On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to enhance the cybersecurity measures required under the HIPAA Security Rule. This Notice of Proposed Rulemaking (NPRM) seeks to bolster the defenses of the U.S. healthcare system against the rising tide of cyberattacks, particularly those targeting electronic protected health information (ePHI). The changes aim to address critical weaknesses, clarify obligations, and align the Security Rule with modern cybersecurity practices.
This article examines the motivation behind the proposed amendments and focuses on the risk assessment component. We also highlight how Private AI’s technologies can help meet the proposed obligations.
The State of Cybersecurity in Healthcare
OCR’s data is sobering: from 2018 to 2023, reports of large breaches grew by 102 percent, while the number of individuals affected skyrocketed by 1002 percent. These increases stem primarily from hacking and ransomware attacks. In 2023 alone, over 167 million individuals were impacted by large breaches, underscoring the urgency of revisiting the Security Rule to combat external and internal threats to ePHI.
The NPRM proposes a series of updates to the Security Rule, including new requirements for regular testing of policies and procedures, mandatory encryption of ePHI, and multi-factor authentication. These measures would also include a risk analysis standard that shifts from high-level guidelines to detailed mandates. Organizations will be required to maintain a written inventory of technology assets, develop network maps, and conduct assessments that identify potential threats and vulnerabilities.
Risk Analysis
Central to the NPRM’s objectives is the enhanced risk analysis process, a critical foundation for all other cybersecurity measures. Covered entities and their business associates must assess the confidentiality, integrity, and availability risks associated with ePHI. Specific focus areas include:
- Inventorying all technology assets and mapping ePHI movement across systems.
- Identifying reasonably anticipated threats, such as hacking attempts and phishing schemes.
- Assessing vulnerabilities, including risks from legacy devices.
- Estimating the likelihood and potential impact of specific threats exploiting identified vulnerabilities.
- Documenting all findings to guide mitigation and compliance efforts.
The proposed rule itself lists basic questions that a regulated entity would consider when conducting a risk analysis that complies with the Security Rule, including:
- Have you identified all the ePHI that you create, receive, maintain, or transmit?
- What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain, or transmit ePHI?
- What are the human, natural, and environmental threats to information systems that contain ePHI?
- What are the risks posed by legacy devices, including any risks that would be posed by replacing legacy devices with new ones?
How Private AI Facilitates Risk Assessment
Private AI’s advanced privacy-enhancing technologies can play a vital role in helping healthcare organizations comply with these proposed changes. With machine-learning models capable of identifying over 50 types of personal information across structured and unstructured data, Private AI automates the detection and classification of ePHI. This capability ensures that risk assessments are comprehensive and precise.
Private AI identifies sensitive data across diverse systems, including databases, documents, and network drives, helping organizations map and secure ePHI. This capability is vital for assessing the impact on individuals whose data may be exposed in the event of a breach. Together with the determination of the likelihood of a threat occurrence, the impact analysis determines the overall risk and is thus a crucial aspect of the required analysis.
Additional Compliance Support
Beyond the actual risk analysis, Private AI can further facilitate several HIPAA Security Rule requirements:
- Mitigating Vulnerabilities in Unstructured Data: From scanned PDFs to emails, Private AI’s tools analyze and redact ePHI, reducing the risk of exposure from unstructured data sources.
- Real-Time Compliance Monitoring: Organizations can deploy Private AI’s solutions for continuous monitoring, ensuring that ePHI remains protected against newly discovered threats.
- Enhanced Incident Response: Should a breach occur, Private AI enables rapid identification of ePHI in compromised systems or databases, simplifying reporting and remediation efforts.
Conclusion
The NPRM provides a nudge for healthcare organizations to reassess and fortify their cybersecurity strategies. With data breach threats escalating at an unprecedented rate, implementing robust security measures is no longer optional—it is imperative, regardless of the final language of the amended Security Rule. Private AI stands ready to support organizations in meeting these evolving requirements with innovative, privacy-enhancing technology.
Discover how our solutions can help safeguard ePHI, reduce risk, and streamline compliance efforts. Try our web demo today or contact us.