
Public Comments Analysis on HIPAA Security Rule Amendment for Cybersecurity

HIPAA Security Rule for Cybersecurity

Major cybersecurity breaches continue to plague the US healthcare industry, and on December 27, 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule, titled "The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information". Comments were requested and over 4,000 were received before the comment period ended on March 7, 2025. This blog summarizes what the comments covered - and what comes next.

Comments were received from individuals, healthcare providers, professional organizations and cybersecurity vendors. We had a look through them and compiled this summary, so you don't need to.

Why Did the Security Rule Need to be Updated?

The proposal is an upgrade of the Security Standards for the Protection of Electronic Protected Health Information ("Security Rule"), which was initially issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and later updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The declared intent of the HHS is to update the Security Rule in response to the evolving healthcare technology landscape and to address emerging threats. The purpose of the NPRM is specifically to strengthen cybersecurity protections for electronic protected health information (ePHI).

What Did the Amendment Propose?

The proposed amendments aim to address the growing cybersecurity threats and vulnerabilities facing the U.S. healthcare system. The updated HIPAA Security Rule recommends that healthcare organizations implement advanced controls like mandatory encryption for all ePHI (both at rest and in transit), multi-factor authentication (MFA), network segmentation, regular vulnerability scanning and penetration testing, robust anti-malware protection, patch management, and configuration controls, while also conducting thorough risk assessments and maintaining strong access controls to limit unauthorized access to sensitive patient data.

Who Submitted Comments?

There were 4,749 comments received, including a large number of uploaded documents. There was a lot of replication. For example, the American Psychological Association clearly instructed its members to upload a comment based on a provided template, and hundreds of individual therapists duly obliged.

Comments came from a broad range of concerned parties:

Healthcare Providers and Organizations: There were submissions from large entities involved in providing healthcare services such as Essentia Health, the Cleveland Clinic, University of Kansas Health System and others, as well as from rural hospitals and small specialized practices and clinics.

Professional Organisations and Associations: These are groups representing a collection of professionals or organisations within the healthcare or related industries. Examples include HIMSS (Healthcare Information and Management Systems Society), ACOG (American College of Obstetricians and Gynecologists), NRHA (National Rural Health Association) as well as the Business Group on Health (representing large employers who sponsor group health plans) and organizations representing both insurance agencies and consumers.

Vendors and Technology Providers: These are companies that supply technology or services to the healthcare industry. Examples include Approov, No World Borders, Inc. (a technology company focusing on AI in healthcare) and Clearwater Security (a cybersecurity firm). Epic Systems submitted a 9-page comment.

Individuals: These are comments submitted by people acting on their own behalf, often with specific expertise or experience. Examples include medical practitioners as well as executives at healthcare providers and IT vendors.

This classification helps to understand the diverse perspectives and concerns being raised regarding the proposed changes to the HIPAA Security Rule. Many commenters represent specific interests and their feedback often reflects the unique challenges and considerations relevant to their sector.

Executive Summary of Comments Received

In summary, the comments indicate broad support for strengthening cybersecurity protections for ePHI but highlight significant concerns about the practicality, burden, and clarity of some of the proposed changes. Commenters urge HHS to provide more specific guidance, to consider the challenges faced by different types and sizes of regulated entities, and to ensure that the requirements are feasible and effective in the current threat environment.

Here are some of the key points which were raised:

Definition of Security Incident: Several commenters expressed concern about the proposed broad definition of a "security incident", which includes attempted unauthorized access. They argue that reporting every attempted intrusion, such as phishing emails, would be impractical and resource-intensive, and could overwhelm regulatory bodies with non-critical information. Recommendations include refining the definition to focus on successful breaches or significant threats that compromise the integrity and availability of ePHI. HIMSS specifically recommends excluding "unsuccessful attempts".

Reasonably Anticipated Threats: The Cleveland Clinic urged OCR to clarify that the requirement to protect against reasonably anticipated threats does not mandate the elimination of all threats, as this is often impossible with external actors. They suggest focusing on implementing reasonable and effective security measures and continuous improvement.

Patch Management Timelines: There is a request for comment on the appropriateness of the proposed timelines for applying patches, updates, and upgrades.

Workforce Access Termination Notification: Commenters are asked whether the 24-hour timeframe for notifying other regulated entities of a terminated workforce member's access to ePHI is appropriate, with a specific query on whether a shorter timeframe would be reasonable.

System and Data Restoration Timeframes: Several comments address the proposed requirement to restore critical electronic information systems and data within 72 hours. Some believe this is a laudable goal but argue that the timeframe should be case-dependent, particularly as forensic reviews might be necessary before restoration. WPHCA recommends removing the 72-hour timeframe. There are also questions on whether all systems and data should be restored within 72 hours or if different timeframes for different systems based on criticality are more appropriate.

Business Associate Verification: The proposed requirement for regulated entities to obtain written verification from business associates regarding the deployment of technical safeguards at least annually is a point of discussion. Some argue this is burdensome and potentially unnecessary, as business associates are already legally required to comply with HIPAA. There is a recommendation for Business Associate verification to encompass Administrative and Physical Safeguards in addition to Technical Safeguards. Clarification is sought on the level of "written analysis" required for this verification, suggesting the use of generally accepted cybersecurity principles and methods or NIST Special Publications as a guide. The burden estimate for this task is also questioned.

Clarity and Practical Guidance: Many commenters emphasize the need for clearer definitions of terms like "deploy" and specific technical controls, as well as more practical guidance and realistic expectations for implementation, especially for resource-constrained organisations.

Alignment with Existing Frameworks: There is a suggestion for HHS to continue using NIST guidance where feasible to establish a common baseline for compliance. One commenter details their use of NIST and other frameworks to create assessment tools.

Burden and Cost: Concerns are raised about the potential financial and administrative burden of implementing the proposed revisions, particularly for solo and small practices. Some commenters feel the implementation timelines and cost projections are unrealistic.

Multi-Factor Authentication (MFA): Clarification is requested on MFA methods, particularly the status of SMS-based MFA. There are also suggestions for allowing risk-based selective use of MFA and for allowing a single MFA authentication to remain valid for a reasonable period.

Reporting Framework: A recommendation is made for a central reporting framework for entities subject to multiple federal agencies to avoid redundant reporting.

Definitions: Specific feedback is provided on the definitions of "electronic media" and "security or security measures," with concerns about technical feasibility and the concept of "direct management control" in cloud computing environments. Clarification is sought on how the definition of "information system" applies in cloud environments. The proposed amended definition of "malicious software" is generally seen as a positive improvement, with a suggestion to add specific guidelines for detecting and preventing firmware attacks.

Business Associates and EHR Vendors: There are requests for clarification on whether offshore business associates are part of a Covered Entity's ePHI network map and on the status of EHR vendors as Business Associates.

Contingency Planning Notification: Feedback is sought on whether a plan sponsor should be required to notify a group health plan within 24 hours of activating its contingency plan.

Security Incident Response: HIMSS expressed concern about the new requirement to "eradicate" all suspected or known security incidents, arguing it's unclear and potentially infeasible for unsuccessful attempts.

What will Happen Next?

In principle, the HHS will review the comments and issue a final rule. However, on January 20, 2025, President Trump signed an Executive Order (Regulatory Freeze Pending Review), requiring all executive departments and federal agencies to stop all pending rulemaking activity.

In the wake of major cybersecurity breaches in the healthcare industry, data protection initiatives will hopefully be an opportunity for urgent bipartisan agreement. HHS fast-tracking and finalizing the Security Rule could provide a way forward, but this is definitely a case of "watch this space".

What to Do in the Meantime

Healthcare providers, and everyone else in the US healthcare ecosystem, should prepare for potential updates to the HIPAA Security Rule by carefully evaluating existing cybersecurity protocols to identify areas requiring enhancement in line with the proposed requirements, as well as by planning for the financial implications of adopting the proposed security measures and allocating resources accordingly.

If the proposed Rule is reissued or the pause is lifted, it is likely that it will come with some revisions. Staying informed will also be essential for compliance and for ensuring protection of ePHI against evolving cyber threats.

Mobile Apps in Healthcare - the Approov Take

We believe very strongly that in its current form the proposal does not adequately address the use of mobile apps in the Healthcare ecosystem, and submitted our own comments addressing the threat posed by widespread adoption of mobile healthcare apps.

Mobile apps are widely used by patients for access to healthcare data and "telemedicine" services such as consultations, prescription refills, appointment scheduling, accessing test results, etc. They are also used by practitioners, increasingly from personal devices, outside the security provided by campus networks and enterprise mobile device management solutions.

An additional evolving threat window is the mobile apps associated with medical devices, which have become a distinctly efficient means of device access and control.

Moreover, government regulations promoting interoperability and patient ownership of data in the healthcare industry have led to the wide scale proliferation of APIs providing access to ePHI.

All of this presents an entire ecosystem of data-rich attack surfaces to hackers seeking to carry out multi-pronged attacks. These attack surfaces must be protected.

Mobile app code is uniquely exposed: even when obfuscation techniques are used, app code can be decompiled and analysed, which means that specific defenses are required. Even implementing robust Transport Layer Security (TLS) can be problematic, since device environments are exposed, especially when devops teams resist implementing certificate pinning due to performance and availability concerns.

The Security Rule does extend the previous definition of authentication to "technology assets" in addition to "persons". Authentication, in the new definition, means corroboration that either a person or a technology asset is the one they are claiming to be. The document also modifies and strengthens the definition of "malicious software" in a way that can cover the types of tools which can be deployed on mobile devices (print page 926). However, it is currently too general to address the specific issues presented by modified apps or weaponized software running on the devices people use.

Approov is not alone in highlighting this lack of clarity. In their feedback, Epic specifically requests guidance from OCR on which types of devices they expect anti-malware to be deployed on. They explicitly list iOS mobile devices and Android mobile devices as categories that should be included in this guidance. They also point out that the proposed anti-malware implementation specification could require deployment on devices like Apple Watches, for which such solutions might not be available, and request exceptions for such scenarios. Epic suggests that efforts should be limited to deploying anti-malware where it is most impactful, identifying Windows laptops and desktops and Windows servers as currently the most important platforms for this. This is dangerous from our perspective, and simply "kicks the can down the road" - much better to address the problem of personal devices head on.

In conclusion, we believe that the updated HIPAA Security Rule must address the specific risks presented by mobile healthcare apps running on personal devices.

Approov and US Healthcare

We have been very active in driving improvements to cybersecurity in US Healthcare, sponsoring major research on mobile healthcare app vulnerabilities and the risks to FHIR APIs. Read our Healthcare Mobile Security Brief and find more healthcare research here.

Approov are experts on app and API security. We would be happy to set up a call to see if we can help you quickly and effectively improve your healthcare app security.


George McGregor

- VP Marketing, Approov
George is based in the Bay Area and has an extensive background in cyber-security, cloud services and communications software. Before joining Approov he held leadership positions in Imperva, Citrix, Juniper Networks and HP.