
Proposed rule strengthens cyber protections


Kelly Grahovac

WASHINGTON – A new proposed rule related to electronic protected health information would enforce measures that HME providers should already be working toward in an environment of unrelenting cyberattacks, say industry consultants.

The Office for Civil Rights at the Department of Health and Human Services in late December issued a Notice of Proposed Rulemaking to modify the Health Insurance Portability and Accountability Act of 1996 Security Rule to strengthen cybersecurity protections for ePHI. Among the technical recommendations: Require encryption of ePHI at rest and in transit and require the use of multi-factor authentication. 

“Multi-factor authentication is something providers should be ready to put in place, and it’s probably one of the easier ones,” said Kelly Grahovac, general manager of the Atlanta-based van Halem Group. 

In all, the proposed rule contains about two dozen recommendations and clarifications for strengthening existing security standards, including removing the distinction between “required” and “addressable” implementation specifications and making all implementation specifications required with specific, limited exceptions. 

Grahovac recommends that providers, in addition to having a compliance plan in place, conduct regular security risk analyses and tests, including vulnerability scans. 

“There are a lot of things you assume your provider is doing but obviously they are not, or this wouldn’t be such a big deal,” she said. “It goes beyond just the technology to a lot of administrative safeguards that providers are going to have to put in place.” 

The backdrop for the new requirements, according to the OCR: a 102% increase in the number of large cyberattacks between 2018 and 2023, and the largest cyberattack in history in 2024 (Change Healthcare).

“Every time you turn around there’s another ransomware attack,” says Denise Leard, shareholder with Amarillo, Texas-based Brown & Fortunato. “It’s in the news and I think that’s really what’s driven this. Much more of our information is electronic now than it was five or 10 years ago, and you really need to make sure that you’ve done everything you need to protect that.” 

Big or small, providers are going to have to invest in cybersecurity, says Leard.

“This is going to have some cost, but really, we should have already been doing it,” she says. “In the long run, spending a little bit of money ahead of time to make sure you’re in compliance could save you a lot of money on the back end if you can prevent a breach.” 

