A Feb. 3 blog post by Coronis Health discusses the proposed changes and their aim to strengthen cybersecurity, improve compliance and align with modern security practices.
Five takeaways:
- Elimination of “required” vs. “addressable” specifications
Previously, organizations could choose whether to implement certain security measures. The proposed rule removes the distinction between “required” and “addressable” security measures. All implementation specifications must be adopted, with limited exceptions. This shift increases accountability and ensures more comprehensive protection of electronic protected health information (ePHI).
- New documentation requirements for asset inventory and risk analysis
Regulated entities must maintain a written inventory of all technology assets and a network map outlining how ePHI moves within and outside their systems. Risk analyses must be more detailed, including a review of anticipated threats, vulnerabilities and potential impacts on ePHI.
- Stronger incident response and contingency planning
Organizations must establish a formal security incident response plan and test it at least annually. Contingency plans must ensure critical systems and data restoration within 72 hours of a loss. Business associates, meaning partners or vendors an organization works with, must notify covered entities within 24 hours when activating contingency plans.
- Increased oversight of business associates
Covered entities must verify that business associates comply with security requirements by obtaining an annual written verification of their safeguards and risk analyses. Similar requirements apply to business associates overseeing subcontractors handling ePHI.
- Expanded security controls and compliance audits
The proposed rule mandates new security controls, including encryption of ePHI, multi-factor authentication, network segmentation, vulnerability scanning and penetration testing. Organizations must also ensure their technology is regularly patched, and the proposed rule establishes specific timeframes within which patches must be applied. Regulated entities must conduct and document an annual audit of their security compliance, and must document the workforce sanctions applied when breaches occur.
The proposed rule is open for comment until March 7. For the full text of the proposed rule, see the Federal Register notice “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information.”