
Proposed Changes to the HIPAA Security Rule: Healthcare Cybersecurity and Compliance

February 12, 2025

On January 6, 2025, the Department of Health and Human Services (HHS) published in the Federal Register the first proposed changes to the HIPAA Security Rule since 2013. Healthcare, technology and security practice have all changed substantially in the twelve years since. Given the state of healthcare cybersecurity, with an average of roughly two reported breaches per day and technology that lags other industries in many areas, these proposed changes are long overdue.

The proposal in its current form is posted to the Federal Register, and the comment period remains open until March 7, 2025. The final rule may take several forms: the proposal may be tabled, some recommended changes may be removed, or it may undergo a complete overhaul. Regardless, now is the time for healthcare organizations to strengthen their security and compliance posture. With breaches affecting healthcare organizations large and small, it is imperative to act now. Those who act in good faith can not only achieve compliance but greatly reduce their risk.

Risk Analysis: Are You Really in Compliance?

According to the Office for Civil Rights (OCR), failure to perform a compliant risk analysis is one of the most common findings in its investigations and audits, and it is increasingly clear that many healthcare providers are not meeting the required standard.

One of the major findings from OCR's audit program is that only a small fraction of healthcare organizations are meeting the risk analysis requirement. Specifically, just 14% of covered entities and 17% of business associates were found to be substantially fulfilling that obligation. That means roughly 86% of covered entities and 83% of business associates are likely out of compliance on this point alone. These numbers highlight a critical disconnect: many healthcare leaders believe their organizations are compliant, yet the audit results suggest otherwise.

The good news? Healthcare organizations can get back on track with the right tools and expertise. A risk analysis is fundamental to identifying vulnerabilities and demonstrating compliance: it identifies where electronic protected health information (ePHI) is created, received, maintained and transmitted, the threats and vulnerabilities to each of those systems, and the likelihood and impact of each. If your organization has not conducted a thorough risk analysis, it is time to do so. This is not a matter of checking a box. It is about protecting patient data and avoiding the costly consequences of noncompliance.

The Importance of Asset Inventory

Maintaining an asset inventory is not explicitly required under the current HIPAA Security Rule, but OCR has long emphasized that it is a critical component of a thorough risk analysis, and the proposed rule would make a technology asset inventory and network map an explicit requirement. Many healthcare organizations fail to maintain a detailed asset inventory, which hinders their ability to identify and mitigate risks effectively. It is easy to overlook this step, but without it you are flying blind: you cannot know where protected health information is stored, processed or transmitted, and therefore where additional security measures are needed. A useful inventory goes beyond hardware to include applications, cloud services, medical devices and the business associates that handle ePHI, and it is kept current as systems change. If you are not already maintaining an asset inventory, begin immediately. Expert help is available to assist you in creating and maintaining an inventory that aligns with compliance requirements.

Changing Healthcare Cybersecurity and Compliance Standards for Small and Rural Healthcare Providers

For years, small and rural healthcare providers have had more leeway when it comes to compliance. The "flexibility of approach" built into HIPAA was meant to accommodate organizations of varying sizes and resources. However, OCR is now emphasizing that small and rural providers need to implement robust security measures just as much as larger organizations. Attackers target healthcare organizations regardless of size, and patient data must be protected across the board.

With the rising sophistication of cyberattacks, security risk does not discriminate based on size. Every healthcare organization, no matter how small, is a potential target. The proposed rule pushes toward greater standardization, most notably by removing the distinction between "required" and "addressable" implementation specifications, so that the same baseline security requirements apply to all regulated entities, large and small. Now more than ever, small and rural providers must prioritize compliance to avoid falling victim to data breaches.

The True Cost of Data Breaches

The financial impact of a data breach is something healthcare organizations cannot afford to ignore. According to the National Institutes of Health (NIH), healthcare data breaches are more expensive than breaches in other industries. IBM's 2024 Cost of a Data Breach report puts the average cost of a breach in the healthcare industry at $9.77 million, the highest of any industry surveyed. Healthcare organizations must recognize that, in the event of a breach, they will face not only the cost of remediating vulnerabilities but also notification costs, potential legal fees and fines for noncompliance.

Looking Ahead: Preventive Measures Are Key

The NIH's study reveals a sobering trend: data breaches and their associated costs are projected to keep rising. This underscores the importance of prioritizing preventive measures now. For healthcare organizations, cybersecurity is not just a matter of avoiding fines. It is about safeguarding sensitive patient data and keeping the organization operational in the face of rising threats so that it can continue to care for patients.

Conclusion

Healthcare organizations must take a proactive approach to cybersecurity and compliance. Whether it is conducting a risk analysis, maintaining an asset inventory, or ensuring that small and rural providers are not left behind, the stakes are high. Data breaches are costly, both financially and reputationally, and they are becoming more frequent. By prioritizing security, organizations can not only comply with regulations but also protect themselves from significant financial and operational consequences.

Fortunately, All Covered can help. Reach out today for a free consultation, or download our Healthcare Cybersecurity Essentials Tool Kit for more tips on keeping data secure.
