Avalon Blog

What You Need to Know about the HIPAA Security Rule Changes


Healthcare is facing some major changes thanks to the latest proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. These changes are a big deal: they’re the biggest updates we’ve seen in years and they’re all about keeping patient data safer in today’s digital world.

So, what’s new? For starters, healthcare organizations now need to take a broader, more holistic approach to protecting patient information. It’s not just about checking a few boxes; it’s about building a strong, all-around strategy that aligns with modern cybersecurity trends. Think: stronger compliance rules, better tools, and smarter ways to manage risks.

Among the most significant updates to the regulation are mandatory end-to-end encryption deployments, multi-factor authentication (MFA), and enhanced risk assessments. The amendments also make continuous monitoring and logging mandatory cybersecurity practices. Automated systems must now be used to track all access to electronic protected health information (ePHI), monitor network activity, and identify security incidents in real time.

The scope of responsibilities is also expanding beyond covered entities to their business associates and subcontractors. Because of the interconnectivity between modern healthcare organizations and their vendors, it’s critical that third parties are appropriately managing sensitive information. Covered entities will be required to update their business associate agreements to reflect these new standards. Contracts should now explicitly require encryption, access controls, incident reporting, and regular compliance monitoring.

Why now? Frankly, healthcare data breaches are getting out of hand. According to IBM’s annual “Cost of a Data Breach Report,” the average cost of a healthcare data breach has reached over $9.77 million per incident. Organizations face significant expenses, including penalties, forensic investigation costs, breach notification, and remediation efforts. Beyond those direct costs, healthcare organizations face reputational damages, loss of patient trust, and patient attrition.

But here’s the tricky part: smaller healthcare providers are worried. For them, these changes are going to be difficult to keep up with. New tools, audits, and security measures are expensive and time-consuming, which could put a real strain on smaller teams and budgets. The U.S. Department of Health and Human Services (HHS) estimates that the first-year cost of the new security rule will total approximately $9 billion with annual costs of $6 billion for years two through five. However, break-even analysis estimates that if the changes in the proposed HIPAA security rule reduce the number of individuals affected by breaches by 7 to 16 percent, the revised security rule would pay for itself.

From a practical standpoint, healthcare organizations should start by conducting a thorough assessment of their current security measures and identifying gaps against the new standards. From there, organizations should:

  • Conduct a risk assessment – Organizations should identify gaps in compliance with the new HIPAA standards.
  • Implement encryption and MFA – These are table-stakes requirements in today’s digital world. Data should be encrypted whether at rest or in transit, and MFA should be used to strengthen access controls.
  • Update business associate agreements – Ensure contracts align with new compliance standards.
  • Develop incident response (IR) plans – Nothing is worse than being completely unprepared in the event of a devastating business event. An IR plan should outline the roles and responsibilities of members of the incident response team and how and when members should be engaged as the incident unfolds, as well as establish guidelines for communication inside and outside the organization.
  • Network and security testing – With a “never trust” mentality, regularly schedule and conduct network and system security testing to ensure your systems are free of critical vulnerabilities that could lead to a cyber incident and possible compromise.
  • Asset inventory – It’s hard to protect what you don’t know you have. Ensuring you have an accurate inventory is an important step in having a more robust security program.
  • Governance and compliance – Leverage tools to track controls, measure compliance, and track progress.

Still, the bottom line is clear: healthcare organizations need to step up. That means getting serious about cybersecurity, investing in the right tech, and making sure everyone on the team knows how to keep data safe. If they can pull it off, they won’t just meet the new HIPAA standards, they’ll also be much better equipped to handle the challenges of today’s complicated digital landscape.

If you have any questions or need assistance preparing for the new HIPAA security rule, contact our cyber experts.


Posted in Cybersecurity, Advisory Services
