
HHS’ Proposed HIPAA Changes Are a Step in the Right Direction, But Some Providers May Struggle to Comply – MedCity News

Among myriad acronyms in the healthcare industry, HIPAA is one of the most referenced.

At the end of last year, the Department of Health and Human Services proposed major updates to this law, named the Health Insurance Portability and Accountability Act, for the first time in more than a decade.

HHS said its proposal is designed to “better protect the U.S. healthcare system from a growing number of cyberattacks.” The announcement was made at the end of a year in which several high-profile cybersecurity incidents occurred in healthcare, such as the ransomware attacks on Change Healthcare and Ascension: the former exposed more than 100 million patient records, and the latter exposed more than 5 million.

These proposed changes seek to strengthen cybersecurity protocols for electronic health data by standardizing certain security processes among providers. HHS is accepting comments on its proposal until March 7.

Healthcare cybersecurity leaders are mainly in favor of the proposed changes, as the regulation will force providers to address longstanding gaps in their data infrastructure and security preparedness. However, the experts interviewed for this article noted that smaller providers may struggle with the financial and operational burdens of compliance.


What changes is HHS seeking to make?

HHS’ proposal seeks to make several changes to the way providers manage health data under HIPAA, with a key change being the elimination of the distinction between “required” and “addressable” implementation specifications.

Currently, HIPAA has two types of security rules for protecting sensitive health information: “required” rules that must be followed and “addressable” rules that providers can choose not to obey.

By getting rid of these two categories, HHS is aiming to make all cybersecurity rules mandatory for healthcare organizations, as well as emphasizing the need for comprehensive security measures across all health data. This means several cybersecurity protocols will be required for all providers, such as two-factor authentication, data encryption and network segmentation.

If instated, these changes would help providers get on the same page and follow shared cybersecurity standards, pointed out Aaron Neiderhiser, CEO of open-source healthcare data platform Tuva Health.

This standardization will be beneficial for the healthcare industry because any provider that isn’t using protocols like multi-factor authentication and data encryption is “not protecting data to the extent that they should be,” Neiderhiser said.

But other changes are “more esoteric” and will be more difficult for some providers to implement, he noted.

For instance, the proposed changes to HIPAA would also require providers to maintain detailed written documentation for all of their cybersecurity policies and procedures. HHS wants providers to continually maintain documents for asset inventory, network mapping and risk analyses.

The main goal behind these new documentation requirements is to ensure providers can effectively map out the way their data is being stored and transferred, noted Mitesh Rao, CEO of OMNY Health, a national data ecosystem that facilitates medical research.

“That goes beyond cybersecurity; that’s almost into the infrastructure space,” he said. “[HHS] is saying, ‘Look, you guys are sitting on a lot of data, you need to really have your hands wrapped around it. You need to know where it is, know how it’s moving, know how everything is set up.’”

The changes reflect the fact that data “is now driving everything” in healthcare, but many organizations lack a comprehensive understanding of where all their data sits and how it can best be leveraged, Rao explained.

Gaining this understanding is no easy task, he pointed out. Health systems house massive amounts of data that sprawls across various systems and divisions, such as inpatient services, surgery, pharmacy, imaging and clinical trials.

Still, having a strong grasp on data mapping is crucial, Rao declared.

Once a provider knows exactly where all of its information sits and how that data can best be leveraged, data “becomes more of an asset and less of a liability,” he said.


How prepared are providers to meet these new requirements?

Last year was the sector’s worst year in history in terms of breached healthcare records, with more than 200 million patient records exposed. Healthcare providers are well aware of what a problem data breaches have become in the past few years, and most organizations realize that they need to work on shoring up their defenses, Rao noted.

In order to do this, providers have to partner with tech companies, he said.

“The infrastructure that exists right now across the provider world isn’t really designed to meet a lot of these capabilities, but there are a lot of great platforms that are designed to do this. So it’s a question of who to partner with,” Rao remarked.

Neiderhiser of Tuva Health also highlighted the fact that providers aren’t tech-savvy enough to meet new cybersecurity regulations on their own. These responsibilities sit outside providers’ core competency.

“Some organizations that we work with will say things like, ‘We don’t know how to log into AWS.’ They’re provider organizations; their business is not technology, it’s care delivery,” Neiderhiser stated.

Larger organizations can easily strike partnerships with tech companies that have expertise in data management and security. For smaller healthcare organizations that may not have deeply established relationships with tech partners, there could be a longer adjustment period, Neiderhiser said.

A large health system may have already had its IT personnel preparing for a potential change in HIPAA for months, but a small rural hospital probably didn’t have the resources or staff to account for this, he noted. In his view, smaller providers will certainly face a bigger burden when it comes to complying with these new regulations.


What about the cost of compliance?

The smaller provider organizations that Neiderhiser mentioned often operate on tight margins, meaning it might be a struggle to come up with the cash to pay a tech company to manage their cybersecurity compliance functions.

Another cybersecurity expert, Sean Kelly, chief medical officer at health IT security company Imprivata, noted that he is worried about the cost of compliance.

“It’s difficult just to put forth unfunded mandates, and it’s really difficult, without any kind of funding or incentivization, to just put penalties in front of hospital systems that already have limited budgets, particularly when you look at critical care access hospitals and rural practices,” Kelly declared.

If the proposed changes to HIPAA are instated, Kelly said he hopes the federal government establishes a system in which hospitals with fewer resources can qualify for grant money or “some sort of incentivization” for compliance. For instance, perhaps these hospitals could obtain Medicare payments more quickly as an incentive, he stated.

He also pointed out that if Congress conducted an analysis of the cost of cybersecurity breaches versus the cost of a pool of money going toward preventive cybersecurity measures at hospitals, it would find that the breaches are much more expensive.

“The cost of these breaches is enormous, not just for the hospitals and the patients that go through it, but even for the local hospitals around it. When a hospital shuts down, then the ambulances go elsewhere, and patients get seen elsewhere. There’s unnecessary tests, there’s morbidity, mortality, lawsuits, and costs associated with the local area around a hospital that goes down,” Kelly explained.

In 2024, the average cost of a healthcare data breach was $9.77 million, according to research from IBM.


What are the potential risks of these changes?

HHS’ proposed changes to HIPAA may adversely affect clinicians’ workflows at times, Kelly pointed out.

If a provider doesn’t execute its staff cybersecurity training flawlessly, employees might fail multi-factor authentication tests or run into other mishaps that lock them out of their systems, he noted. In other words, if any small aspect of the training is inadequate, such as the training not happening quickly enough for new employees or not being detailed enough, there are risks that staff members won’t be able to access critical information.

“That means they can’t access systems to do things like look up medical records, and they don’t have the interoperability between different record sets to properly diagnose and treat patients,” Kelly added.

Getting locked out of an account due to cybersecurity protocols can be annoying as a consumer, but it’s a whole different situation as a clinician, he explained.

“If I’m locked out as an ER doctor, then I can’t see your records. I don’t know that you’re on a blood thinner, and I can’t order the CT to show me that you have an intracranial hemorrhage. I can’t treat you properly for a stroke or for whatever your symptoms are, so there are very real consequences for the workflow aspects of security,” Kelly declared.

He also highlighted that it’s quite difficult to ensure all employees across an entire health system receive adequate cybersecurity training. Hospitals are complex environments with thousands of workers spanning various roles, and sometimes staff members aren’t even directly employed by the provider, Kelly said.

There are potential ways to address this, such as single sign-on methods, he stated.

Single sign-on is an authentication method that allows people to access multiple applications or systems with a single set of credentials, like a username and password. For instance, a hospital may give clinicians a badge they can tap as a single sign-on token to make log-ins easier, Kelly explained.

“You can use two factors once in the day, but then for the rest of the day, you can tap in and out. There are ways to automate the workflow so it’s faster to get into the medical records,” he remarked.

Hospitals may also be able to use facial recognition as a daily single sign-on key for clinicians, Kelly added.


Vendor management will become a bigger priority

Through its proposal, HHS is seeking to ensure providers have a good grasp on all the different ways their data is being used and transferred, and having this clear view will likely influence providers’ vendor selection for their various tools and devices, Kelly noted.

The concept of third-party risk shot to the forefront of many healthcare leaders’ minds last year amid the Change Healthcare data breach, he said. Change Healthcare may have been the only entity hit by a ransomware attack, but its thousands of customers suffered the operational and financial consequences of the incident for months.

This disaster underscored the risks healthcare providers face by relying on external partners. Healthcare providers won’t ever be able to maintain their daily operations without their network of vendor partners, so it’s imperative that they master their vendor management and data protection strategies, Kelly remarked. HHS’ proposed legislation injects some urgency into these efforts, he said.

“There needs to be a risk assessment before providers even select vendors. Beyond that, providers need to be making sure that [vendors] stay compliant and that every action taken by those third parties is secure,” Kelly stated.

This increased emphasis on vendor management may ultimately lead to fewer breached records down the road, he noted.

Kelly, along with Neiderhiser and Rao, believes that despite the potential cost and workflow concerns, HHS’ proposal is a step in the right direction, as the changes seek to underscore the importance of third-party vendor management and comprehensive cybersecurity staff training. All three experts agree that the proposed changes will likely become finalized in the near future.


Photo: traffic_analyzer, Getty Images