HIPAA to Mandate MFA, Risk Analysis, Vulnerability Scanning Among Other Items In The Wake Of Breaches

To better protect patient records, the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) is proposing that substantial cybersecurity requirements for all covered entities and their business associates be added to the HIPAA Security Rule (enacted in 1996). The Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information is set to be published on January 6, 2025.
A 300+ page working draft for public comment is currently in the Federal Register: https://public-inspection.federalregister.gov/2024-30983.pdf
Ted Miracco, CEO, Approov had this to say:
“The proposed updates to HIPAA are an overdue response to the escalating cybersecurity attacks on the healthcare sector, especially with regards to mobile devices and API attacks. Enforcing stricter security measures such as encryption, MFA, attestation and network segmentation, is a strong start as HHS aims to enhance the protection of patient data significantly. However, for mobile app developers, this will mean adapting much more advanced security practices to meet these emerging standards. Rebuilding user trust and safety remain critical priorities, given the extensive number of data breaches that have occurred in recent years, and their devastating impacts.”
Lawrence Pingree, VP, Dispersive follows with this:
“For HIPAA/HITECH, this guides organizations to more prescriptive controls – e.g. not just ‘you need to protect your data and users’ – it’s now bringing more specific controls around multi-factor authentication and data protection strategies. In security, the more prescriptive the controls, the better, since this reduces the variance of approaches that might not adequately address current threats. The grand challenge is for prescriptive guidance not to become outdated, so it must be continuously uplifted to address modern threats.”
Given how often the health care sector gets pwned by hackers, it’s about time that something like this has come down the pipe. Because if the health care sector wasn’t going to protect itself on its own, it needs to be forced to protect itself.
This entry was posted on January 2, 2025 at 3:05 pm and is filed under Commentary with tags HIPPA. You can follow any responses to this entry through the RSS 2.0 feed.