HIPAA New Rules – What You Need to Know


HIPAA new rules are on the way in what looks to be a direct response to rising cybercrime attacks on the American healthcare sector. The HIPAA Security Rule was first released in 2003 and last revised in 2013, so an update is overdue, given that technology and cybersecurity have moved on hugely since then.

From 2018-2023, hacking and ransomware attacks targeting healthcare providers were responsible for a doubling of large data breaches (those affecting 500 people or more) and a tenfold increase in the number of people affected—over 167 million patients. In 2024, the average cost of a breach was $9.77 million, the highest of any industry.

This is driven by the high potential value of stolen patient records to ransomware gangs.

Healthcare records command a high price on the black market, with a single record potentially selling for $250. This is significantly more valuable than other types of personal information, such as credit card data.

Ransom Demands

Ransomware gangs have made substantial demands from healthcare organizations:

  • Ransom amounts have varied from $4,000 to $10 million.
  • From January to October 2023, the estimated total ransom demanded from U.S. healthcare organizations reached $137.3 million.
  • The average ransom demand in 2024 was $1.5 million. The Change Healthcare breach in February 2024 affected approximately 100 million individuals’ records. UnitedHealth Group reportedly paid $22 million in an attempt to recover data from this attack.

Reasons for High Value

Healthcare records are particularly valuable because:

  • They contain comprehensive personal data, including Social Security numbers, financial information, and medical histories.
  • The information can be used for various fraudulent activities, such as identity theft, obtaining medical services, and filing false tax returns.
  • Misuse of healthcare data is harder to detect compared to financial fraud, allowing criminals to exploit the information for longer periods.
  • Healthcare organizations are more likely to pay ransoms, with 61% paying to retrieve decryption keys—almost 20% higher than the global average.
  • The high value of healthcare records has led to a significant increase in attacks, with one cybersecurity firm reporting 44 healthcare-targeted ransomware incidents in just one month following the Change Healthcare attack.

Mindful of the increase in breaches affecting 500 or more patients, the cost to businesses, and the potentially deadly consequences of these large-scale disruptions to medical care, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is proposing HIPAA new rules to keep electronic patient records safer. All covered entities and their business associates that handle electronic protected health information (ePHI) will be required to meet the rules, but providers using Reflectiz will already have many of them covered.

This is good to know because the maximum penalty for violating HIPAA new rules is currently $635,581 per incident, up to a maximum of $2,134,831 per violation category per year!

A near-400-page Notice of Proposed Rulemaking (NPRM) called The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information was published on January 6, 2025, marking the start of the 60-day public consultation period. After review and consideration, and once HHS publishes the final rule in the Federal Register, the HIPAA new rules will go live (assuming the new administration agrees).

HIPAA New Rules and Reflectiz

The consultation document contains many HIPAA new rules. In this section, we look at some of those that Reflectiz can help organizations to meet. We’ve taken these from examples mentioned here by the HHS, so it seems reasonable to anticipate that the final wording will be close to these examples:

Removal of the word “addressable.”

The OCR looked into HIPAA compliance across the healthcare industry and found that requirements were being applied inconsistently. Some providers interpreted the word “addressable” to mean “optional” while others didn’t. To remove doubt, security measures to be implemented under HIPAA new rules are now described as “required” (apart from some limited exceptions).

An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

This requirement could almost be a description of what the Reflectiz exposure rating tool does. This dynamic grading system identifies risks to a website based on how it is structured and what first, third, and fourth-party applications and domains it connects to.

The term “dynamic” applies because the tool considers the risk level of each vulnerability in context, i.e., the same component may be rated differently on different parts of the site.

For example, the tool will assign a higher risk level to a tracking pixel embedded in a payment page compared to one embedded in a page that only contains static text, because there is more scope for it to steal lucrative patient billing information from the payment page. It summarizes its current findings as a grade on an A-F scale, and since Reflectiz gathers similar information from industry peers, it’s ideal for benchmarking purposes.

Remove extraneous software from relevant electronic information systems.

Reflectiz onboarding begins with a comprehensive mapping of the customer’s entire web infrastructure, which it then regularly updates. Once it has established an inventory of every connected digital asset and domain, and once the user has established the baseline behaviors they consider to be acceptable, the system prioritizes warnings about those that present the greatest risk in line with the organization’s risk appetite.

For instance, the business may consider tracking pixels to be indispensable for marketing and analytics purposes. It considers six per page to be the acceptable limit, but Reflectiz reports that it is using eight, so it can meet this requirement under the HIPAA new rules by removing two.
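The two ideas described above, a context-dependent risk grade for each third-party component and a per-page inventory checked against a declared baseline, can be illustrated with a small script. This is an added example, not Reflectiz code or a description of its scoring; the pages, hosts, sensitivity levels, component weights and baseline values (including the two-pixel limit) are constructed for the example.

```python
"""
Added example, not Reflectiz code: a per-page inventory of third-party
components checked against a declared baseline, plus a risk grade that
depends on the sensitivity of the page a component appears on.
All pages, hosts, weights and baseline values are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed crawl results: page URL -> components found on it as (kind, host).
SITE_INVENTORY = {
    "https://clinic.example/billing/pay": [
        ("script", "static.clinic.example"),
        ("pixel", "ads.tracker-one.example"),
        ("pixel", "ads.tracker-two.example"),
        ("pixel", "ads.tracker-three.example"),
    ],
    "https://clinic.example/about": [
        ("pixel", "ads.tracker-one.example"),
        ("script", "static.clinic.example"),
    ],
}

# Hypothetical baseline the organisation has declared acceptable.
BASELINE = {
    "first_party_suffix": "clinic.example",
    "approved_third_party": {"ads.tracker-one.example"},
    "max_pixels_per_page": 2,
}

# Page sensitivity: 3 = handles billing or patient data, 1 = static content.
SENSITIVE_PATHS = [
    (re.compile(r"^/(billing|pay)"), 3),
    (re.compile(r"^/(portal|records)"), 3),
    (re.compile(r"^/appointments"), 2),
]
# How much access a component kind has to the page (assumed weights).
COMPONENT_WEIGHT = {"script": 3, "iframe": 3, "pixel": 2, "cookie": 1}


def page_sensitivity(page_url):
    path = urlparse(page_url).path
    for pattern, level in SENSITIVE_PATHS:
        if pattern.match(path):
            return level
    return 1


def component_risk(kind, host, page_url, baseline=BASELINE):
    """Risk for one component in the context of the page it appears on.

    The same tracker scores higher on a payment page than on a static page,
    and an unapproved third party scores higher than an approved one.
    """
    suffix = baseline["first_party_suffix"]
    if host == suffix or host.endswith("." + suffix):
        return 0  # first-party resource, not a third-party exposure
    weight = COMPONENT_WEIGHT.get(kind, 2)
    if host not in baseline["approved_third_party"]:
        weight += 1  # unknown third party: nobody has vetted it
    return weight * page_sensitivity(page_url)


def grade(score):
    """Map the worst component score on a page to an A-F letter."""
    for threshold, letter in ((1, "A"), (3, "B"), (6, "C"), (9, "D")):
        if score <= threshold:
            return letter
    return "F"


def assess_page(page_url, components, baseline=BASELINE):
    scored = [(kind, host, component_risk(kind, host, page_url, baseline))
              for kind, host in components]
    pixels = sum(1 for kind, _ in components if kind == "pixel")
    return {
        "grade": grade(max((s for _, _, s in scored), default=0)),
        # Pixels beyond the agreed limit are candidates for removal.
        "excess_pixels": max(0, pixels - baseline["max_pixels_per_page"]),
        "findings": sorted(scored, key=lambda f: -f[2]),
    }


def assess_site(inventory, baseline=BASELINE):
    return {url: assess_page(url, comps, baseline)
            for url, comps in inventory.items()}


if __name__ == "__main__":
    for url, result in assess_site(SITE_INVENTORY).items():
        print(url, result["grade"], "excess pixels:", result["excess_pixels"])
        for kind, host, score in result["findings"]:
            print("   ", score, kind, host)
```

Running it grades the constructed payment page D (three pixels, two of them unapproved, on a page that handles billing data, and one pixel over the baseline) while the same approved pixel on the static page only yields a B. The grade is driven by the worst component rather than the sum so that adding many harmless resources cannot dilute one serious finding.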

Regulated entities must conduct a compliance audit at least once every 12 months to ensure their compliance with the HIPAA new rules.

OCR investigations revealed a few common deficiencies. One of them was that organizations were applying risk assessments inconsistently. To remedy this, they will need to ensure that they are regularly assessing risks in line with the requirements, and they will need to show that they’re doing this once a year.

Reflectiz users will benefit from the platform’s ability to generate reports on identified risks and show how the organization responded to them. This will help them to demonstrate their compliance. It’s been estimated that the cost of implementing the updated Security Rule will be $15 billion over five years. It isn’t clear what proportion of that expense will fall on the shoulders of healthcare organizations, but a security solution that makes reporting easier and cheaper will no doubt be welcome.

Develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.

The system revises the digital asset inventory and network map on an ongoing basis, alerting users when apps try to access such sensitive information or forward it to suspicious domains.
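As an added illustration of what keeping a network map of ePHI movement looks like in practice (example code, not Reflectiz’s own), the script below compares observed outbound requests from pages of a hypothetical healthcare site against a recorded map of approved destinations. It flags requests that carry ePHI-like fields to any third party and destinations that are missing from the map, which is exactly the kind of drift that should trigger a map revision. All hosts, page paths, field names and request records are constructed.

```python
"""
Added example, not Reflectiz code: reviewing observed outbound requests from
a healthcare site against a recorded network map of approved ePHI flows.
All hosts, pages, field names and requests below are constructed.
"""
from urllib.parse import urlparse, parse_qs

FIRST_PARTY_SUFFIX = "clinic.example"  # assumed first-party domain

# Recorded network map (assumption): destination hosts each class of page
# is allowed to send data to.
APPROVED_FLOWS = {
    "records": {"api.clinic.example", "analytics.approved.example"},
    "billing": {"api.clinic.example", "js.payments.example"},
    "static": {"api.clinic.example", "analytics.approved.example",
               "ads.tracker-one.example"},
}

# Parameter names whose presence suggests a request carries ePHI.
EPHI_FIELDS = {"ssn", "mrn", "dob", "diagnosis", "patient_id", "insurance_id"}

# Constructed observations, e.g. from a monitoring agent or CSP reports:
# (page URL the request came from, request URL, request body).
OBSERVED_REQUESTS = [
    ("https://clinic.example/records/123",
     "https://api.clinic.example/records/123", ""),
    ("https://clinic.example/records/123",
     "https://analytics.approved.example/collect", "event=view&mrn=123456"),
    ("https://clinic.example/records/123",
     "https://cdn.unknown-widget.example/beacon.gif?dob=1980-01-01&u=42", ""),
    ("https://clinic.example/about",
     "https://ads.tracker-one.example/px.gif", ""),
]


def classify_page(page_url):
    path = urlparse(page_url).path
    if path.startswith(("/records", "/portal")):
        return "records"
    if path.startswith(("/billing", "/pay")):
        return "billing"
    return "static"


def is_first_party(host):
    return host == FIRST_PARTY_SUFFIX or host.endswith("." + FIRST_PARTY_SUFFIX)


def ephi_fields_in(request_url, body):
    """Names of ePHI-like parameters found in the query string or form body."""
    params = set(parse_qs(urlparse(request_url).query))
    params |= set(parse_qs(body))
    return sorted(EPHI_FIELDS & params)


def review_flows(observed, approved):
    """Return (alerts, drift).

    alerts: requests needing attention, highest concern being ePHI fields
            leaving for any third party, approved or not.
    drift:  page class -> destinations seen that the network map lacks,
            i.e. the map needs revising (or the flow needs removing).
    """
    alerts, drift = [], {}
    for page_url, req_url, body in observed:
        page_class = classify_page(page_url)
        dest = urlparse(req_url).hostname or ""
        fields = ephi_fields_in(req_url, body)
        unapproved = dest not in approved.get(page_class, set())
        if unapproved:
            drift.setdefault(page_class, set()).add(dest)
        record = {"page": page_url, "destination": dest, "fields": fields}
        if fields and not is_first_party(dest):
            alerts.append({**record, "severity": "high",
                           "reason": "ePHI fields sent to third party"})
        elif unapproved:
            alerts.append({**record, "severity": "medium",
                           "reason": "destination not in network map"})
    return alerts, drift


if __name__ == "__main__":
    found_alerts, found_drift = review_flows(OBSERVED_REQUESTS, APPROVED_FLOWS)
    for alert in found_alerts:
        print(alert["severity"], alert["reason"], alert["destination"], alert["fields"])
    print("map drift:", found_drift)
```

On the constructed input the approved analytics host is still flagged because a medical record number travelled with the event, and the unknown widget host is flagged both as an unapproved destination and for carrying a date of birth. The first-party API call and the static-page pixel produce nothing, which is the expected result when the map is accurate.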

More Precision in Risk Assessments

The HIPAA new rules are now more precise about what an organization should cover in its risk analysis. Written risk assessments should contain, among other things:

A review of the technology asset inventory and network map and identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.

Again, Reflectiz’s automated inventory and network mapping functionality simplifies the user’s ability to identify and record risks that may threaten ePHI.

Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.

Attackers often look for ways to compromise tracking technologies, because even when healthcare providers follow security best practices, third parties providing scripts, apps, and frameworks may be less diligent. That’s why the system continuously monitors all online tracking technologies that may be at risk of gaining unauthorized access to PHI, including pixels, cookies, trackers, and beacons.

An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.

This is another requirement that’s covered by the risk assessment tool, which rates the risks it discovers and suggests ways that the user can mitigate them.

Regulated entities are required to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner.

The Reflectiz solution itself comprises a set of technical controls for configuring the web infrastructure of healthcare providers. It continuously discovers assets, detects vulnerabilities, and prioritizes risks for faster threat mitigation.

Conclusion

Although we don’t yet have an implementation date for the HIPAA new rules, meeting them should be the number one priority for healthcare providers and their business associates. Implementing these more stringent security practices will help protect these organizations and the health records entrusted to them from escalating cyberthreats. For better threat visibility, improved compliance with HIPAA new rules, and outstanding protection across the entire attack surface, sign up with Reflectiz today.
