The HIPAA security rule made its debut 20 years ago, and it's time for a refresh to reflect the changing cyberthreat landscape and technological evolution that's taken place over the past two decades, says security expert Tom Walsh.
The Department of Health and Human Services issued the proposed HIPAA security rule on Aug. 12, 1998. The final rule was published more than four years later, in February 2003.
"The rule itself is heavily weighted toward compliance things that are evidence-based, which would be policies, procedures, plans and other forms of documents," Walsh says in an interview with Information Security Media Group.
But, "as far as I know, no hackers have ever been thwarted by a set of well-written policies," he says.
"We need to take another look at the security rule to see what areas we can beef up, and in particular, the areas of technical safeguards."
For instance, "when the rule came out, we didn't have mobile phones in the sense we have today - back then they were just cellular phones ... and texting wasn't even around. Cloud in 1998 were white puffy things in the sky, not a place to store data."
So revising the rule -"or at least providing some better guidance" - is critical, he says.
However, part of the challenge in updating the HIPAA Security Rule's technical controls is that the federal government "tries to be technology neutral," he says.
"When you start specifying controls, you have to be very careful not to specify a particular technology that would make or break a particular vendor."
By contrast, "the Payment Card Industry Security Data Standard has a lot of technical requirements. So I think it is feasible [for regulators] to write something generic enough - but be a little more specific - when it comes to today's technology."
In the interview, Walsh also discusses:
- How many covered entities and business associates are finally moving beyond compliance-minded strategies and are implementing more robust "cybersecurity strategies;
- Security technologies that are most underutilized by healthcare sector entities;
- Why he thinks insiders are the top security threat facing healthcare organizations;
- Why HHS should consider broadening the type of sensitive data covered under HIPAA as federal regulators also hammer out potential changes to the HIPAA privacy rule, as called for under provisions in the 21st Century Cures Act.
Walsh is founder and managing partner of tw-Security, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies. He has more than 25 years of information security experience. Walsh is also a frequent speaker at healthcare industry events and is the author of several books on healthcare information security.