
Proposed New HIPAA Rules Announced

HHS published a Notice of Proposed Rulemaking on December 27th, 2024, that includes extensive new cybersecurity requirements for the protection of PHI records.

While the list of new requirements is long, it contains many great things that you should have been doing already. Many of these are just common sense, but they are often ignored in healthcare because they aren't explicitly part of the archaic Security Rule controls.

These include:

  • Formal documentation of all policies, procedures, plans, and analyses.
  • Use of multi-factor authentication.
  • Regular vulnerability scanning and penetration testing.
  • Centralized control of all workstations and servers to ensure consistent configurations and implementation of security tools.
  • A formal security risk assessment every 12 months.
  • Encryption of all ePHI both in transit (e.g., HTTPS, TLS) and at rest (e.g., BitLocker).
  • Business Associate relationships (e.g., BAAs) verified at least annually.

There are many more, but these are the heavy hitters in the list. The proposed rule also removes the distinction between "required" and "addressable" implementation specifications, making all of them required.

We already assess against many of these, as they are considered Recognized Security Practices and many are included in the HICP recommended controls. However, if you have only assessed to the letter of the Security Rule, you have some work to do.

Want some help updating your HIPAA controls? Give us a call.