and it feels like one of the most substantial updates in years. What’s your initial take on it?
Gil Vidals
Adam? I did spend some time reviewing this because it did seem like a major shift. What strikes me the most about this is that the changes reflect the reality of modern or current healthcare attacks and ransomware, things that are numbing right now in the news. And we’re not just talking about tweaks to the existing rules. This is simply HHS acknowledging that the threat landscape has fundamentally changed. It’s at a new level, and there needs to be more things done in the regulations.
Adam Zeineddine
Yeah, 2024 was definitely a crazy year. Let’s break it down for our listeners. What are the key changes that they need to know about?
Gil Vidals
Okay, so one of the key changes they’re making is eliminating addressable versus required. So addressable means. Oh, you need to address this. In other words, you need to think about what you would do in this situation versus required, meaning you got to do this. So for the specifications, that’s important. And the flexibility the organization had is really being reduced considerably now. Things went from the maybe list to the have to list, and things are becoming mandatory with very few and limited exceptions.
Adam Zeineddine
Yeah, that’s a big change. I can already hear some of our listeners getting nervous about that one in terms of it becoming mandatory for a lot of the requirements.
Gil Vidals
Yeah, I think in today’s threat environment, those things that were under the maybe addressable category, those were really security best practices, so they should have been implemented anyway. So from that perspective, it’s something that hopefully our audience has been doing to begin with, so it won’t be a big shift for them. And essentially the rules are just catching up with what the security experts have been saying for a long time.
Adam Zeineddine
Okay, what else stands out to you?
Gil Vidals
One of the items they mentioned, there’s several things, a long laundry list. So one of them is keeping an inventory of your assets. And that’s important to know. Map out the data like how the patient protected information flows and having that really a diagram, having that documented. The other one of course is encrypting patient data both when it’s stored and being transmitted. The third one is to use multi-factor authentication. There’s so many companies, websites that don’t have multi-factor enabled and that’s really something that should have been done already. And then the fourth one is run regulatory security tests. I’m sorry, I said regulatory, I meant run regular security tests. So vulnerability scans every six months, every year at a minimum, and then penetration testing at least once a year.
Gil Vidals
And then finally the fifth one is have clear plans for responding to security incidents. So you know how to handle it if there were to be a breach?
Adam Zeineddine
Okay, yeah, quite a few there. And as you mentioned, those are the standout ones on the inventory item. Can you explain why or give our listeners a practical example of why inventory matters?
Gil Vidals
Sure, sure. There was a mid-sized clinic that got hit with ransomware where they the ransomware attackers will encrypt the data and the only way to decrypt it is if you pay them a lot of money and they’ll give you the key to decrypt it. So what happened in this case with this clinic? There was an old Windows server they had in their basement that no one really remembered. It was an old Windows Server 2012 and the hackers exploited that old operating system that wasn’t secure and were able to get into the network. And that’s an example of not being aware of where all your systems are that touch your patient information.
Adam Zeineddine
Yeah, you mentioned ransomware there. Let’s talk about the numbers. There’s an increase, looks like there’s an increase in attacks and it’s pretty staggering.
Gil Vidals
Yeah, it looks like there’s been a doubling of the attacks from say 2018 or so to the present time. That’s a big jump. And there were over 167 million individuals that had their healthcare data compromised. That’s a crazy number. That’s more than half the US population. So it’s really staggering these numbers now.
Adam Zeineddine
Yeah, speaking of numbers, let’s talk about smaller organizations. How are they supposed to handle these new requirements?
Gil Vidals
Yeah, that’s a particularly challenging area because a startup, let’s say, or even maybe not a startup, but a small entity that may have developed a healthcare app, for example, that’s being used at just a few hospitals. Suddenly they say, wow, we got to spend a lot more time and effort and some money to meet all these regulations. So that’s probably one of the most precarious areas that we see with our custom. But I do think that you can start taking steps in the right direction. It always feels good, Adam, when you have a big challenge and instead of looking at the entire thing, you just chip away at it. So you got to start somewhere. A good place to start was document what you have. What are my systems, what do I have? Map your network.
Gil Vidals
That could just be on a piece of paper. If you say, well, I’m not good at this, I’m not a network engineer or whatever, you can work with your team and figure out how to document your network, what you have. There are also, by the way, tools that you can install. A lot of the cloud providers, including Google, Amazon, Azure, they have tools, third party tools that you can install that will do a surveillance of what’s. Or a survey, rather, of what systems exist in the network and then draw a picture of them and how they’re connected. So you could use tools like that.
Adam Zeineddine
Yeah, that’s. That’s a great tip. What other resources are available to help them?
Gil Vidals
The HHS has a few tools you could use. They have a security risk assessment tool that’s pretty comprehensive and I believe it’s free. You just go download it. But don’t be overwhelmed. You can’t try to do all this at one time. So break it down into manageable chunks. Maybe start with the asset inventory and then move on to updating your policies. And then maybe you could tackle some of the. Yeah. Or creating them, and then tackle the technical controls. You can, by the way, Adam, you can buy policies and stuff. So in some sense you could say, well, I fulfilled that. I went to some site and downloaded 50 policies. Now I’ve got 600 pages of policies and you put them in your filing cabinet or on your Google Drive and then there they are. But that doesn’t really. That’s not really compliance.
Gil Vidals
That’s just a checkbox. You’re supposed to be implementing what’s in the policies. So don’t be fooled into thinking that you could just simply buy a stack of paper and then you’re good to go.
Adam Zeineddine
Okay, well, as we wrap up then, with regards to these proposed changes, what are the key takeaways for our listeners?
Gil Vidals
Well, a key takeaway is that the regulators are behind. Right. You should have been already thinking about increasing the security, modernizing your security. And these regulations shouldn’t be as scary as what they might seem like because they’re. The regulators are catching up with current security practices, and it’s forcing those that haven’t implemented those modern security practices to get off their chair and start doing that work.
Adam Zeineddine
Yeah, no, definitely. All right, well, that brings us to the end of today’s episode. Thank you, Gil. And thank you, listeners, for joining us on the HIPAA Insider show. Remember to subscribe wherever you get your podcasts and join our newsletter, the HIPAA Insider, for ongoing updates about healthcare security and compliance. Until next time, stay compliant and stay secure.