Readers Write: HIPAA Security Rule Update: Why Basic Compliance Isn’t Enough
By Jason Ward
Jason Ward is VP of IT and tech support at Collette Health.
The healthcare sector has become an increasingly attractive target for cybercriminals, with attacks growing in both frequency and sophistication. The scale of healthcare data breaches nearly tripled in 2023, with 140 million individuals affected compared to 51 million in 2022, highlighting the rapidly growing threat to patient privacy.
In response to these escalating threats, the US Department of Health and Human Services (HHS) has proposed the first major update to the HIPAA Security Rule since 2013. This update reflects a growing recognition that current security measures are insufficient to protect modern healthcare systems.
While these proposed changes represent a significant step forward, they should be viewed as minimum requirements rather than as a comprehensive security program. In today’s healthcare environment, where increasingly interconnected systems multiply the attack vectors available to an adversary, organizations need to think beyond basic compliance.
The current security landscape demands a more proactive and robust approach. Many of the proposed requirements — such as annual audits, basic encryption, and standard access controls — are practices that security-conscious organizations have already implemented, and in many cases, exceeded. As we examine these updates, it’s crucial to understand that they represent a foundation upon which to build more comprehensive security measures.
Key Changes and Why They Matter
- Mandatory security documentation and regular auditing. Previously optional security measures will now become mandatory, with few exceptions. Organizations must document all security policies and procedures. Annual compliance audits will be required to verify adherence to these requirements.
- Enhanced asset management and network visibility. Organizations must maintain and regularly update a technology asset inventory and network map. These must be reviewed at least annually and updated whenever there are changes that might affect protected health information.
- Strengthened access controls and authentication. Multi-factor authentication becomes mandatory for accessing systems containing protected health information. Organizations must notify relevant parties within 24 hours when workforce access changes or is terminated.
- Robust incident response and recovery. Organizations must establish documented incident response plans and procedures. Systems and data must be restorable within 72 hours, with clear procedures for reporting and responding to security incidents.
- Comprehensive technical controls. Organizations must implement encryption for data at rest and in transit, deploy anti-malware protection, establish network segmentation, and conduct vulnerability scanning every six months. Penetration testing must be performed annually.
- Enhanced business associate accountability. Business associates must verify their compliance annually through a written analysis by a subject matter expert. They must notify covered entities within 24 hours of activating contingency plans.
Beyond Compliance: Adopting a Shared Security Model
While these updates represent significant progress, healthcare organizations must recognize that meeting compliance requirements alone doesn’t ensure adequate security. True cybersecurity in healthcare requires a shared security model where:
- Everyone plays a role. Security isn’t just an IT problem. It requires active participation from every department and role within the organization. From clinical staff to administrative personnel, everyone must understand their part in protecting patient data.
- Continuous evolution. Cyber threats evolve faster than regulations. Organizations must stay ahead by continuously updating their security measures and adapting to new threats, rather than waiting for regulatory requirements to catch up.
- Cultural transformation. Building a security-first culture means making security considerations part of every decision and process. This includes fostering open communication about security concerns, celebrating security-conscious behaviors, and ensuring that security is viewed as an enabler rather than a barrier to healthcare delivery.
We’re only as secure as our weakest link. By working together and viewing these new requirements as a starting point rather than an end goal, we can build a stronger, more resilient healthcare security ecosystem that truly protects patient data and maintains trust in our healthcare system.