Citing a dramatic increase in large health data breaches, DHHS has issued a notice of proposed rulemaking for modifications to the HIPAA Security Rule to enhance cyber security protections for electronic protected health information (ePHI). Some of the major proposed changes include:
- new definition for "electronic information system"
- new definition for "multi-factor authentication" and adding an MFA mandate
- new standards for updating technology asset inventories and network maps illustrating movement of ePHI
- for physical safeguards, removing the distinction between "required" and "addressable" implementation specifications
The rule updates are intended to bolster the resilience of healthcare providers against ongoing cyber attacks. The proposed rule is open for comment until March 7, 2025.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.