
Updated: 6 hours ago Advice

Updated HIPAA rules aim to bolster healthcare security

To bolster security for healthcare workers and patients, the U.S. Department of Health and Human Services has proposed updates to HIPAA regulations. The proposed adjustments come amid rising worries about the growing frequency and sophistication of cyberattacks that have compromised sensitive patient records and disrupted operations.

Janelle Drolet is vice president of operations and sales for Towerwall, a cybersecurity consulting firm based in Framingham.

The draft HIPAA Security Rule has been released in the Federal Register for public input. A finalized rule is expected to be issued by year’s end. Covered entities will be given a 180-day window to comply.

One proposed change is the requirement for encrypting sensitive medical data. By mandating encryption for both data at rest and in motion, the HHS intends to minimize the risk of data breaches and unauthorized entry to patient data. Encryption is a crucial security measure to help protect patient confidentiality and shield healthcare providers from breaches.

Proposed changes also call for adopting multi-factor authentication to strengthen access controls and authentication procedures. At this point in our digital lives, MFA should be all too familiar and ubiquitous. Consumers should never hesitate to activate MFA in all online accounts. Asking for two forms of verification before accessing any private system is a no-brainer.

The proposed changes include the need for integrating more resilient firewalls, intrusion detection systems, and security information and event management software. The idea is simply to enhance the overall cybersecurity posture of healthcare entities and level up their game to better thwart security incidents.

While cybersecurity experts generally welcome the proposed changes as a positive step, there are worries about the practical execution of these new orders, particularly for smaller healthcare clinics. Retrofitting security controls onto aged healthcare systems is a steep mountain to climb, necessitating substantial investments in technology, training, and trained staff.

Another challenge is the need for a cultural shift within healthcare organizations toward prioritizing cybersecurity and ingraining it into core operations. This involves fostering a supportive security culture, conducting routine cybersecurity awareness exercises for employees, and establishing policies and procedures for incident response and remediation.

By incentivizing cybersecurity measures, such as conducting regular risk assessments, penetration testing, and vulnerability preparedness, healthcare entities are likely to take a more responsible stance toward safeguarding patient data and mitigating cyber threats. We have found this to be true while observing the October merger of UMass Memorial Health with Milford Regional Medical Center.

The proposed changes to the HIPAA security rules represent a big effort by HHS to bolster patient privacy and data defenses. While the changes are a step in the right direction, there are concerns about the feasibility of implementation. Moving forward, it will be crucial for healthcare providers to prioritize cybersecurity, invest in the necessary resources, and nurture a culture of security awareness.
