Cybersecurity May Be OCR’s New Year’s Resolution
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) appears to have made cybersecurity its New Year’s resolution. The first few weeks of 2025 have already brought with them proposed amendments to the HIPAA Security Rule and five enforcement actions alleging inadequate risk analyses.
Proposed Rulemaking to the HIPAA Security Rule
On January 6, 2025, OCR published a notice of proposed rulemaking to modify HIPAA’s Security Rule. OCR described the proposed rule as intended to address common deficiencies; better protect the confidentiality, integrity, and availability of electronic protected health information (ePHI); and address technological changes since the Security Rule’s last revision in 2013. OCR stressed the increased role of technology in modern health care, the risks posed by artificial intelligence, and the rising costs of data breaches, which have increased by more than 50% since 2020 to an average cost of almost $10.1 million per breach. It cited sobering statistics that between 2018 and 2023, the number of breaches of unsecured protected health information increased by 100% and the number of individuals affected by breaches increased by 950%.
The proposed rule, in notable part:
- Removes the distinction between “addressable” and “required” implementation specifications to clarify that the Security Rule’s flexibility does not make compliance optional.
- Explicitly requires risk analysis practices that many health care entities may already have in place, including:
  - Maintaining a written technology asset inventory and network map;
  - Implementing a written risk management plan for reducing risks to ePHI;
  - Implementing written policies and procedures for applying patches, updating configurations, controlling access to ePHI, and sanctioning workforce members who fail to comply with security policies and procedures;
  - Ensuring suspicious activity is identified quickly;
  - Identifying in writing the security official responsible for the establishment and implementation of cybersecurity policies and procedures;
  - Implementing technical controls and written policies and procedures ensuring that workforce members have appropriate access controls;
  - Regularly training workforce members on threats to ePHI, how to use technology, and the specific procedures workforce members must follow to protect ePHI;
  - Utilizing technical access controls, segmentation, encryption, multifactor authentication, and data backup systems; and
  - Conducting vulnerability scanning no less than once every six months.
- Provides a more specific risk analysis standard, including the following implementation specifications:
  - Review the technology asset inventory and the network map;
  - Identify all reasonably anticipated threats, potential vulnerabilities, and predisposing conditions;
  - Create an assessment and documentation of security measures in use;
  - Make a reasonable determination of the likelihood and impact of each identified threat;
  - Create an assessment of risk level for each identified threat and vulnerability; and
  - Create an assessment of risks to ePHI by entering into or continuing a business associate agreement or other written arrangement with any prospective or current business associate.
Comments on the proposed rule are due by March 7, 2025, and its effective date would be 60 days after publication, after which regulated entities would have 180 days to comply.
2025 Cybersecurity Enforcement Actions Regarding Risk Analysis
Although the new year has just begun, OCR has already announced five enforcement actions. In every instance, the entities involved were victimized by criminals whose attacks resulted in a data breach of ePHI, and OCR alleged that the covered entities had failed to conduct sufficient risk analyses. The settlements included corrective actions, ongoing monitoring, and settlement payments ranging from $10,000 to $3 million. These actions are a stark reminder to health care entities of the importance of risk assessments and the value of proactive cybersecurity readiness.