Big changes are on the horizon for healthcare. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) just dropped a Notice of Proposed Rulemaking (NPRM) on December 27, 2024, to revamp the HIPAA Security Rule.  

If you’re thinking, “Why should I care?”, let’s break it down: cybersecurity in healthcare has gone from being a technical nuisance to a full-blown crisis. 

Why These Updates Are a Big Deal 

When the HIPAA Security Rule first hit the scene in 2003 (and got a small tweak in 2013), the healthcare landscape was unrecognizable compared to today. Back then, electronic health records (EHRs) weren’t as widely adopted, and cyberattacks weren’t the monster they’ve become. 

Fast forward to now: EHRs dominate, and along with them comes a Pandora’s box of vulnerabilities. Cybercriminals are getting bolder, smarter, and more destructive. Need proof? Look at the ransomware attack on Change Healthcare. It exposed the electronic protected health information (ePHI) of up to 100 million people and remains the largest healthcare data breach in U.S. history. And sadly, it’s not a one-off. 

According to OCR’s Breach Portal, which logs reported breaches impacting 500+ people: 

    • 859 breaches from January 2023 to December 2024 are still under investigation. 
    • Of those, a jaw-dropping 87% are categorized as “Hacking/IT Incidents”.  

The takeaway? The current HIPAA Security Rule can’t keep up with today’s threats. 

What’s Changing? 

Here’s a breakdown of the key proposed changes aimed at modernizing the rule and fortifying cybersecurity defenses: 

  1. Mandatory Standards: Say goodbye to optional implementation specifications. OCR wants to make most of these mandatory, with only a few exceptions. 
  2. Comprehensive Documentation: Covered entities will have to keep detailed written policies, procedures, plans, and analyses. 
  3. Technology Asset Inventory and Mapping: Annual updates to a complete inventory of technology assets and network maps will be required to track ePHI. 
  4. Enhanced Risk Analysis: Detailed, written risk assessments for threats, vulnerabilities, and risks to ePHI will become the norm. 
  5. Incident Response and Contingency Plans: New rules will require restoring systems within 72 hours of an incident and regularly testing response plans. 
  6. Encryption & Safeguards: Encryption for ePHI (both at rest and in transit), multi-factor authentication, and regular vulnerability scanning will all be required. 
  7. Annual Compliance Audits: Covered entities and business associates will need to prove compliance with the HIPAA Security Rule standards every year. 

What’s Next? 

If you’re ready to dig deeper, here are some helpful resources: 


Heads up: once the NPRM is published, the 60-day public comment period begins. If you’ve got opinions or skin in the game, now’s your chance to weigh in. 

The Bottom Line 

Cybercriminals aren’t hitting pause, and neither is OCR. These updates to the HIPAA Security Rule are long overdue and could be a game-changer for protecting sensitive health information in today’s digital age. 

Stay tuned – change is on the way, and it’s about time. 

Jennifer McCann, RHIA, CHPS, ODS

Director of Client Relations and Strategy

Jennifer brings over twenty years of experience in the healthcare industry to her role as the Director of Client Relations and Strategy with Haugen Consulting Group. She began her HIM career working in acute care settings in Rhode Island and Massachusetts before relocating to Denver in 2002. Prior to joining the Haugen Consulting Group, Jennifer spent several years in operational roles, successfully building and managing teams through complex projects and implementations. She is well versed in HIPAA privacy and security and workflow analysis.
