January 15, 2025: Kate Gamble is joined by Sarah Richardson to delve into the HHS-proposed updates to the HIPAA security rule, a move that promises to reshape healthcare cybersecurity. How will clarified security requirements, mandatory risk analyses, and technology inventories redefine the way healthcare organizations protect sensitive data?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today in Health IT, we're discussing HHS proposes HIPAA update to boost healthcare cybersecurity. My name is Kate Gamble.
I'm Managing Editor at This Week Health, where we host a set of channels and events dedicated to transforming healthcare, one connection at a time. I've been interviewing CXOs for more than a decade, and I'm thrilled to bring that experience into this community. Today's episode is brought to you by Chrome OS.
Imagine a healthcare system where technology works seamlessly in the background, keeping your data secure, your teams connected, and your patients at the center of care. Visit thisweekhealth.com to learn more. So today we're talking about HHS proposing a HIPAA update to boost healthcare cybersecurity. And I'm joined by Sarah Richardson, President of This Week Health 229 Executive Development Community.
Sarah, thank you for being here. Always good to be with you, Kate. So let's get into it. We're cybersecurity right out of the gate. HHS has proposed an update to the HIPAA security rule to enhance cybersecurity measures within the healthcare sector. This was very hotly anticipated, and it's going to have a lot of implications.
So some of the key aspects of the proposal include clarified security requirements, which will provide more specific instructions on securing electronic health data, along with mandatory written policies with regular reviews, testing, and updates; a technology asset inventory, including a network map detailing the movement of protected health information; risk analysis enhancements; and the implementation of multi-factor authentication. So a lot here to digest, but let's start with why this is so important.
Thank you for bringing this one up. And obviously we source content together, which is one of the fantastic things about the collaboration we have here at This Week Health. This one's been coming for a long time. There's been a lot of conversation about what it's going to mean. But what you mentioned in the beginning is, hey, we're kicking off the new year.
And of course, it's about cybersecurity. Let's be honest, it's always about cybersecurity. And with the key aspects of this proposal, if you can address some of the ambiguities in the current regulations, they talk about making sure you have written security policies, regular reviews, testing, et cetera.
Organizations that have robust cybersecurity programs are already doing this. For those that struggle to get some of the support, potentially, or the funding that they need, this is an added layer of, hopefully, effectiveness that gets included. You've got all of your technology asset inventory capabilities.
And that ongoing risk analysis, the thinking, the what if scenarios, the inventory, your network map, threats, vulnerabilities, truly understanding where things are. And if you've ever had the task of mapping your network and mapping your application connections to everything in your org, this is why you'll always hear me go back to please have an enterprise architect, have that be their job and have them always be working with your security team.
And my goodness, if you are not using MFA, I appreciate that probably for several decades, we've been having these conversations, especially with physician and clinician workflows. And yes, I understand MFA should be a little bit of everywhere. So if you can get in front of your enhanced compliance obligations, you can access and get the allocated resources as needed, even if you're contracting or using a partner to do that.
And we have partners that do those fractional support roles in these cyber opportunities for you. Then you make the necessary operational adjustments and you're super proactive in risk management. If you go in with the lens of two things, we've always learned from Drex about being a little paranoid.
Assume the bad guys are already there, or are going to get in there pretty easily through a human, then what does that mean for the continuity of operations and the things that you need to be considering?
Yeah, it's always good to shout out Drex, who covers cybersecurity so thoroughly for us.
ng how much has changed since: So we know that this is huge, but there are so many other aspects of this that we need to get into. We have to think about the impact this has on small to mid-sized healthcare providers and how these resource-constrained organizations can effectively implement enhanced security measures without compromising operational efficiency.
We have to think about balancing security with usability. You talked about MFA, and there need to be strategies to implement robust security like MFA while maintaining user-friendly systems for healthcare professionals. And of course, training and awareness. It highlights the importance of staff training in recognizing and preventing cyber threats and ensuring that human factors don't become the weakest link in cybersecurity defenses.
I would say, too, when you consider what it means to future-proof your security measures, explore how your organization can design adaptable security frameworks that can evolve with emerging technologies and threat landscapes. It's a mouthful if you're going to the board. Simplify it into saying, if we do these things, we are more prepared for this.
So if this, then that, and what happens when these things could occur. And then it goes back to the whole compliance versus innovation. What are the potential challenges and opportunities that may arise when you're striving to meet the stringent security regulations while fostering technological innovation in healthcare?
I have worked in organizations where we say, that's a great idea, yet so-and-so is not on board, or it's going to be too hard because of a security perspective. When you get creative about working with your security and compliance teams to make something happen, the first question is, is it the right thing to do for our patients and our providers?
That answer is yes. And let's just assume that your partner checks all the boxes to be a good partner from a security fabric perspective, then figure out how to do it in your org. And anytime there are roadblocks because of process, change the process, think about a new way to do it. And I literally have gone rounds and rounds in organizations to make sure we had the right technology.
That was best of breed in the industry to solve a problem we had. And what's fascinating is sometimes you think, Kate, the bigger the organization, the more complicated it is to solve. Actually, not what I've experienced in my career. Sometimes smaller organizations have a harder time because, back to that resource allocation issue, you have one person doing five jobs.
So if that one person doing five jobs has to change one component of that widget in their universe, maybe they don't want to. Maybe it makes it even harder to figure out new ways to do things. So never assume that a big company can't make incremental changes needed. Sometimes it can be harder in the smaller orgs.
And so universally, the ability to be adaptive and think about creative ways to really get ahead of and be in lockstep with these new proposals in the HIPAA update. What an opportunity to reset some of the expectations and experiences you've had in your organizations, let's just say over the last decade, since that was the last time the rule was updated.
Yeah, really good points. And when I heard the word ambiguity before, it just made me think it shouldn't be in there. There should be no ambiguity. This should be clear. So hopefully, these regulations or this recommendation, it's a long time coming. Hopefully, it will provide some clarity and some guardrails for how to protect data.
In what's become an increasingly complex environment, as we always hear, cyber safety is patient safety. So this is extremely important, and I'm going to do a shameless plug, but I encourage you to listen to Drex DeFord's Two Minute Drill, listen to his Unhack the News. He always has resources and the information that you need to stay on top of this.
Could not agree more. Don't forget to share this podcast with a friend or colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. They can subscribe wherever you listen to podcasts. Sarah, thank you for joining, and thanks to everyone for listening.
That's a wrap.