Rising cyberthreats have driven a wave of data protection law over the past few years, including the GDPR and the CCPA, and have pushed regulators to update older regimes such as HIPAA, which dates from 1996.

These laws are designed to protect your data and give you the right to know what is being done with it and for what purposes. This article focuses on HIPAA and a proposed amendment to its Security Rule.

What Is the New Amendment?

The proposal is officially titled “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information.” It is a Notice of Proposed Rulemaking (NPRM), which means it is a proposed rule open to public comment, not yet a final, enforceable amendment. The HHS Office for Civil Rights (OCR) announced it on December 27, 2024, and it was published in the Federal Register on January 6, 2025. If finalized, it would require the following regulated entities to adopt stricter controls:

  • Health plans (including health insurers)
  • Health care clearinghouses
  • Health care providers
  • Business associates that create, receive, maintain, or transmit ePHI on behalf of the above

OCR's stated motivation is the sharp rise in hacking and ransomware attacks on the healthcare sector. The OCR fact sheet accompanying the proposal cites the following figures:

  • Reports of large breaches (those affecting 500 or more individuals) by regulated entities increased by 102% from 2018 to 2023.
  • The number of individuals affected by those breaches increased by 1002% over the same period, with a record of more than 167 million people affected in 2023.
  • Since 2019, the number of ransomware attacks on the healthcare industry has increased by 102%.

What the Amendment Covers

The proposed rule would make the following changes to the Security Rule, among others:

  • Remove the distinction between “required” and “addressable” implementation specifications, so that every specification is required, with only narrow, documented exceptions.
  • Require encryption of ePHI both at rest and in transit, and multi-factor authentication for access to ePHI systems, each subject to limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses, reviewed and updated on a regular basis.
  • Require technical controls against threats from both outside and inside the organization, including anti-malware protection, removal of unneeded software, disabling of unused network ports, and network segmentation.
  • Require a written technology asset inventory and a network map showing how ePHI moves through the entity's electronic information systems, reviewed and updated at least every 12 months and whenever the environment or operations change.
  • Require a more detailed written risk analysis that identifies reasonably anticipated threats and vulnerabilities and assigns each a risk level, reviewed at least every 12 months. Established frameworks such as those published by NIST can be used to structure this analysis.
  • Require written security incident response, contingency, and disaster recovery plans, including procedures to restore certain relevant electronic information systems and data within 72 hours, with the plans tested and revised at least every 12 months.
  • Require written patch-management procedures, with patches for critical risks applied within 15 calendar days and for high risks within 30 calendar days.
  • Require vulnerability scanning at least once every six months and penetration testing at least once every 12 months.
  • Require a compliance audit at least every 12 months. Non-compliance remains subject to OCR investigation and civil monetary penalties.

For more details on the proposal, see OCR's official HIPAA Security Rule NPRM fact sheet.

Conclusions

Since this rule is still a proposal, the healthcare industry is working to understand its provisions and prepare for the final version. We are here to help you understand it and strengthen your security defenses so that you are ready for full compliance. Contact us today.

You can read the full text of the proposed rule in the Federal Register here: https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information