
Next month, the Department of Health and Human Services is expected to finalize the first major update to HIPAA in more than a decade, which will require hospitals to adopt more robust security measures.
With this update, HHS seeks to eliminate the distinction between “required” and “addressable” implementation specifications. Currently, HIPAA provides two types of security rules to protect sensitive health information: “required” rules that must be followed and “addressable” rules that providers can choose not to implement.
By removing these two categories, HHS aims to make all cybersecurity rules mandatory for healthcare organizations. Under the department’s proposal, several cybersecurity controls will be required for all providers, such as two-factor authentication, data encryption and network segmentation.
Kumar Sokka, CEO of the cybersecurity platform Acre of security, believes the biggest impact of the HIPAA update is that physical security measures will no longer be optional or flexible.
Providers will no longer be able to simply document their policies: they will have to demonstrate the effective implementation of tools focused on access control, intrusion detection and visitor management, he explained.
He doesn’t have confidence in hospitals’ ability to comply with the new requirements. Sokka said most providers still rely on fragmented, siloed security tools and lack the connected infrastructure needed to meet the updated rule’s more rigorous integrated standards.
“There are different ways to meet needs based on the different budgets that these hospitals have. And I think unification is an important goal, as well as moving to the cloud and modernizing technology,” he noted.
Sokka emphasized that a hospital’s physical security and cybersecurity are deeply intertwined.
Weak physical security, such as unsecured server rooms, can directly enable cyberattacks, he added. For example, someone physically accessing a server and plugging in a USB device can bypass even the strongest cyber defenses.
“There’s always a chance that people will pass by,” Sokka said. “That’s why a visitor management tool is important, because you want to make sure that you’re doing background checks, you’re doing compliance checks to ensure that the right people are coming into the hospital. There are a lot of pain points – things are constantly changing, with guests coming to visit and accessibility to come to the hospital.”
Under the updated HIPAA rule, these types of physical vulnerabilities will no longer be treated as secondary issues, but as fundamental security requirements that providers must actively address.
However, this change is likely to reveal how many providers are still not ready to deploy a stricter security framework, Sokka said.
Photo: MoMo Productions, Getty Images