Why the HIPAA Security Rule Needs Updating

The HIPAA Security Rule, which was written years ago before the emergence of sophisticated cyberthreats, is in urgent need of an update, says security expert Tom Walsh.

"It really needs to be modernized for all the issues we're dealing with, and they're coming at us fast and furious," says Walsh, president and founder of the security consulting firm tw-Security. "Regulations always lag what's going on in the trends, as well as the attacks and breaches. We really need to get the HIPAA Security Rule modernized as soon as possible."

In an interview with Information Security Media Group, Walsh says that the Department of Health and Human Services' Office for Civil Rights, which is responsible for HIPAA enforcement, is reportedly considering updating the security rule "because they now understand some of the risks with cloud computing, mobile devices - technologies that weren't even around in 1998 when the first proposed security rule came out."

OCR did not immediately respond to ISMG's request for comment on whether it's planning to update the rule.

Walsh argues that the regulation needs to reflect the technologies used today to access protected health information. "There's nothing in [the rule] about mobile devices. It just talks about device and media controls, but it's so vague that it's open for interpretation. So we have some specific threats that are not being addressed in the HIPAA Security Rule. I'm hoping to see more controls surrounding endpoint security in particular."

Updating the rule would also push more compliance-minded healthcare providers, especially physicians' offices and business associates, to step up their security efforts, he says. "Unless we can specifically prove where it is written as a requirement in a rule, they're not going to do it. They're doing the minimum they feel that they need to do. Some of it's driven by economics and some is because they just don't want to have to do more work."

Glimmers of Progress

Nevertheless, this past year was a turning point for data security awareness in the healthcare sector because of the string of massive cyberattacks that were revealed, Walsh notes.

That includes cyberattacks on health plans Anthem Inc., affecting 78.8 million individuals, and Premera Blue Cross, which affected 11 million individuals.

"The biggest progress we've seen in information security in the healthcare sector this year has been information security becoming a board issue," he says. "It was never really an issue we could even raise to senior leadership at hospitals, and now it's becoming a board issue. So we see senior leaders' attention, which we haven't seen in a long time."

In the interview, Walsh also discusses:

• His predictions about health data breach and other cyber trends for 2016;
• His advice for covered entities and business associates on how to prepare for the next round of HIPAA compliance audits that OCR officials say will launch in 2016;
• The importance of having comprehensive incident response and disaster recovery plans.

Walsh is founder and president of tw-Security, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies. He has more than 22 years of information security experience. Walsh is also a frequent healthcare industry speaker and is the authors of four books on healthcare information security.