
Cybersecurity-Focused HIPAA changes are coming to the Healthcare Industry

By Greg Meyers



Stricter rules for safeguarding electronic health records (EHRs) are crucial, especially given the increasing threats to cybersecurity and the sensitivity of the data involved. The move by the U.S. Department of Health and Human Services (HHS) likely reflects a growing recognition of the need for stronger protections as healthcare data becomes more digital and accessible.


In the CSOonline.com article "US takes aim at healthcare cybersecurity with proposed HIPAA changes", John Leyden takes a deep dive into the extensive obstacles that have faced the healthcare industry for decades.


Here's a breakdown of how those measures could help:

  1. Encryption of Sensitive Medical Data: Encryption is one of the most fundamental ways to protect data. Even if cybercriminals manage to breach a network, they won't be able to use or sell data that is encrypted, provided the keys are managed separately and stay out of their reach. This move is especially important in healthcare, where patient information is both sensitive and valuable.

  2. Multi-Factor Authentication (MFA): Adding an extra layer of security through MFA would blunt the impact of many phishing attempts. Even if an attacker gets hold of a password, they still won't be able to access the account without the second factor. It's good to see this becoming a standard, particularly in healthcare, where accounts can have access to highly confidential information.

  3. Network Segmentation: By segmenting the network, healthcare organizations can create "firewalls" between different parts of their IT systems. If one part of the system is compromised, the breach won't necessarily spread to other areas. This is especially important in healthcare, where a breach of medical records can have cascading effects across various departments and systems.


Cybersecurity Gets Political

The regulatory climate around healthcare—especially in areas like data privacy and cybersecurity—has been a bit of a rollercoaster over the past few years. The Trump administration did indeed focus on reducing regulations across industries, and that could create some uncertainty around how the HHS will move forward with stricter cybersecurity rules for healthcare data.

If there is a shift in policy, it could mean a few things:


  1. Delays or Modifications to the Proposed Rules: If there's a push for deregulation, we might see the implementation of these tougher cybersecurity requirements delayed, or even softened. Regulators could decide that certain provisions, like mandatory encryption or network segmentation, aren't feasible for smaller healthcare providers or would be too costly to enforce across the board.

  2. Challenges in Enforcement: A shift away from stringent regulations could also lead to less oversight of how healthcare entities implement security measures. This might reduce the effectiveness of the rules if there’s less of a push to ensure compliance.

  3. Voluntary Compliance Over Mandatory: There could be a shift towards making some of these measures voluntary rather than mandatory, which might still encourage some organizations to adopt them but would likely result in less widespread action.


However, cybersecurity concerns are becoming so critical that even under a deregulatory administration, it's possible that the HHS might find it difficult to back away from addressing these risks. Healthcare systems have been increasingly targeted by ransomware attacks and data breaches, and the consequences for patient care and privacy are huge. The pressure from both public opinion and the healthcare industry itself may be enough to push forward stricter measures regardless of the political climate.
