
2024 – a pivotal point for health care sector cybersecurity reform

December 20, 2024

This year, federal policymakers have taken an increased interest in cybersecurity in the wake of the devastating cyberattack on Change Healthcare in March and other high-profile attacks on health care operating systems. The Advocacy Council continues to monitor congressional cybersecurity efforts as they relate to health care.

An Advocacy Insider article published in October highlighted a health care cybersecurity proposal introduced in the Senate. By and large, this proposal was seen to be difficult to implement and unnecessarily burdensome for allergy practices. This bill lacks bipartisan support and is unlikely to receive consideration by either the House or Senate.

However, Congress has remained dedicated to improving health care sector cybersecurity.

New bipartisan legislation, the Health Care Cybersecurity and Resiliency Act of 2024, introduced in the Senate on Nov. 25, would be less burdensome on medical practices. The bill includes policies that would directly impact medical practices by establishing new minimum cybersecurity standards for systems that handle PHI, such as multifactor authentication and encryption. However, it is largely focused on reforming how federal agencies respond to cyberattacks. For example, the bill aims to improve cybersecurity in the health care and public health sectors by mandating coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

It also requires HHS to develop a cybersecurity incident response plan, enhance breach reporting protocols, and establish minimum cybersecurity standards for HIPAA-covered entities and business associates. The bill emphasizes guidance and resources for rural entities and authorizes grants to support the adoption of cybersecurity best practices. These new standards would be accompanied by an audit program to ensure compliance.

The bill is now awaiting further action by the Senate Health, Education, Labor and Pensions (HELP) Committee and the House Energy and Commerce Committee. However, with the current Congress quickly approaching its conclusion, it is unlikely that Congress will consider and pass this bill before the end of the year. The bill, or specific provisions from the bill, could be reintroduced in the new Congress as it continues to prioritize health care cybersecurity.

HHS compliance audits are inadequate
Beyond this legislative proposal, there are other actions the government is taking on this matter.

For instance, the Office of Inspector General (OIG) conducted an audit of the Office of Civil Rights’ (OCR) HIPAA audit program to assess how effective the program has been in protecting electronic protected health information (ePHI). The program is designed to ensure compliance with the HIPAA Security Rule across HIPAA-covered entities and business associates. The OIG audit was conducted in response to the increase in cyberattacks targeting health care provider IT systems. In 2022, the OCR received 64,593 reported breaches affecting 42 million individuals, and the number of reported breaches increased between 2018 and 2022. As a result, the OIG raised concerns about the adequacy of OCR’s efforts to ensure compliance with the HIPAA Security Rule.

The OIG’s audit revealed that although OCR fulfilled its requirement under the HITECH Act to conduct periodic HIPAA audits, it did not assess a majority of the required protections and was too narrowly focused on assessing ePHI protections. The OCR’s audits only evaluated eight of the 180 elements in the audit protocol. Additionally, the OCR did not require audited entities to correct the identified deficiencies, failed to monitor the outcomes of its audits, and did not document the frequency of its HIPAA audits as of 2020.

The OIG has provided recommendations aimed at improving the effectiveness of the OCR’s HIPAA audit program. Recommendations include expanding the scope of audits to evaluate compliance with physical and technical safeguards under the HIPAA Security Rule, documenting and implementing processes that will ensure timely correction of deficiencies, and defining metrics to monitor the effectiveness of the OCR’s HIPAA audits.

New cybersecurity regulation expected soon
An OCR proposed rule updating the HIPAA Security Rule is expected before the end of the year. It is not known what will be included in this proposed regulation. It is also unclear if the incoming Trump administration will embrace what is proposed or seek to change (or withdraw) the proposed rule.

The end of 2024 continues to mark a pivotal point for health care sector cybersecurity reform. The Advocacy Council will continue to advocate for reasonable cybersecurity protections that protect allergy practices and patients without imposing excessive and unreasonable burdens on allergists.

The Advocacy Council – ADVOCATING FOR ALLERGISTS AND THEIR PATIENTS.
