HIPAA Security Rule Update Aims to Strengthen Medical Device, Data Protections

The U.S. Department of Health and Human Services (HHS) hopes to strengthen the security of electronic protected health information (ePHI) with the most significant proposed update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in more than a decade. Should the new requirements go into effect later this year, they are expected to profoundly impact how healthcare delivery organizations manage and secure their connected medical devices.

Many healthcare industry watchers see the changes as constructive. Martin Fisher, managing partner at security advisory firm Kiraso Partners and longtime healthcare security executive, said that he sees the intent behind the proposed changes as a positive move to improve healthcare security, "but the potential implementation is going to be costly for smaller or less sophisticated healthcare providers, and will take time for larger providers to implement the requirements," Fisher said.

The proposed rules require encryption for all ePHI (there are limited exceptions), "reasonably appropriate" network segmentation, multi-factor authentication (MFA) for accessing ePHI, periodic penetration testing, and vulnerability scanning. Covered entities must also maintain an accurate inventory of all technology that stores or processes ePHI. Staff with access to ePHI whose employment ends must have their access terminated within an hour. HHS also plans to remove the regulatory distinction between "addressable" and "required" controls within the rule and other mandates.

"There will be challenges, especially for smaller healthcare providers and those with legacy medical equipment that is difficult to upgrade quickly."

—Michael Farnum

Michael Farnum, advisory CISO at technology services provider Trace3, agrees and adds he sees HHS guiding HIPAA away from a risk assessment-oriented regulation to a controls-focused regulation, such as NIST's Cybersecurity Framework. Farnum views mandating specific baseline security controls such as encryption and MFA as necessary to address increased security threats facing the healthcare industry. 

"There will be challenges, especially for smaller healthcare providers and those with legacy medical equipment that is difficult to upgrade quickly," he said. 

A Focus on Balancing Patient Care with Securing ePHI

Kurt Osburn, director of risk management and governance at NCC Group, a cybersecurity advisory firm, said the security of medical devices has been an imminent risk in healthcare for years. 

"Medical devices have had outdated and un-patchable operating systems and allow none of the cyber protections, but they are increasingly being added to the networks in hospitals, clinics, pharmacies," he added. "Network management is going to be required now, as will all addressable controls."

Many connected medical devices are built on legacy systems that may not easily accommodate new security protocols. Updating or replacing these devices can be costly and time-consuming, potentially leading to operational disruptions. CISOs must navigate these challenges while ensuring patient care is not compromised during the transition. Osburn added that hospitals will have to secure legacy devices behind with firewalls and network controls until they can be upgraded. 

"Many of them do not have any security protection for the modern environments they operate," Osburn said.

The proposed rule is open for public comment until March 7, 2025. Given the change in administration, the fate of this proposed rule remains uncertain, and it may be subject to revisions or withdrawal.

If finalized, entities will have 180 days to comply with the revised Security Rule. HHS estimates the first-year cost of compliance to be approximately $9 billion, with annual fees of $6 billion for years two through five.

"Many [medical devices] do not have any security protection for the modern environments they operate."
—Kurt Osburn

By mandating stricter encryption and authentication requirements, healthcare providers may face challenges in implementing these measures on older or legacy medical devices that lack the necessary technical capabilities. The new rules' emphasis on network segmentation and continuous monitoring could also strain resources, particularly for smaller healthcare organizations with limited IT staff. The shift from "addressable" to mandatory implementation specifications may also force rapid changes to existing security protocols, potentially disrupting critical medical device operations and patient care workflows. 

"Healthcare companies will face significant challenges if these rules move forward, especially when securing older medical devices with features like encryption and APIs. I hope there will be reasonable exceptions or guidance from regulators, but the true impact won't be known until the rules are enforced through audits," Fisher said.