
The Future of Healthcare Security: Understanding the Notice of Proposed Rule Making (NPRM) that Would Make Significant Changes to HIPAA


Is increased regulatory oversight the prescription for mitigating continued breaches in healthcare delivery? Let’s explore cybersecurity’s place in the typical healthcare organization and the Health and Human Services (HHS) recent Notice of Proposed Rule Making (NPRM) that would make significant changes to current HIPAA requirements. 

The Caremark Doctrine

With cyber breaches on the rise in healthcare and other sectors, how does cybersecurity accountability at the board level play into recent government actions? As in other sectors, will the board of non-profit and for-profit healthcare enterprises fall under the Caremark Doctrine, under which the board is expected to have sufficient knowledge and oversight mechanisms to actively monitor the organization’s regulatory and legal compliance? A recent NPRM designed to strengthen existing HIPAA requirements suggests that may be the trend. 

What Does the Notice of Proposed Rule Making (NPRM) Mean for Healthcare Delivery Organizations?

In December 2024, the HHS released a Notice of Proposed Rule Making (NPRM) that would change the HIPAA Security Rule for the first time in decades. The goal of the NPRM is to “strengthen cybersecurity protections for electronic protected health information (ePHI).” A summary of the requirements in the NPRM can be found here.

The “new” requirements proposed are built on current HIPAA requirements, retrofitted to make the Security Rule itself more prescriptive. For example, while HIPAA currently lists vulnerability scanning and penetration testing as “recommended,” under the NPRM vulnerability scanning would be required at least every six months and penetration testing at least every 12 months. This would mean more responsibility, but also more accountability at both the board and middle-management levels, along with an expectation of more communication between the two. The individuals responsible for conducting, documenting, and monitoring these scans and tests would also need to communicate the results up to the board and out across the organization.

What Are Some Potential Challenges Within the NPRM?

As currently written, the NPRM may pose challenges, especially for rural and small-to-medium-sized hospitals. The first concerns cost; the second concerns the resources that would be needed to implement these updated requirements.

While many existing HIPAA requirements are already recommended as remediation in security risk assessments or maturity assessments, many organizations continue to struggle to implement and uphold them. Because the NPRM is more prescriptive, the proposed changes highlight the importance of enforcement and accountability. If finalized as currently written, someone within the organization would need to take point on communicating, implementing, upholding, reporting on, and monitoring each one of these controls.

There is also the challenge of balancing privacy and security against timely and efficient patient care. The push toward more prescriptive security controls may inadvertently slow down processes, and therefore providers attempting to access health records, potentially affecting prompt decision making for patient care.

Many organizations may struggle with scalability under the proposed changes in the NPRM, working to reconcile the other frameworks they already follow with the new guidelines. Ensuring consistent practices across an entire healthcare organization is a large lift that may be especially challenging for rural and small-to-medium-sized organizations.

The Bottom Line

With the publication of the NPRM, and the final version of the rule eventually looming, Impact Advisors offers services to help you and your organization stay ahead of the curve. With comprehensive security risk assessments as well as virtual CISO (vCISO) services, we can help you better understand and prepare for the ever-changing cybersecurity landscape. Our comprehensive Security Risk Assessments will help you identify and communicate strengths, challenges, and areas for improvement while highlighting the impact of potential threats and vulnerabilities to your organization. Our deep dive into your governance, risk, and compliance efforts will help you better understand how to cultivate a culture of communication across the enterprise. We are ready to help you each step of the way, with additional long-term support through our vCISO services.

Our Experts' Thoughts

Will your executive leadership team and board soon be expected to have sufficient knowledge and oversight mechanisms to actively monitor your organization’s regulatory and legal compliance? We believe the answer is yes. Will hospitals and health systems be able to insulate themselves with the provisions of HIPAA alone? We believe the answer is no. Boards will have an obligation to establish and monitor internal compliance and reporting systems to detect potential regulatory violations or misconduct.

To comply with both HIPAA and the NPRM to the Security Rule, it is important to review and update your business continuity, disaster recovery, and incident response plans. Careful consideration must be given to reporting, investigating, mitigating, containing, and eradicating any threats that may arise within your hospital or health system. Impact Advisors offers professional services backed by a skilled team of experts, ready to keep your organization compliant, secure, and proactive in identifying the risks you face.

Written by:

Erin Boomershine
Consultant