HHS Office for Civil Rights Proposes Significant Expansion of HIPAA Security Rule to Encompass Medical Devices

The latest updates to HIPAA serve as a crucial pulse check for IoMT security, raising the bar for healthcare organizations.

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a long-anticipated Notice of Proposed Rulemaking (NPRM). It expands the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and strengthens the electronic protected health information (ePHI) protections expected from US hospitals.

In HHS’s own words from the NPRM: “Most of the modifications we are proposing would provide regulated entities with greater clarity and specificity regarding how to fulfill their obligations and the Department’s expectations.”

This change is a big deal, as it addresses some of the key security issues in the connected medical device ecosystem.

The fact sheet is here and the current full text of the proposed changes is available and will be updated here. While HIPAA has been around since 1996 and can be updated up to once a year, substantial updates are few and far between. The most notable recent changes include the introduction of the HIPAA Privacy Rule and the Security Rule itself in 2003, new enforcement provisions in 2006, and the HITECH Act in 2009, which encouraged standardization to ease appropriate information sharing.

Historically, Notices of Proposed Rulemaking (NPRM) regarding HIPAA often closely mirror the final regulation. Understanding the proposal before the final regulation is enacted serves healthcare organizations well in preparing for future compliance. Asimily experts reviewed the 393-page document to summarize some of the most important takeaways for organizations that frequently work with medical devices and their cybersecurity.

The Crucial Implications for Medical Device Cybersecurity

With the proliferation of connected medical devices in healthcare, this NPRM incorporates clearer definitions of what medical devices need to be protected and how. Now, instead of just systems that ‘store’ ePHI, devices such as medical imaging modalities and patient health monitors that generate much of the ePHI will be expected to be protected. Quoting from the NPRM: “To protect the ePHI as required, a regulated entity must also protect the electronic information systems that create, receive, maintain, or transmit ePHI and the electronic information systems that otherwise affect the confidentiality, integrity, or availability of ePHI”, which includes medical devices, not just the servers and systems which receive their data.

For operators of medical devices (IoMT), protections become clearer and more stringent under this NPRM, including specific language around:

Risk & Threat Detection – The NPRM would define an organization’s cybersecurity risk more clearly, particularly in the context of risk analysis. It includes specific callouts to assess risk based on identified threats and vulnerabilities in terms of the likelihood of exploitation.

Incident Recovery – The definition of security incidents, both those that access ePHI and those that interfere with system function, would gain clarity. From the NPRM: “Incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.”

Asset Visibility – Accurate device inventory is addressed in the NPRM as well, specifically one that “maintain[s] an accurate and thorough written technology asset inventory and a network map of its electronic information systems and all technology assets that may affect the confidentiality, integrity, or availability of ePHI.”

Resiliency – The ability to restore function after a security event is explicitly listed as a goal for healthcare organizations. From the notice: “Thus, the Department proposes to require a regulated entity to consider the ability of its implementation of a particular security measure to aid it in preventing, withstanding, and recovering from an emergency or other occurrence that affects the confidentiality, integrity, or availability of ePHI, including a successful security incident.”

Anomaly Detection – Information system activity reviews, specifically in terms of anomalous behavior, would need to be documented and conducted with a specified frequency.

System and Device Configuration – Configurations would need to have a security baseline “for each relevant electronic information system and technology asset in its relevant electronic information systems and to maintain such information systems and technology assets according to those secure baselines” according to the NPRM.

Device Patching – Patching becomes more important, as some requirements for implementation of multi-factor authentication (MFA) would trigger based on the date of a device’s approval (relative to the March 29, 2023, FDA updated guidelines) and whether it has had appropriate patches implemented or not.

Vulnerability Scanning – Perhaps borrowing a page from PCI-DSS, vulnerability scanning (for known vulnerabilities or missed patches) would have to occur no less frequently than every six months.
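As an added illustration (not code from the NPRM or from Asimily), the following script turns the inventory, baseline, patching, MFA and scan-cadence items above into a check that runs over a constructed device inventory. The six-month interval of 182 days and the rule that devices cleared after the FDA guidance date are expected to enforce MFA are assumed simplifications; the actual MFA trigger also depends on patch status.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

FDA_GUIDANCE_DATE = date(2023, 3, 29)   # FDA guidance date quoted in the post
SCAN_INTERVAL = timedelta(days=182)     # assumed reading of "no less than every six months"

@dataclass
class Asset:
    name: str
    network_segment: Optional[str]      # None = absent from the network map
    baseline_documented: bool           # secure configuration baseline on file
    last_vuln_scan: Optional[date]      # None = never scanned
    fda_clearance_date: Optional[date]  # None = no dated clearance on file
    patches_current: bool
    mfa_enforced: bool

def check_asset(asset: Asset, today: date) -> List[str]:
    """Return the gaps this record shows against the items listed above."""
    findings = []
    if not asset.network_segment:
        findings.append("missing from network map")
    if not asset.baseline_documented:
        findings.append("no secure configuration baseline")
    if asset.last_vuln_scan is None or today - asset.last_vuln_scan > SCAN_INTERVAL:
        findings.append("no vulnerability scan within six months")
    if not asset.patches_current:
        findings.append("patches not current")
    # Assumption: devices cleared after the FDA guidance date are treated as
    # expected to enforce MFA; the real trigger also depends on patch status.
    if (asset.fda_clearance_date is not None
            and asset.fda_clearance_date > FDA_GUIDANCE_DATE
            and not asset.mfa_enforced):
        findings.append("MFA not enforced on post-guidance device")
    return findings

def audit(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each asset name to its findings; an empty list means no gaps found."""
    return {a.name: check_asset(a, today) for a in assets}

# Constructed sample inventory (hypothetical devices, not real records)
SAMPLE_INVENTORY = [
    Asset("ct-scanner-1", "imaging-vlan", True, date(2024, 10, 1), date(2023, 6, 1), True, True),
    Asset("infusion-pump-7", None, False, date(2024, 5, 1), date(2018, 2, 14), False, False),
    Asset("patient-monitor-3", "icu-vlan", True, None, date(2024, 2, 10), True, False),
]
AUDIT_DATE = date(2025, 1, 15)

def sample_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)

if __name__ == "__main__":
    for name, gaps in sample_audit().items():
        print(f"{name}: {', '.join(gaps) or 'no gaps'}")
```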

In addition, there are numerous administrative, auditing, and documentation changes rounding out this significant update to the current state of HIPAA. Clarifications and some small exceptions are made for corner cases that have come up for HHS, such as when a patch harms the confidentiality of ePHI or when physical protections provide substantial cybersecurity protection as a side benefit. Testing becomes an expected part of good cybersecurity practice. Even quantum computing’s potential cybersecurity risks are considered.

Going into 2025, regulatory bodies are echoing the clear need for better cybersecurity in healthcare. They’re also doing what only a government body can do: de-risk and lower implementation costs for covered entities by being explicit and clear. Throughout the proposed rules, it is clear that the authors understood the challenges of implementing additional requirements and sought balance for the needs of different groups, such as large and small hospitals. Further, there is an acceptance of the incredible heterogeneity of the assets to be more strongly regulated by the Security Rule, from legacy devices with no updates and only external compensating controls to the most modern devices explicitly covered by the post-March 29, 2023 FDA guidelines.

At its core, this notice showcases a new normal for the breadth and depth of cybersecurity scrutiny organizations should prepare for to truly reduce risk and remain compliant. The painful lack of cybersecurity in IoT and IoMT underpins the reality that most organizations cannot expect to meet these requirements without a trusted partner securing their device ecosystem. Asimily was built specifically to meet these major requirements, with specific capabilities that address these core changes. 

To learn more about how Asimily works to address each of these challenges in your unique organization, please request a meeting with one of our experts.
