While your organization has been serving the needs of the patients that depend on you, the U.S. Department of Health and Human Services (HHS) has been working on updating the present HIPAA regulations to better protect the data of those patients. Although the HIPAA changes are still in the "proposal" stage, your organization must begin to prepare for them now. For instance:
- Do you have procedures in place to be able to revoke access of an employee within one hour of termination?
- Can your organization demonstrate the ability to restore critical systems within 72 hours following an incident?
- Does your organization have a team in place that can conduct vulnerability scans at least every six months?
While no one knows exactly what the final HIPAA rules will say, the proposals are expected to be finalized later this year. At that point, the clock begins ticking for your organization.
A Core Theme of the New HIPAA Security Rule Proposals
While many specifics of the proposed HIPAA Security Rule updates are still under review, one theme is clear when it comes to security controls:
- They must exist
- They must function
- They must be demonstrably documented
This shift aligns with the change in key terminology from "addressable" to "required." Organizations will no longer be able to document exceptions. Regulators will expect these required security controls to be actively implemented and maintained, and they will expect you to produce the documentation to prove it. It is all part of a broader regulatory trend that is moving beyond checkbox compliance: to be compliant, you now need real-world evidence that proves it.
Technology Asset Inventory
Another clear theme is the expectation that organizations will soon be required to maintain a comprehensive and accurate inventory of their technology assets. Just as a retailer relies on precise inventory data to remain profitable, healthcare organizations must know exactly which devices and systems exist within their environment. This goes beyond servers and laptops. It includes medical devices, applications, or anything else that creates, receives, stores, or transmits ePHI. Achieving this level of visibility cannot be accomplished through a one-time spreadsheet exercise. A modern asset inventory is a living, dynamic system that is incrementally updated, validated regularly, and tightly integrated with security operations.
ePHI Network Mapping
You have a comprehensive understanding of how patients flow through your organization on a daily basis, but do you have the same clarity about how their ePHI flows across your network? Do you know every system, device, and individual that has access to patient data? The shift toward actionable, detailed mapping of ePHI requires organizations to clearly show where it is stored, how it is transmitted, and who interacts with it. This level of visibility not only strengthens security controls, it also enables faster breach containment, more accurate reporting, and a defensible compliance posture.
Rigorous Risk Analysis
Handling sensitive data inherently exposes your organization to the risk of some type of cyber incident. The new HIPAA proposals reinforce the principle that risk evaluation can no longer be a periodic, checkbox-style exercise. Instead, organizations must adopt a model of continuous, rigorous assessment that reflects evolving threats, emerging vulnerabilities, and changes in the environment. This requires a shift in mindset from static assessment to ongoing analysis, and that shift demands sustained attention and discipline.
Business Associate Oversight
Business associate oversight doesn't stop with your internal employees. It includes any third party with access to the ePHI flowing through your organization, from contracted staff to technology vendors and service providers. These partners are required to perform their own due diligence, and your organization must be able to demonstrate to regulators how the associated risks are identified, monitored, and mitigated.
This means your organization needs a formalized vendor security management program that is open to periodic reassessments. If the pattern isn’t clear yet, the new HIPAA proposals push healthcare organizations toward a far more proactive, continuous approach to risk management, including the risks introduced by third parties.
How Halock
We may not know the exact details of the upcoming HIPAA changes, but we do know they will be substantial. The regulatory push is moving organizations from periodic compliance to a proactive security mindset. The challenge is preparing for this inevitable shift while still giving your full attention to patients or customers.
Halock Security Labs isn't driven by producing one-time assessments. What we do is help organizations build a proactive, principles-based security program that treats risk analysis as an ongoing operating discipline. We design and implement strategies that ensure all critical controls are implemented, functional, and supported by documented evidence that can be audited, tested, and defended. That's because security isn't theoretical; it is about protecting against real threats. Contact Halock today to learn how we can help transform your organization into the proactive, security-minded entity that today's regulations and threat landscape require.
