Next month, the Department of Health and Human Services is slated to finalize the first major update to HIPAA in more than a decade, which will force hospitals to adopt more robust security measures.
With this update, HHS is seeking to eliminate the distinction between “required” and “addressable” implementation specifications. Currently, HIPAA has two types of security rules for protecting sensitive health information — “required” rules that must be followed and “addressable” rules that providers can choose not to obey.
By getting rid of these two categories, HHS is aiming to make all cybersecurity rules mandatory for healthcare organizations. Under the department’s proposal, several security controls will be required for all providers, such as two-factor authentication, data encryption and network segmentation.
Kumar Sokka, CEO of cybersecurity platform Acre Security, thinks the biggest impact of the HIPAA update is that physical security safeguards will no longer be optional or flexible.
Providers won’t be able to just document policies anymore — they will have to demonstrate actual implementation for tools focusing on access control, intrusion detection and visitor management, he explained.
He isn’t confident in hospitals’ ability to comply with the new requirements. Sokka said that most providers still rely on fragmented, siloed security tools and lack the connected infrastructure needed to meet the updated rule’s more rigorous, integrated standards.
“There are different ways to meet the needs based on the different budgets that these hospitals have. And I think unification is a big one, and also moving to the cloud and modernizing technology,” he remarked.
Sokka noted that a hospital’s physical security and cybersecurity are deeply intertwined.
Weak physical security, like unsecured server rooms, can directly enable cyberattacks, he added. For instance, someone physically accessing a server and plugging in a USB device can bypass even strong cyber defenses.
“There’s always the chance of people walking through,” Sokka stated. “That’s why a visitor management tool is a big deal, because you want to make sure you’re running background checks, you’re doing compliance checks to ensure that the right people are entering the hospital. There’s a lot of weak points — things are just in flux, with guests coming in to visit and the accessibility of coming to a hospital.”
Under the updated HIPAA rule, these types of physical vulnerabilities will no longer be treated as secondary concerns — but as core security requirements that providers must actively address.
However, this shift is likely to expose how many providers are still unprepared to deploy a more stringent security framework, Sokka said.