The White House’s lead regulatory office is reviewing a proposed rule that would upgrade the cybersecurity protections required under the Health Insurance Portability and Accountability Act (HIPAA).

The White House Office of Information and Regulatory Affairs (OIRA) received the proposed rule on Oct. 18.

The changes to the HIPAA security rule will “improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats,” according to a rule abstract published by OIRA.

OIRA is charge of reviewing major agency rulemakings before they are published. Once the HIPAA updates clear White House review, the Department of Health and Human Services would be able to release the Notice of Proposed Rulemaking for public comment.

During a HIPAA security conference on Wednesday, a top official with HHS’ Office of Civil Rights (OCR) said officials “anticipate publication of the security rule NRPM this year.”

The rule comes in response to a massive uptick in cyber attacks targeting the healthcare sector, especially so-called electronic protected healthcare information (ePHI), which is regulated by HIPAA.

“We’ve seen tremendous increases in the use of ransomware and hacking to obtain unauthorized access to ePHI, and since 2003 there’s been an evolution in technical capabilities of record systems that are used to maintain health information, and there have been changes in the costs of variety of security measures,” Marissa Gordon Nguyen, HHS OCR senior advisor for health information privacy, data and cybersecurity, said during a conference today hosted by HHS and the National Institute of Standards and Technology.

“The changes we think support updating the security rule to help ensure that it can continue to provide a baseline of security standards to meet current and emerging security risks and threats to ePHI,” Nguyen added.

The HIPAA cybersecurity requirements haven’t been substantially updated in more than a decade. In that time, the healthcare sector has become the top target for ransomware actors. In the wake of the Change Healthcare ransomware attack earlier this year, lawmakers have pushed HHS to update its cybersecurity requirements for the healthcare sector.

While Nguyen and other officials did not detail the changes in the proposed rule, HHS previewed the HIPAA updates last year in a cybersecurity concept paper.

In that paper, HHS said it would seek to incorporate new “cybersecurity performance goals” or “CPGs” into existing regulations and programs “that will inform the creation of new enforceable cybersecurity standards.”

HHS subsequently released the CPGs as voluntary practices in January. The HHS goals are a slimmed down version of the Cybersecurity and Infrastructure Security Agency’s cross-sector cybersecurity performance goals, which are based on the National Institute of Standards and Technology’s widely used Cybersecurity Framework.

HHS’ CPGs include 10 “essential” goals, such as multifactor authentication and cybersecurity training, as well as 10 “enhanced” goals.

During a separate discussion at today’s conference, Brian Mazenec, deputy director of the Center for Preparedness within HHS’s Administration for Strategic Preparedness and Response, discussed the development of the CPGs.

“We view them as not everything you should do, but it’s a great place to start,” Mazanec said. “And there are simple things like mitigating known vulnerabilities, patching those in your systems. That’s one of the essential practices. So really basic stuff, but this is the punch list of the 10 core ones we think are most important to have a high impact in bolstering your cyber posture. Since we published them, these have been the animating lens for a lot of the activity we’ve undertaken.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.