WEDI Responds to Proposed HIPAA Security Rule Changes, Urges Flexibility and Collaboration

The Workgroup for Electronic Data Interchange (WEDI) has outlined its response to the proposed changes to the HIPAA Security Rule, particularly those aimed at strengthening cybersecurity protections for electronic protected health information (ePHI).

Key Takeaways from WEDI’s Response

  • Growing Threat of Ransomware: WEDI acknowledges the increasing threat of ransomware attacks on the healthcare sector, emphasizing the need for enhanced cybersecurity measures and business continuity planning.
  • Office of National Cybersecurity Policy: WEDI proposes the creation of a new federal office dedicated to cybersecurity policy, advocating for a more coordinated and authoritative approach to cyber incident response.
  • National Health Care Cyber “Fire Drill”: WEDI suggests implementing a designated week for a national health care cyber “fire drill” to promote awareness and action among healthcare organizations.
  • Audits and Education: WEDI supports proactive audits of the health care sector to identify vulnerabilities but recommends that these audits focus on education and improvement rather than strict enforcement.
  • Ransomware as Data Breach: WEDI argues against automatically classifying ransomware attacks as data breaches, citing inherent differences and potential disincentives for reporting.
  • Voluntary Audit Program: WEDI proposes a voluntary audit program modeled after OSHA’s VPP to allow covered entities to proactively identify and correct security weaknesses.
  • Accreditation Programs: WEDI encourages the development and support of private sector accreditation/certification programs to ensure consistent security practices.
  • “One Size Fits All” Approach: WEDI cautions against a “one size fits all” approach, emphasizing the need for scalability and flexibility in regulatory requirements.
  • Implementation Glidepath: WEDI urges HHS to establish a minimum two-year implementation period for the proposed changes.
  • Staggered Implementation: WEDI recommends a staggered implementation of regulatory provisions, prioritizing high-priority baseline controls.
  • Business Associate Agreements: WEDI calls for allowing a continuation of existing Business Associate Agreements until their renewal date.
  • Assistance for Small Organizations: WEDI suggests deploying Regional Extension Centers (RECs) to assist smaller organizations in understanding and implementing cybersecurity requirements.
  • Centralized Website: WEDI proposes developing a centralized website with educational materials and guidance for covered entity compliance.
  • Reduce Implementation Costs: WEDI identifies opportunities to reduce industry implementation costs, including reducing the number of requirements and extending timeframes.
  • Regular Updates: WEDI recommends establishing a regular cadence for updating security standards.
  • Balance Cybersecurity and Burden: WEDI stresses the importance of striking a balance between mandating effective cybersecurity requirements and avoiding undue burden on stakeholders.
  • Addressable vs. Required: WEDI believes that compliance with implementation specifications currently designated as addressable should not be optional.
  • Technology Asset Inventory: WEDI supports the need for a technology asset inventory and network map.
  • Software Patching: WEDI believes that policies related to software patching can be handled through business associate agreements.
  • Multi-Factor Authentication: WEDI recommends MFA requirements apply when accessing internal networks with ePHI data from external networks, rather than applying universally.
  • Incident Response: WEDI believes that incident response policies are critical to an organization’s overall cyber hygiene.
  • Restoration of Critical Systems: WEDI recommends the Department not impose an arbitrary and overly aggressive time requirement for the restoration of critical systems.
  • Audit Timing: WEDI is concerned with the overly prescriptive auditing requirement.
  • Business Associate Verification: WEDI recommends HHS remove the requirement that the covered entity obtain written verification from business associates.
  • Documentation Requirements: WEDI recommends that the Department provide clear guidance regarding specific types of documentation that typically need to be retained to support OCR investigations.
  • Encryption: WEDI recommends modifying the language of this requirement by eliminating the word “all” to allow encryption flexibility based on risk and data protection strategy.
  • Network Segmentation: WEDI believes additional guidance from HHS is needed if the network segmentation requirement is finalized.
  • Penetration Testing: WEDI urges HHS to consider the potential cost of mandating that penetration testing be completed by covered entities every 12 months.
  • Group Health Plan Requirements: WEDI disagrees with requiring the plan document to contain obligatory clauses.
  • Estimated Costs: WEDI has concerns with the estimated cost to the industry of implementing this regulation.
  • Workforce Training: WEDI recommends covered entities be given 2 years to implement any final rule.
  • Risk Analysis: WEDI supports the NPRM’s focus on covered entities conducting a thorough risk analysis.
  • Termination Procedures: WEDI is concerned with the overly prescriptive requirement that the termination of a workforce member’s access occur within one hour of the termination and the requirement that other entities be notified within 24 hours.
  • Written Verification Proposal: WEDI recommends that HHS eliminate the requirement that covered entities obtain written verification from business associates.

WEDI’s response highlights the complexities and challenges involved in updating the HIPAA Security Rule to address modern cybersecurity threats. The organization’s emphasis on flexibility, collaboration, and a risk-based approach underscores the need for a balanced and practical regulatory framework that protects ePHI without imposing undue burdens on healthcare organizations.