
On December 27, 2024, the Department of Health and Human Services proposed a new HIPAA Security Rule (“the Proposed Rule”). The Proposed Rule is significant in scope: it retains the current Security Rule’s requirements for “reasonable” safeguards while making many specific practices mandatory vis-à-vis HIPAA’s implementation specifications, requires the implementation of several industry-standard practices (e.g., multi-factor authentication), and makes a few misplaced organizational recommendations.
The broader context of the Proposed Rule from HHS’s perspective is, frankly put, the awful state of data breaches.[1] Every year there seems to be an unabating wave of new breaches. In the past twenty-four months, OCR has seen 888 breaches affecting 247,175,118 individuals. That is most of the US population, although there are certainly duplicates across those reports. That number is exceptionally high because of one breach in particular, Change Healthcare’s (owned by UnitedHealth). Change Healthcare is a clearinghouse that was brought down by a ransomware attack, which the American Hospital Association reports led to the exposure of 190 million people’s data.
“Why did this happen?” I am going to go out on a limb and say it happened because there is a collection of criminals and hostile state actors who continue to go unpunished for any attempts – successful or not – at stealing Americans’ data and/or disrupting their businesses.[2] That is, of course, a more philosophical answer. The House Energy and Commerce Committee would more likely point to the failure to implement multi-factor authentication on one of the company’s remote-access systems. United itself blamed the attack on “aged technology systems.”
And now, we have a shiny, new Proposed Rule. On the good side, requiring MFA is… GOOD. Every incident responder I have talked to looks for whether MFA was enabled on the compromised technology as a first step of any breach investigation. It’s … the first question every, single, time. This is so important that HHS has gone so far as to define what MFA means. The Proposed Rule defines it as authentication of the user’s identity through verification of at least two of the following:
- Information known by the user, including but not limited to a password or personal identification number (PIN).
- Item possessed by the user, including but not limited to a token or a smart identification card.
- Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.
In case you are wondering, my friends in incident response would also ask HOW you do the MFA. SMS is out these days and authenticator apps (or hardware keys) are in, because attackers have found it relatively easy to take over your phone number through SIM swapping and intercept the one-time codes. Note also that two factors from the same category (a password plus a PIN, for instance) do not satisfy the definition above; the two factors must come from different categories. The Proposed Rule also requires folks who manage PHI to map their network and how PHI moves through it. It’s probably important to do that now anyway. If you are breached, you will end up figuring out how PHI moves through your systems in a whole new, awful set of workflows and projects. Another one I love is regularly checking your network ports and disabling the ones you don’t need or ones that present a security risk. Requiring encryption for data in transit and at rest is also quite good. Much of what’s in here should not be a surprise for those following HHS’s Cybersecurity Framework.
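The port review mentioned above is easy to turn into a recurring check. The script below is an added example, not code from the original post or from HHS: it parses the kind of output `ss -Hltnp` prints on Linux, compares each listening socket against a per-host allowlist, and flags anything unexpected, with cleartext and remote-desktop services called out as high severity. The sample `ss` lines, the allowlist and the high-risk table are all constructed for the example and would be replaced by a host’s real inventory.

```python
"""Audit listening TCP ports against an allowlist (added example)."""
import re
from dataclasses import dataclass

# Assumed allowlist for a hypothetical application host: (port, protocol)
# pairs that are expected to be listening. Anything else gets reported.
ALLOWED = {
    (22, "tcp"),   # SSH, reachable only from the management network
    (443, "tcp"),  # HTTPS front end
}

# Assumed table of ports that should never be exposed on a PHI-handling host.
HIGH_RISK = {
    21: "FTP (cleartext credentials)",
    23: "telnet (cleartext session)",
    3389: "RDP exposed to the network",
}

# Constructed sample in the shape of `ss -Hltnp` output (not a real capture).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 *:443 *:* users:(("nginx",pid=1045,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1300,fd=3))
LISTEN 0 128 [::]:3389 [::]:* users:(("xrdp",pid=1411,fd=11))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1500,fd=40))
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# Columns: State Recv-Q Send-Q Local:Port Peer:Port [users:(("proc",...))]
_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str, proto: str = "tcp") -> list[Listener]:
    """Turn `ss -Hltnp` lines into Listener records."""
    listeners = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        # rpartition handles IPv4 ("0.0.0.0:22"), IPv6 ("[::]:3389") and "*:443".
        addr, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(proto, addr, int(port), m.group("proc") or "?"))
    return listeners


def audit(listeners, allowed=ALLOWED, high_risk=HIGH_RISK):
    """Return (severity, listener) pairs for every socket not on the allowlist."""
    findings = []
    for l in listeners:
        if (l.port, l.proto) in allowed:
            continue
        if l.addr in ("127.0.0.1", "[::1]"):
            severity = "info"    # loopback-only; record it, but not exposed
        elif l.port in high_risk:
            severity = "high"    # known-bad service reachable from the network
        else:
            severity = "medium"  # unexplained listener; justify or disable
        findings.append((severity, l))
    return findings


def report(output: str = SAMPLE_SS) -> list[str]:
    """Human-readable findings, worst first."""
    order = {"high": 0, "medium": 1, "info": 2}
    lines = []
    for sev, l in sorted(audit(parse_ss(output)), key=lambda f: order[f[0]]):
        why = HIGH_RISK.get(l.port, "not on allowlist")
        lines.append(f"[{sev:6}] {l.proto}/{l.port} on {l.addr} ({l.process}): {why}")
    return lines


if __name__ == "__main__":
    # On a real host: audit(parse_ss(subprocess.check_output(["ss", "-Hltnp"], text=True)))
    print("\n".join(report()))
```

Run it on a schedule and diff the findings against the previous run; a new "medium" entry is exactly the signal the Proposed Rule’s port review is meant to surface, and the "high" entries are the ones to disable immediately rather than document.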
On what I think is the bad (and really burdensome) side is a requirement that business associates notify covered entities when an individual employee or subcontractor no longer has access to a covered entity’s PHI, and do so within 24 hours of that access being revoked. Vendors should read that and be rightfully appalled. This means that customers will have near real-time transparency into your workforce, and in some cases before your own workforce has it. I also am not sure what it means if you have a company where support is distributed across a team or floor and there is no single dedicated “squad” assigned to each account. This sort of live view into employment practices is something vendors should push back on.
On the confused side of things, the Proposed Rule specifically calls out clearinghouses and asks that those functions be isolated and treated with special attention. I call this confused because, frankly, what makes clearinghouse data so special? It’s insurance claims. What else stores insurance claims? Frankly, everything. The entire health IT ecosystem is built around them. Predominantly, they’re also hosted on the providers’ PMS/EMR. What makes that specific data more sensitive than other health data? I couldn’t tell you. I think this is a misplaced reaction to Change Healthcare, and if it had been a different component of the IT ecosystem that had been hit, then this would be that category’s section. You could go with: electronic prescribing, sending and receiving secure messages between providers with a patient’s summary of care (specifically a C-CDA), a compromised patient portal (with all the clinical data, EOBs, a patient’s credit card information, and potentially more), or health information exchanges like those participating in TEFCA. All of these are transactional systems with attachments, like a clearinghouse. All of this data is, more or less, hyper-sensitive clinical, financial, and billing information.
For next steps, there is much, much more in the Proposed Rule and I recommend you really sit down with it and figure out what your organization does today, what suggestions you could take from it and would want to implement whether or not it is finalized (MFA), and identify what would be burdensome for your organization. Then feed that perspective through the policy lens of the current administration, and write it down in the form of a comment letter by March 7, 2025.
You can submit comments, identified by RIN 0945-AA22, by either of the following methods:
- Federal eRulemaking Portal: Submit electronic comments at https://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA22. Follow the instructions at https://www.regulations.gov for submitting electronic comments. Attachments should be in Microsoft Word or Portable Document Format (PDF).
- Regular, Express, or Overnight Mail: You may mail written comments to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA Security Rule NPRM, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201. Please allow sufficient time for mailed comments to be timely received in the event of delivery or security delays.
This is a rare opportunity for health IT developers to submit comments during a fresh change of administrations on a topic of bipartisan concern. I encourage you to take it!
[1] To lay this at the feet of healthcare would be deeply misplaced, of course. We live in a world where apparently the major telecommunications carriers were hacked, exposing the data of hundreds of millions of Americans. https://thehill.com/policy/technology/5022838-salt-typhoon-encryption-apps-cyberattack/; https://www.cisa.gov/news-events/news/cisa-nsa-fbi-and-international-partners-publish-guide-protecting-communications-infrastructure; https://www.forbes.com/sites/zakdoffman/2024/12/05/fbi-warns-iphone-and-android-users-stop-sending-texts/
[2] I happen to agree with John Strand, the author of Offensive Countermeasures, that a strategy of “all defense” is a game for suckers. In a striking illustration of that concept, Change Healthcare PAID the thieves who stole their patients’ data, and in return, it got published to the Dark Web anyway.
Image by https://unsplash.com/@imattsmart