In this week’s installment of our blog series on the U.S. Department of Health and Human Services’ (HHS) proposed HIPAA Security Rule updates in its January 6, 2025 Notice of Proposed Rulemaking (NPRM), we discuss HHS’s proposed rules for vulnerability management, incident response, and contingency plans (45 C.F.R. §§ 164.308, 164.312). Last week’s post on the updated administrative safeguards is available here.

Existing Requirements

HIPAA currently requires regulated entities to implement policies and procedures to (1) plan for contingencies and (2) respond to security incidents. A contingency plan governs the response to emergencies and other major occurrences, such as system failures and natural disasters. The plan must include a data backup plan, a disaster recovery plan, and an emergency mode operation plan so that critical business processes can continue while systems are unavailable. Security incident procedures must be implemented so that the regulated entity can identify and respond to known or suspected incidents, mitigate their harmful effects, and document the incidents and their outcomes.

Regulated entities, especially those that have unfortunately experienced a security incident, are familiar with the above requirements and their implementation specifications, some of which are “required” and others only “addressable.” As discussed throughout this series, HHS is proposing to remove the “addressable” distinction, making every implementation specification that supports a security standard mandatory.

What Are the New Technical Safeguard Requirements?

The NPRM substantially changes how a regulated entity must implement a contingency plan and respond to security incidents. HHS also proposes a new “vulnerability management” standard that would require regulated entities to deploy technical controls to identify and address vulnerabilities in their relevant electronic information systems. We summarize these proposed standards and implementation specifications below:

Contingency Plan – The NPRM would add implementation specifications to the contingency plan standard. HHS is proposing a “criticality analysis” implementation specification, requiring regulated entities to analyze their relevant electronic information systems and technology assets to determine the priority in which they would be restored. The NPRM also adds new or more specific language to the existing implementation specifications, such as requiring entities to (1) maintain procedures to create and keep “exact” backup copies of electronic protected health information (ePHI); (2) restore critical relevant electronic information systems and data within 72 hours of a loss; and (3) require business associates to notify covered entities within 24 hours of activating their contingency plans.

Incident Response Procedures – The NPRM would require written security incident response plans and procedures that document how workforce members are to report suspected or known security incidents, and how the regulated entity will identify, mitigate, remediate, and eradicate any suspected or known security incident.

Vulnerability Management – HHS explains in the NPRM that the proposed “vulnerability management” standard is meant to address the risk of bad actors exploiting publicly known vulnerabilities. To that end, the standard would require a regulated entity to deploy technical controls to identify and address technical vulnerabilities in its relevant electronic information systems, including (1) automated vulnerability scanning at least every six months; (2) monitoring “authoritative sources” (e.g., CISA’s Known Exploited Vulnerabilities Catalog) for known vulnerabilities on an ongoing basis and remediating them where applicable; (3) penetration testing at least every 12 months; and (4) timely installation of reasonable software patches and critical updates.
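The second item above, continuously checking scanner output against an authoritative source, is the one most entities end up scripting. The following is an added example, not code from the original post or from HHS, showing the core of such a check: scanner findings are cross-referenced against a CISA KEV catalog, and anything listed is ranked by whether CISA’s remediation due date has passed, whether the entry is tied to known ransomware use, and whether the affected asset holds ePHI. The KEV excerpt and the scanner findings are constructed sample data (the CVE identifiers are placeholders, not real vulnerabilities), and the `ephi_system` flag is an assumed field that a real asset inventory would supply; the field names in the KEV excerpt mirror the public KEV JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
"""Cross-check vulnerability scanner findings against a CISA KEV catalog.

Added example, not from the blog post. KEV_SAMPLE and SCAN_FINDINGS are
constructed sample data; in production the catalog would be fetched from
the public KEV JSON feed and the findings exported from the scanner.
"""
from datetime import date

# Constructed KEV excerpt. The keys match the public KEV JSON feed; the
# CVE identifiers are placeholders, not real vulnerabilities.
KEV_SAMPLE = {
    "catalogVersion": "sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-99991",
            "vendorProject": "ExampleVendor",
            "product": "ExampleVPN",
            "vulnerabilityName": "Placeholder VPN gateway flaw",
            "dateAdded": "2025-01-10",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-01-31",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-2024-99992",
            "vendorProject": "ExampleVendor",
            "product": "ExampleImagingViewer",
            "vulnerabilityName": "Placeholder imaging viewer flaw",
            "dateAdded": "2025-02-08",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2025-03-01",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
}

# Constructed scanner export: one row per (asset, CVE). "ephi_system" is an
# assumed inventory attribute marking assets that store or process ePHI.
SCAN_FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-2024-99991", "ephi_system": True},
    {"asset": "imaging-ws-07", "cve": "CVE-2024-99992", "ephi_system": True},
    {"asset": "lobby-kiosk-03", "cve": "CVE-2024-99993", "ephi_system": False},
]


def index_kev(catalog):
    """Map cveID -> KEV entry for O(1) lookups."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(findings, kev_index, today):
    """Return only the findings that appear in KEV, ranked for remediation.

    Ranking: overdue (past CISA's dueDate) first, then known ransomware use,
    then assets holding ePHI, then the soonest due date.
    """
    ranked = []
    for finding in findings:
        entry = kev_index.get(finding["cve"])
        if entry is None:
            continue  # not in KEV; handled by the regular patch cadence
        due = date.fromisoformat(entry["dueDate"])
        days_past_due = (today - due).days
        ranked.append({
            "asset": finding["asset"],
            "cve": finding["cve"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "overdue": days_past_due > 0,
            "days_overdue": max(days_past_due, 0),
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "ephi_system": finding["ephi_system"],
            "required_action": entry["requiredAction"],
        })
    ranked.sort(key=lambda r: (not r["overdue"], not r["ransomware"],
                               not r["ephi_system"], r["due"]))
    return ranked


def overdue_count(ranked):
    """Number of KEV-listed findings past CISA's due date."""
    return sum(1 for r in ranked if r["overdue"])


if __name__ == "__main__":
    report = triage(SCAN_FINDINGS, index_kev(KEV_SAMPLE), date(2025, 2, 15))
    for row in report:
        flag = f'{row["days_overdue"]}d overdue' if row["overdue"] else "due " + row["due"]
        print(f'{row["asset"]:16} {row["cve"]:15} {flag:14} '
              f'ransomware={row["ransomware"]} ephi={row["ephi_system"]}')
```

Run on a fixed date, the script reports the VPN gateway first (past due and ransomware-linked) and the imaging workstation second; the kiosk finding is dropped from this list because its CVE is not in the catalog, which is the point of the check: KEV membership, not scanner severity, drives the remediation deadline. In practice the catalog should be re-fetched on every run, since “ongoing” monitoring means new KEV entries can apply to findings that were already known.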

Stay Tuned

Next week, we will continue Bradley’s weekly NPRM series by analyzing justifications for HHS’s proposed Security Rule updates, how the proposals may change, and areas where HHS offers its perspective on new technologies. The NPRM public comment period ends on March 7, 2025.

Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.
