
Brittany Brown
Manager, Healthcare Advisory, Coalfire
Healthcare GRC


On December 27, 2024, The Office for Civil Rights at the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rule making (NPRM) to the HIPAA Security Rule to strengthen the protection of electronic protected health information (ePHI).
The Notice of Proposed Rulemaking for the HIPAA Security Rule introduces significant changes to the framework protecting electronic protected health information, requiring regulated entities to implement comprehensive security measures, conducting annual penetration testing, performing automated vulnerability scans every six months, and mandating multi-factor authentication across all systems accessing ePHI. All these measures must be documented and periodically reviewed. With the removal of addressable standards, all safeguards are now mandatory, demanding a stricter compliance approach. Healthcare organizations must adapt to these updated requirements while managing risk in a complex and dynamic healthcare environment. Throughout the NPRM, the Department of HHS emphasized that a thorough risk analysis should drive the implementation of technical controls to ensure they are reasonable and appropriate for the size and complexity of the organization. This highlights the critical importance of conducting a risk analysis, as it helps entities tailor security measures based on their unique risks and operational environment.
To effectively manage the new requirements and reduce the risks posed by the complex healthcare environment, organizations must adopt a Governance, Risk, and Compliance (GRC) program. Coalfire assists clients with constructing and refining well-structured GRC programs that offer a balanced, structured, and scalable approach to building organizational processes to manage risk and comply with regulatory requirements while achieving business operational goals and objectives. This type of program ensures that organizations meet current legal and regulatory obligations and establish sustainable processes for addressing future challenges. By integrating risk management practices with operational goals, a GRC program helps healthcare organizations balance compliance with achieving broader business objectives, fostering a culture of security and compliance.
Due to the extensiveness of the changes to the Security Rule, Coalfire has developed a series of six white papers that divide the changes into the subsections of the HIPAA Security Rule NPRM: definitions, general rules, administrative safeguards, physical safeguards, security safeguards, organizational requirements, documentation requirements, and emerging issues: hot topics. The series will go into depth with the proposed changes to the Security Rule as outlined in the NPRM.