
HIPAA Changes for 2025: How to Address the New Cybersecurity Rules

Updated: Feb 25


The Department of Health and Human Services (HHS) proposed a major cybersecurity update to HIPAA, aimed at enhancing the protection of sensitive health information. Learn how organizations can use Microsoft security tools to address the new requirements and stay compliant with the updated regulations.

Author: Nathan Berger, Director of Security @ Cyclotron


On December 27th, 2024, the Department of Health and Human Services (HHS) proposed a major cybersecurity update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the privacy and security rules that protect sensitive health information in the United States.


Good news – If your organization runs on Microsoft tools, almost all of the proposed cybersecurity requirements can be addressed by a tool in the Microsoft security stack. In this blog, we’ll explain the relationship between the proposed HIPAA update and the different Microsoft security tools you can use to address the proposed new requirements. 


Even with the best tools, staying compliant can be complicated. Cyclotron, the 2024 Microsoft Compliance Partner of the Year, has a special offer specifically tailored for HIPAA implementations and the expertise needed to accelerate your deployment with ease.


What is changing? 

Below, we’ll dive into the proposed technical configuration changes and how they can be addressed with tools from the Microsoft security stack. 


  • The Update: Require the development and revision of a technology asset inventory and a network map that illustrates the movement of electronic Protected Health Information (ePHI) throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI. 

    • How to Address it: To develop an asset inventory and network map, leverage Microsoft Purview in Azure. Data mapping and lineage features in Purview’s governance portal help health organizations demonstrate and classify information flows across assets.  

  • The Update: Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things: A review of the technology asset inventory and network map; Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI; Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems; An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities. 

    • How to Address it: This type of risk analysis is best approached through the combined lens of Microsoft Defender Exposure Management and Microsoft Defender Vulnerability Management. Exposure Management helps you map attack paths across your attack surface, assembled automatically from intelligence across your Defender suite. Vulnerability Management provides prioritized risk analysis of misconfigurations and missing patches on devices and applications. Together, these tools can map direct threats to ePHI, assign a risk level to each identified threat, and provide quick remediation methods to secure your environment. By default they cover your devices, AD domain, Entra identities, and Microsoft 365 apps; it’s important to also extend them to your Electronic Health Record (EHR) infrastructure, which contains the ePHI databases and services.

  • The Update: Require encryption of ePHI at rest and in transit, with limited exceptions. 

    • How to Address it: In your Microsoft 365 tenant, data is encrypted by default at rest and in transit. However, protecting your ePHI requires extending encryption to all databases, storage, and applications. Some organizations may be tempted to use Microsoft Purview’s auto-labeling features to encrypt ePHI at rest, but be careful about how that affects end-user workflows related to patient experience: recipients outside your organization might not know how to decrypt a file or email. Infrastructure-level and transit-level encryption should therefore be your primary focus, with file-level encryption only as a fallback option.

  • The Update: Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include: Deploying anti-malware protection; Removing extraneous software from relevant electronic information systems; Disabling network ports in accordance with the regulated entity’s risk analysis. 

    • How to Address it: Microsoft Defender for Endpoint (MDE) and Microsoft Intune are your two best options for deploying these controls. MDE will address the anti-malware protection using both its included Endpoint Detection & Response (EDR) agent and the built-in Antivirus (AV) features. Today, AV itself won’t secure your environment nearly as effectively as EDR+AV will, given the increased behavior anomaly detection capabilities and response features. Intune software reports and MDE’s built-in Vulnerability Management features will highlight extraneous software and help you remove it. If you want to harden your desktop to prevent extraneous software outright, consider using Intune to enforce Defender Application Control, which has new features like Smart App Control to accelerate your implementation. 

  • The Update: Require the use of multi-factor authentication (MFA), with limited exceptions. 

    • How to Address it: Hopefully, you have already enrolled all your users in Entra MFA. The key change here is to ensure MFA is enforced on all your applications, not just critical apps. This includes your EHR system, your Microsoft tenant, your cloud infrastructure, your on-premises infrastructure, and even those pesky legacy applications with old Active Directory (AD) authentication. Luckily, new features available in Entra Suite provide the ability to enforce MFA on any application, even legacy apps using AD auth. 
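The "all applications, not just critical apps" point above, as an added example that is not from the original post or from Cyclotron: a Microsoft Graph PowerShell script that creates an Entra Conditional Access policy requiring MFA for all users on all cloud apps, starting in report-only mode, and then lists existing MFA policies that still scope to individual apps. It assumes the Microsoft.Graph PowerShell SDK, the Policy.ReadWrite.ConditionalAccess scope, and a break-glass group ID that you must replace (placeholder shown).

```powershell
# Added example (not from the original post): create an Entra Conditional Access
# policy that requires MFA for ALL users on ALL cloud apps. It is created in
# report-only mode first so sign-in logs show the impact before enforcement.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin consents to the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# PLACEHOLDER: object ID of your emergency-access ("break-glass") group.
# Always exclude it so a misconfigured policy cannot lock every admin out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "HIPAA - Require MFA for all users on all apps"
    # Start in report-only mode; switch to "enabled" after reviewing the impact.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "All" targets every cloud app in the tenant, so the EHR front end and
        # other Entra-integrated apps are covered without listing them one by one.
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Review step: list active MFA policies that do NOT target all apps. These are
# the "critical apps only" policies that leave a gap under the proposed rule.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object {
        $_.State -ne "disabled" -and
        $_.GrantControls.BuiltInControls -contains "mfa" -and
        $_.Conditions.Applications.IncludeApplications -notcontains "All"
    } |
    Select-Object DisplayName, State
```

Promote the policy to `enabled` only after the report-only results in the sign-in logs show no unexpected blocks for clinical workflows.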

  • The Update: Require vulnerability scanning at least every six months and penetration testing at least once every 12 months. 

    • How to Address it: Vulnerability scanning is another area that Defender Vulnerability Management is well suited to address. However, you’ll need to make sure you have a penetration testing vendor as well to fulfill this requirement. 

  • The Update: Require network segmentation. 

    • How to Address it: If only it were as easy as that sentence sounds! Network segmentation threatens to upend your entire infrastructure setup if your designs haven’t prioritized it. You have two options here: a comprehensive implementation of network segmentation that fundamentally segregates users, applications, and services (high effort), or a lighter approach that minimizes your end-user AD population by moving those users to a cloud-only state (similar effort, but many more user and security benefits). Either way, you’ll still segment your infrastructure and networks, but with the second approach your users get a much more positive, cloud-friendly experience. If you have to put in the same amount of effort regardless, we think it’s worthwhile to at least make users happy during the change. For more, see our post on Removing Active Directory: Cloud-Native Migration.

  • The Update: Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems. 

    • How to Address it: Microsoft 365 Backup gives you a simple yet comprehensive implementation approach while maintaining strong backup principles such as immutability, physical redundancy, point-in-time restore within hours, and simple management.


Note: This is not an exhaustive list, as it does not include several new operational requirements. The full list of all proposed cybersecurity requirements can be found here. 


When will these changes happen? 

This is a Notice of Proposed Rulemaking (NPRM), so before these changes are finalized, they are open to public comment for 60 days. This period ends in March 2025, at which time the new administration will determine whether to enact, amend, or abandon the rules. Then there will be at least a few months before the rules are enforced.  


If you want help implementing these controls, Cyclotron’s Security practice provides total implementation services for any tools named here. Reach out to sales@cyclotron.com or visit cyclotron.com/get-started to gain professional help with your HIPAA control implementation. Need more than an implementation? Cyclotron’s Compliance as a Service platform, Kapton, offers full-service compliance management provided by a team of award-winning compliance experts so you can rest easy knowing your organization is compliant. 
