
Healthcare Focused Cybersecurity and Supply Chain Risk Management

HIPAA NPRM

HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information


Register now to download our summarized version of the HIPAA NPRM and stay informed with the latest updates on the development and adoption of the HIPAA ePHI security rules. Don’t miss key information that could impact your compliance efforts!

Download the 2025 HIPAA ePHI Security Rules NPRM

The 2025 HIPAA NPRM:
On January 6th, 2025, the Department of Health and Human Services published a Notice of Proposed Rulemaking (NPRM) to update the HIPAA ePHI security rules. Public comments were accepted from January 6th to March 6th, 2025. The next step is the adoption and publication of the new rules. Once finalized, regulated entities will have 180 days to comply. This update aims to address evolving security concerns and improve the protection of electronic health information.


Why did the Department of Health and Human Services publish a Notice of Proposed Rulemaking (NPRM) to update the HIPAA ePHI security rules?
The Department of Health and Human Services proposed the NPRM to update HIPAA ePHI security rules due to several factors: changing healthcare environments, rising breaches and cyberattacks, common deficiencies found in OCR investigations, and evolving cybersecurity guidelines. Court decisions also impact Security Rule enforcement. Modern healthcare relies heavily on secure technologies across all stages, from appointment scheduling and telehealth to insurance verifications and medical records management. To safeguard this infrastructure, updates to HIPAA’s security rules are necessary to address these growing challenges and enhance protection against security threats.



In healthcare, many drivers push an organization toward a secure posture. Across HHS/OCR's HIPAA Security, Privacy and Breach Notification Rules and the currently proposed NPRM, the OIG's General Compliance Program Guidance (GCPG), and MIPS, protecting the confidentiality, privacy and availability of health information is paramount.


Within healthcare, including Business Associates, BorderHawk offers multiple tailored services. These primarily revolve around an organization's need to conduct an appropriate risk assessment and to manage the risk associated with its Business Associates. Both of these security and compliance programs are crucial in healthcare because they address different aspects of risk exposure and compliance requirements.

Cyber Risk Assessments & Supply Chain Risk Assessments

Cyber Risk Assessment: Evaluates the potential threats to an organization's IT systems and networks, focusing on vulnerabilities such as software flaws, unauthorized access, data breaches, malware, and other cyber threats. This type of assessment helps an organization identify weaknesses in its digital infrastructure, including networks, applications, and data storage.
Key areas of focus: asset discovery, inventory of PHI/ePHI, data flow maps, business justification of need, policies, network security, data protection, access control, threat monitoring, proper backups and restoration within mandated timelines, breach analysis and response, and breach notification.

Supply Chain Risk Assessment (SCRM): A supply chain risk assessment focuses on the risks associated with third-party vendors and partners, known as Business Associates under HHS and the OCR. Healthcare delivery organizations rely heavily on suppliers for software, hardware, and services, and each vendor must be vetted to understand its impact on the confidentiality, integrity and availability of patient data. As such, a risk assessment must be conducted and documented for each third-party supplier.
Key areas of focus: third-party vendor security practices, dependencies on suppliers for critical components, and risks related to outsourcing and subcontracting.


HIPAA (Health Insurance Portability and Accountability Act)

HIPAA is a federal law that sets a national standard to protect medical records and other personal health information. The HIPAA Security Rule establishes national standards for the protection of electronic PHI (ePHI) and requires covered entities to implement a variety of safeguards to ensure the confidentiality, integrity, and availability of ePHI.

Regular assessments ensure adherence to these rules and reduce the risk of non-compliance, which could lead to significant penalties, fines, and legal consequences.

The BorderHawk HIPAA assessment involves a thorough review of an organization’s administrative, physical, and technical safeguards to identify vulnerabilities, gaps, and areas that may pose risks to the security of ePHI. The goal is to determine whether the entity is meeting the necessary requirements to protect sensitive health data and avoid potential breaches. The organizations subject to HIPAA's rules include:

  • Healthcare Providers: Doctors, hospitals, clinics, nursing homes, pharmacies, and other medical professionals who transmit health information electronically.

  • Health Plans: Insurance companies, HMOs, and employers who provide health benefits.

  • Healthcare Clearinghouses: Organizations that process health information and act as intermediaries between healthcare providers and health plans.

  • Business Associates: Any third-party service providers who handle, store, or transmit ePHI on behalf of covered entities. Examples include IT vendors, cloud service providers, billing companies, and medical transcription services.
