In our earlier post, we wrote:

“Through December 20, 2024, 575 security incidents involving unsecured protected health information affecting 500 or more individuals had been reported to Health and Human Services. Through the same date in 2023, 265 incidents had been reported. On December 27, 2024, the Office of Civil Rights at HHS issued a Notice of Proposed Rulemaking to modify the HIPAA Security Rule. In addition, healthcare cybersecurity legislation seems likely, if not almost certain, in 2025.”

An update to the HIPAA Security Rule – last updated in January 2013 – is probably long overdue. The World Economic Forum’s Global Cybersecurity Outlook 2025 report found that “Cyberspace is more complex and challenging than ever due to rapid technological advancements, growing cybercriminal sophistication, and deeply interconnected supply chains.” To keep pace with these changes, security rules and other legislation must evolve. Comments on the Notice of Proposed Rulemaking regarding the Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information (Proposed Rule) are due on March 7, 2025; as of January 12, 2025, seventeen comments have been published on Regulations.gov.

The proposed changes can be conceptualized in a few ways. First, the current regulations distinguish between required and addressable implementation specifications for the standards in the Security Rule. Addressable does not mean optional; it means that if a covered entity or a business associate chooses not to implement the specified control, the organization must document how it otherwise effectively addresses the corresponding risk. Encryption is probably the best-known addressable specification. As an example, a covered entity or business associate could decide not to implement whole-disk encryption on a device that is air-gapped (no network interface with any other devices, whether internal or via the Internet) and physically secured. However, even with strong physical security controls in place, there’s still a risk that data on the unencrypted device could be accessed as the result of a physical break-in and theft, or if the device is not properly sanitized when it’s retired or replaced. The proposed update to the Security Rule removes the distinction between required and addressable specifications – now detailing the controls required to achieve compliance. Under the new proposed rules, encryption would be mandatory, subject to limited exceptions (which, depending on the comments received, may become a bit broader).

Second, new, required standards (e.g., patch management) and specifications (multi-factor authentication, network segmentation, closing unused ports, anti-malware protection, vulnerability scanning, monitoring, and penetration testing) are introduced. Some, if not many, of these standards and specifications have already been implemented by covered entities and business associates. For those, implementation of the Proposed Rule would have an incremental impact; the question would be the extent to which the current implementation, or review cadence, differs from the proposed rules. For others, especially smaller covered entities and business associates, the impact would be more profound. These organizations are unlikely to have the in-house expertise necessary to digest and implement the new requirements, increasing the risk of non-compliance.

This, then, brings us to the third way to conceptualize the new proposed changes: cost. The Proposed Rule contains, as it must, an explanation of the New Burdens Resulting from Program Changes. For example, the projected burden for each regulated entity to conduct penetration testing is estimated at three hours. While automated penetration testing solutions could potentially provide very basic external reporting in that timeframe, in our experience, thorough penetration testing conducted by a credible external cybersecurity firm – or as defined in the proposed implementation specification, “by qualified person(s)” – is typically a multi-day exercise that can take weeks to finalize, at considerable cost to the regulated entity. Clarity on the format and degree of penetration testing required to meet this new specification will be necessary to ensure compliance. New federal funding does not appear to be available to offset the costs associated with the new standards and specifications.

While additional security measures will help reduce the risk and impact of a cybersecurity incident, they do not and cannot reduce the risk to zero. Thus, a regulated entity may be fully compliant with the Proposed Rule, but still suffer a cybersecurity event and bear the related response and recovery costs, including the risk of privacy class action litigation.

We will continue to track the Proposed Rule, and we will report on the final Security Rule. In the meantime, we recommend that regulated entities of any size review their information security and cybersecurity plans and budgets and determine whether creating and implementing a more comprehensive cybersecurity program, likely through a combination of internal and external resources, may be necessary.