While your organization has been serving the needs of the people that depend on you, the U.S. Office for Civil Rights (OCR) has been working to update the present HIPAA Security Rule to better protect personal data. The upcoming HIPAA changes are currently “proposed rules,” but your organization should still begin preparing for them now. Some key questions:

  • Do you have procedures in place to revoke an employee’s access within one hour of termination?
  • Can your organization demonstrate the ability to restore critical systems within 72 hours following an incident?
  • Does your organization have a team in place that can conduct vulnerability scans at least every six months?

When the proposed HIPAA Security Rule is finalized later this year, organizations will have just 180 days to comply. The requirements taking shape now are specific enough that waiting for the final rule before you begin preparing is not a strategy.

A Core Theme of the Proposed HIPAA Security Rule

While many specifics of the proposed HIPAA Security Rule updates are still under review, themes are clear when it comes to security controls:

  • They must exist
  • They must function
  • They must be demonstrably documented
  • They must be demonstrably reasonable

Regulators will expect these required security controls to be actively implemented and maintained, and they will expect you to produce the documentation to prove it. This is part of a broader regulatory trend that is moving beyond checkbox compliance. To be compliant, you now need real-world evidence that your controls are reasonable.

Technology Asset Inventory So You Know Where Your Risks Are

Another clear theme is the expectation that organizations will soon be required to maintain a comprehensive and accurate inventory of their technology assets. Just as a retailer relies on precise inventory data to remain profitable, healthcare organizations must know exactly which devices and systems exist within their environment. This goes beyond servers and laptops. It includes medical devices, applications, and anything else that creates, receives, maintains, or transmits ePHI. Achieving this level of visibility cannot be accomplished through a one‑time spreadsheet exercise. For years, OCR has been saying that you can’t conduct a comprehensive risk analysis if you don’t know what your assets are. This change to the regulation is intended to remove that ambiguity.

PHI Network Mapping So You Know Where PHI Goes

You have a comprehensive understanding of how patients flow through your organization on a daily basis, but do you have the same clarity about how their ePHI flows across your network? Do you know every system, device, and individual that has access to patient data? This shift toward actionable, detailed mapping of ePHI requires organizations to clearly show where it is stored, how it is transmitted, and who interacts with it. This level of visibility not only strengthens security controls, but it also enables faster breach containment, more accurate reporting, and a defensible compliance posture.

Rigorous Risk Analysis Determines Reasonability

OCR has said for many years that covered entities and business associates most often fail at risk analysis. If you don’t know your risks, you can’t determine whether your controls are reasonable. And if you don’t know whether your controls are reasonable, you can’t take advantage of HIPAA’s “flexibility of approach.” Hospitals, pharmacies, insurance carriers, insurance brokers, and radiologists all serve patients’ needs, but they all operate very differently. As a result, no two organizations use exactly the same cybersecurity controls. HIPAA built in a “flexibility of approach” that organizations exercise when they conduct their risk analysis, and OCR is trying to help the public understand how to use risk analysis by being more explicit about this standard.

Manage Your Third-Party Risk

Oversight of access to ePHI doesn’t stop with your internal employees. It extends to any third party with access to the ePHI flowing through your organization, from contracted staff to technology vendors and service providers. These business associates are themselves required to manage PHI risk, and your organization must be able to demonstrate to regulators how the associated risks are identified, monitored, and mitigated.

This means your organization needs a formalized vendor security management program that includes periodic reassessment. If the pattern isn’t clear yet, the new HIPAA proposals push healthcare organizations toward a far more proactive, continuous approach to risk management, including the risks introduced by third parties.

Why Halock

The proposed rules are pushing organizations from periodic compliance to a proactive security mindset. The challenge is preparing for this inevitable shift while still giving your full attention to your core mission.

Halock Security Labs isn’t driven by one-time assessments. We help organizations create a proactive, reasonable security program that treats risk management as an ongoing operating discipline. We design and implement strategies that ensure all critical controls are implemented, functional, and supported by documented evidence that can be audited, tested, and defended.

No regulator knows your business, so no regulator knows the controls you should use. The current and proposed HIPAA Security Rule provides the flexibility of approach and the risk analysis standard to help you find the controls that are reasonable for you.

Contact Halock today to learn how we can help transform your organization into the proactive, security-minded entity that today’s regulations and landscape require.