Source: www.csoonline.com – Author:
News Analysis
28 Jan 2025, 8 mins
HIPAA, Healthcare Industry, Regulation
Security experts welcome proposed changes to the regulation’s security rules while warning about political uncertainty, feasibility, and the potential cost to healthcare orgs.
The major update to the HIPAA security regulations also requires healthcare organizations to strengthen security incident response plans and procedures, carry out annual penetration tests and compliance audits, among other measures. Many of the proposals cover best practice enterprise security guidelines foundational to any mature cybersecurity program.
Industry feedback on the rule changes — which are due to become effective in June — is welcomed before a March 7 deadline.
Health care revamp ‘long overdue’
Security and legal experts polled by CSO on the proposals were broadly supportive while noting that implementing these changes will require significant resources, costs, and personnel.
Lisa Sotto, a partner at US law firm Hunton Andrews Kurth, and leader of its cybersecurity and data privacy practice, told CSO that updates to the HIPAA Security Rule are “long overdue.”
“The cyber threat landscape has evolved dramatically in the last 20 years — but the rule has remained static, essentially two decades behind the current threat to healthcare systems,” Sotto said. “The proposed rule would require measures that are already considered a security must — for example, it is no longer considered optional to have multi-factor authentication in place, and the proposed rule would mandate that covered entities implement MFA.”
Lack of multi-factor authentication played a key role in the Change Healthcare ransomware catastrophe last year.
“The proposed changes are extensive and would help HIPAA-covered entities focus on the security safeguards they should have in place to protect against the nefarious threat actors who have been relentlessly attacking healthcare entities,” Sotto said.
Cybersecurity experts praised the shift to a risk-based approach covered by the security rule revamp, while some expressed concerns that the measures might tax the financial resources of smaller clinics and healthcare providers.
“The security measures called for in the proposed rule update are proven to be effective and will mitigate many of the risks currently present in the poorly protected environments of many healthcare payers, providers, and brokers,” said Maurice Uenuma, VP & GM for the Americas and security strategist at data security firm Blancco. “This new rule update will drive much needed improvement by being more specific, prescriptive, and enforceable.”
Uenuma added: “The challenge will be to implement these measures consistently at scale.”
Trevor Dearing, director of critical infrastructure at enterprise security tools firm Illumio, praised the shift from prevention to resilience and the risk-based approach implicit in the rule changes, which he compared to the EU’s recently introduced DORA rules for financial sector organizations.
“For years the guidance was to follow frameworks like the NIST, CSF, and CISA; however, implementation has been inconsistent at best,” Dearing told CSO. “The new approach in the rule changes is similar to what we saw in DORA in the EU, introducing more prescriptive mandates on security controls like segmentation, while also allowing organizations to tailor security efforts to their specific risks so they’re more effective and efficient.”
However, early returns on DORA, which went into force on Jan. 17, have shown that midsize organizations in particular have been challenged to keep pace with the mandate and that the regulation could further strain cybersecurity skills gaps.
Greg Notch, chief security officer at managed detection and response vendor Expel, struck a more cautious tone, pointing out practical problems such as the difficulty of retrofitting MFA controls in environments full of legacy healthcare technology.
“The updates predominantly require seemingly basic security hygiene, including things such as mandatory MFA, vulnerability management practices, asset inventories, audits, and encryption,” Notch told CSO. “These appear on the surface to be basic, but for smaller regional hospitals and service providers these could be cost prohibitive or otherwise difficult to implement.”
Notch continued: “For example, some healthcare equipment is quite expensive, with long duty cycles which make managing risk more difficult — and expensive. Some systems do not support MFA directly, and require additional and expensive technology to be implemented.”
Still, the expense necessary should prove a wise investment, Illumio’s Dearing argued.
“While small and rural providers may struggle to upgrade, ignoring the problem is not an option, as cyberattacks on these devices could lead to significant long-term costs,” he said.
Cultural shift
Some experts argued that mandating additional security controls is unlikely to be effective unless it comes alongside changes in cybersecurity culture within healthcare providers.
“Merely introducing new rules without a cultural shift in how companies prioritize and implement robust security measures can render these updates ineffective,” said Borja Rodriguez, manager of threat intelligence operations at cybersecurity vendor Outpost24. “Companies must not only comply with the rules but also embed cybersecurity into their core operations and invest in proactive strategies.”
Imposing stricter rules and fines could “unintentionally provide leverage to ransomware groups,” as these fines are often cited in ransom demands to pressure organizations into paying, Rodriguez warned.
“To mitigate this, the government should consider balancing enforcement with incentives for genuine improvement in cybersecurity posture, such as funding, support programs, or recognition for achieving high security standards,” Rodriguez said.
Doing so could help dissuade healthcare organizations from viewing the issue entirely from a cost-analysis perspective.
“Historically, healthcare providers felt it was better to pay a HIPAA fine rather than hire a security team and put all of the controls in place to protect patient data,” said Bryan Marlatt, chief regional officer at cybersecurity consulting firm Cyxcel. “Today, so many federal regulatory bodies are more empowered to take action on those not meeting data protection requirements.”
Political uncertainty
The Trump administration has signalled a desire to reduce regulations, which leaves some uncertainty about what this will mean for the US Department of Health and Human Services and its proposed rule changes.
“Topics like cybersecurity, data privacy, and national security tend to have more bipartisan support compared to other issues,” said Brian Arnold, director of legal affairs at managed detection and response firm Huntress. “I think this situation creates an opportunity for tweaks and adjustments that might not have been possible if it had been proposed and adopted under the same administration. I don’t expect these to be the final versions of the rules.”
Cyxcel’s Marlatt said that some of the requirements are unrealistic and not likely to make it into the final version of the updated Security Rule.
“Some of the proposed changes go beyond what most organizations are able to provide today,” Marlatt argued. “One item is the 24-hour notification period for changes in user access, modified or terminated, for anyone who can access ePHI [electronic protected health information] data. Another item includes the recovery of systems and data within 72 hours following a security incident.”
Marlatt warned: “Posing such strict timelines on a healthcare, or other, organization drives incident responders to make mistakes.”
By contrast, other measures such as vulnerability management, multi-factor authentication, malware protection, and data encryption should be required of any entity that maintains sensitive data and “should be easier to stand up, if they don’t already exist,” according to Marlatt.
Original Post url: https://www.csoonline.com/article/3810936/us-takes-aim-at-healthcare-cybersecurity-with-proposed-hipaa-changes.html
Category & Tags: Healthcare Industry, HIPAA, Regulation, Security