HHS Publishes HIPAA Cybersecurity NPRM
Medical Devices
On Monday the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (NPRM) in the Federal Register (90 FR 898-1022) on “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information”. HHS is proposing to modify the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
With its emphasis on Protected Health Information (PHI) the main focus of this proposed rule is on information technology, and generally falls outside the scope of this blog. Having said that, there are 52 mentions of the term ‘medical device’ in this NPRM, starting with the realization that:
“Almost every stage of modern health care relies on stable and secure computer and network technologies, including, but not limited to, the following: appointment scheduling, prescription orders, telehealth visits, medical devices, patient records, medical and pharmacy claims submissions and billing, insurance coverage verifications, payroll, facilities access and management, internal and external communications, and clinician resources. These tools and technologies are an integral part of the modern health care system, but they also present opportunities for bad actors to cause harm through hacking, ransomware, and other means.”
NOTE: A large number of those references to ‘medical device’ are found in the footnotes, providing links to informational documents relating to medical device cybersecurity issues.
This means that personnel responsible for the cybersecurity of medical devices, facility access controls, and building maintenance controls are going to have to pay attention to these proposed HIPAA cybersecurity rules, even though the rule is framed around information technology.
Medical Device Threats
In the opening discussion about the revised threats to PHI, the preamble reports that:
“It is not only the ePHI maintained in EHRs and other electronic recordkeeping systems that faces security risks. Medical equipment and devices are increasingly connected through one or more networks, which means that any issues affecting the network likely will affect the medical equipment and devices. And some medical equipment and devices rely on off-the-shelf operating systems, such as Windows, Linux, and similar third-party software; thus, the medical equipment and devices can experience the same vulnerabilities as personal computing devices.”
The discussion proceeds to examine:
A 2021 cyberattack on cloud-based systems,
Mayo Clinic hackathon with 40 medical devices,
Medical devices as a prime target for cybercriminals,
The increase in the number of breaches of unsecured PHI, and
Security Concepts
These revised threats in turn lead to a discussion about what sorts of regulatory changes should be expected. It addresses five concepts:
Congress and the Department anticipated that the security standards and their safeguards would evolve to address changes in the health care environment.
The National Committee on Vital and Health Statistics (NCVHS) believes that the security standards should evolve to address changes in the health care environment.
A strengthened Security Rule would continue to be flexible and scalable while providing regulated entities with greater clarity.
Small and rural health care providers must implement strong security measures to provide efficient and effective health care.
A strengthened Security Rule is critical to an efficient and effective health care system.
Revised Definitions
A significant portion of the proposed revisions to the Security Rule deal with the definitions used in that rule. The following revised definitions (in existing 45 CFR 164.304) have been specifically modified to include or apply the term ‘medical device’:
Availability (discussion and text), and
Workstation (discussion and text).
Unfortunately, there is no definition of ‘medical device’ (see 21 USC 321 for the FDA definition; that definition would probably have to be modified for the purposes of this rule), nor has there been a modification of (or discussion about) the terms ‘information system’ or ‘electronic information system’ with respect to the specific inclusion of medical devices. Another term with a revised definition in the NPRM that could have included a specific reference to ‘medical devices’ is ‘technology asset’. In all three cases the term ‘hardware’ is used, but it is not further defined in either the existing rule or this document. A definition of ‘hardware’ could include a specific reference to ‘medical device’; alternatively, the parenthetical ‘including a medical device’ could be added after the term ‘hardware’ in those definitions.
Medical Device Exemptions
In §164.312 the proposed rule would provide certain exceptions to the encryption and decryption requirement proposed in the modified regulation. One of those exceptions {§164.312(b)(3)(iv)(C)} would apply specifically where the “technology asset in use is a device under section 201(h) of the Food, Drug, and Cosmetic Act, 21 U.S.C. 321(h) that has been authorized for marketing by the Food and Drug Administration”. This exception is justified by noting that:
“We understand that the FDA considers security during the review of medical device marketing submissions, including those for software that is approved as a medical device, and works with device manufacturers to ensure that appropriate cybersecurity protections are built into such devices, pursuant to FDA's authority under [§3305 of] the Consolidated Appropriations Act, 2023 [PL 117-328]. Thus, we do not believe it would be necessary or appropriate for the Security Rule to require encryption for an FDA-authorized medical device that has been authorized by the FDA for marketing pursuant to a submission received on or after March 29, 2023, where the device continues to be supported by its manufacturer.”
Vulnerability Management
In the discussion about the standards for vulnerability management an interesting point is made about devices not owned by the facility:
“For example, a regulated entity should include a device owned by a person other than the regulated entity (e.g., the medical device manufacturer [emphasis added]) in its vulnerability management activities where the device is deployed on the regulated entity's network. The regulated entity should also include all workstations (e.g., desktop computers, mobile devices) that are part of its relevant electronic information systems in its vulnerability management activities.”
Similarly, HHS should probably have commented here about including other systems (building management, physical security management, etc.) that have network connectivity to the information systems that contain, process, or store PHI, since a device owned and managed by a third party is no less a path onto the network than one owned by the regulated entity.
Soliciting Comments
HHS is soliciting comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #HHS-OCR-0945-AA22). Comments should be submitted by March 7, 2025.