
Navigating the New HIPAA Security Rule: A Guide for Healthcare Leaders

Published by HIT and other sources, 2025-06-30 13:30



George McGregor, VP of Marketing for Approov


Major cybersecurity breaches continue to plague the US healthcare industry, and on December 27, 2024, the U.S. Department of Health and Human Services (HHS), via its Office for Civil Rights (OCR), issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule, titled “The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information”.


Comments were requested, and over 4000 were received before the comment period ended on March 7, 2025. This article dissects the comments received, discusses what could come next, and offers recommendations on how to prepare for the regulatory road ahead.

What’s Driving the Update


The updated HIPAA Security Rule presents a proposed upgrade of the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”), which was initially issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and updated again with the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

The declared intent of the HHS is to update the Security Rule in response to the evolving healthcare technology landscape, and to address new emerging threats. The purpose of the NPRM is specifically to strengthen cybersecurity protections for electronic protected health information (ePHI).


The proposed Security Rule update can be seen as an evolution of previous work:


The Healthcare Sector Cybersecurity Strategy document published in December 2023 proposed a framework to help the healthcare sector address cybersecurity threats. It set voluntary cybersecurity goals for the healthcare sector and laid out an HHS-wide strategy to support greater enforcement and accountability.

In January 2024, OCR published its HPH Sector Cybersecurity Performance Goals (CPGs) in collaboration with CISA (the U.S. Cybersecurity and Infrastructure Security Agency). These align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions and recommend cybersecurity practices aimed at improving security at HIPAA-regulated entities to combat cyberattacks, improve incident response, and minimize risk.

The newly updated Security Rule makes mandatory some of the voluntary “best practices” laid out in the CPGs, such as use of encryption and multifactor authentication (MFA). Clearly OCR does not believe voluntary goals will be sufficient to drive the behavioral change needed to improve cybersecurity to the level required.

What Has Been Proposed


The proposed amendments aim to address the growing cybersecurity threats and vulnerabilities facing the U.S. healthcare system. The updated HIPAA Security Rule recommends that healthcare organizations implement advanced controls like mandatory encryption for all ePHI (both at rest and in transit), multi-factor authentication (MFA), network segmentation, regular vulnerability scanning and penetration testing, robust anti-malware protection, patch management, and configuration controls, while also conducting thorough risk assessments and maintaining strong access controls to limit unauthorized access to sensitive patient data.

Who Said What


Comments were received from 4749 individuals, healthcare providers, professional organizations and cybersecurity vendors, a broad show of support for strengthening cybersecurity protections for ePHI. At the same time, they reflected significant concerns about the practicality, burden, and clarity of some of the proposed changes.

Healthcare providers focused on implementation challenges: the feasibility and cost of the measures and the practicalities of implementing certain requirements, particularly for smaller organizations and those with technical limitations. Many focused on the significant financial impact of implementing the proposed measures, and on concerns that the costs involved in penetration testing were underestimated, especially for smaller entities.

Some also worried about potential disruptions to healthcare operations if compliance becomes overly burdensome.

Industry organizations: HIMSS recommended closer alignment with frameworks like NIST Cybersecurity Framework 2.0 and the HHS CPGs. The Consumer Technology Association (CTA) noted the burden of preparing detailed plans and procedures.

The American Council of Life Insurers (ACLI) urged that HHS reconsider the specific time periods provided in the Proposed Security Rule, and try to implement the rule in a way that wouldn’t require re-negotiating existing Business Associate Agreements (BAAs).

Cybersecurity experts noted that the NPRM significantly underestimates the time and effort required for thorough penetration testing and other security assessments and processes, referencing industry standards like PTES (the Penetration Testing Execution Standard).

Technology vendors stressed the need for greater clarity both in terms of scope (e.g. are EHR vendors “Business Associates”?) and in technical implementation details (e.g. around cloud environments, MFA, encryption, etc.).

Pushback on Frequency of Checks and Reporting Timelines


Several commenters expressed significant pushback on the various timeframes proposed in the updated HIPAA Security Rule, arguing that they are often too short and inflexible, and do not account for the operational realities and resource constraints of regulated entities, particularly smaller and rural providers.

Incident Reporting: There is a requirement for regulated entities to establish written procedures for restoring certain relevant electronic information systems and data within 72 hours, perform a criticality analysis, and create documented security incident response plans.

There is significant pushback that this rule is too prescriptive and would create undue burdens.

Patches and fixes: The proposed rule suggests patching critical vulnerabilities within 15 days and high-risk vulnerabilities within 30 days. Many argued these timelines are aggressive and difficult to meet due to system downtime requirements, vendor delays in releasing patches, the need for thorough testing, and the challenges associated with legacy systems at or nearing end of life support.

Recommendations included revising the deadlines to 30 days for critical vulnerabilities and 45 days for high-risk vulnerabilities, with flexibility for documented exceptions, aligning with industry norms like NIST SP 800-53. Some suggested timelines based on the CVSS severity rating scale, or allowing patching to occur on a “reasonable and appropriate” timeline based on risk assessment.
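The patching deadlines above are easiest to reason about once they are turned into a tracker that tells a security team which findings are inside or outside the window under each policy. The script below is an added example written for this article, not code from the author, Approov, or HHS. It maps a CVSS v3.x base score to its qualitative rating, applies either the NPRM’s proposed 15/30-day windows or the commenters’ recommended 30/45-day windows, and honours a documented exception date, which is how the “reasonable and appropriate, based on risk assessment” alternative would be recorded. The host names, vulnerability IDs (deliberately placeholders, not real CVE numbers), dates and scores in `SAMPLE` are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows in days, keyed by qualitative severity.
# PROPOSED follows the NPRM text; RECOMMENDED follows the commenters'
# alternative. Neither sets a fixed window below "high", so medium and low
# findings are reported as untracked rather than given an invented deadline.
PROPOSED = {"critical": 15, "high": 30}
RECOMMENDED = {"critical": 30, "high": 45}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to the standard qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    host: str
    vuln_id: str                   # placeholder ID, not a real CVE
    cvss: float
    found: date                    # date the scanner first reported it
    patched: Optional[date] = None
    exception_until: Optional[date] = None  # documented, risk-accepted deferral


def deadline(f: Finding, policy: Dict[str, int]) -> Optional[date]:
    """Due date under the given policy, or None if the severity is untracked."""
    days = policy.get(severity_from_cvss(f.cvss))
    return None if days is None else f.found + timedelta(days=days)


def status(f: Finding, policy: Dict[str, int], today: date) -> str:
    """Classify one finding relative to its deadline as of `today`."""
    due = deadline(f, policy)
    if due is None:
        return "untracked"
    if f.patched is not None:
        return "on_time" if f.patched <= due else "late"
    if f.exception_until is not None and today <= f.exception_until:
        return "deferred"          # documented exception still in force
    return "overdue" if today > due else "open"


def report(findings: List[Finding], policy: Dict[str, int],
           today: date) -> Dict[str, List[str]]:
    """Group findings by status; values are 'host:vuln_id' strings."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(status(f, policy, today), []).append(f"{f.host}:{f.vuln_id}")
    return out


# Constructed sample inventory (hosts, IDs, dates and scores are made up).
SAMPLE = [
    Finding("ehr-app-01", "VULN-A", 9.8, date(2025, 2, 1)),
    Finding("pacs-02", "VULN-B", 7.5, date(2025, 1, 20), patched=date(2025, 2, 15)),
    # Legacy infusion-pump gateway awaiting a vendor patch: documented exception.
    Finding("infusion-gw-07", "VULN-C", 8.1, date(2025, 1, 10),
            exception_until=date(2025, 3, 31)),
    Finding("intranet-wiki", "VULN-D", 5.3, date(2025, 2, 20)),
    Finding("vpn-edge-01", "VULN-E", 9.1, date(2025, 1, 5), patched=date(2025, 1, 28)),
]

if __name__ == "__main__":
    as_of = date(2025, 3, 1)
    for name, policy in (("proposed", PROPOSED), ("recommended", RECOMMENDED)):
        print(name, report(SAMPLE, policy, as_of))
```

Running it with the sample data shows the practical difference the two policies make: the same unpatched critical finding is overdue under the proposed windows but still open under the recommended ones, and a critical patch applied after 23 days is late under one and on time under the other. Feeding real scanner exports into `SAMPLE` turns this into a compliance check that can be run on whatever cadence the final rule requires.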

Workforce Access Termination Notification: The proposal to notify other regulated entities of a workforce member’s access termination to ePHI in less than 24 hours was challenged, citing variability in termination processes and reliance on HR system updates. Commenters recommended allowing entities to adjust the timeline based on their risk analysis, with immediate termination for high-risk separations and a 24-hour window for standard cases.

Data Backup and System Restoration: The proposed requirement to restore lost critical relevant electronic information systems and data in 72 hours or less received substantial pushback, given that restoration can depend on factors outside the regulated entity’s control, such as law enforcement investigations, supply chain delays, and coordination with vendors, especially medical device providers.

Many also operate with limited personnel, making such rapid restoration infeasible. Moreover, premature restoration before fully addressing the root cause of the disruption could lead to repeated breaches.

Commenters recommended replacing the strict 72-hour deadline with a flexible timeframe that requires timely restoration without further jeopardising data security, “within a reasonable and appropriate period, not to exceed 7 days,” based on a criticality analysis.

Reviews and Testing: Several proposals included a requirement for reviews and tests to occur at least once every 12 months for various administrative, physical, and technical safeguards. This includes policies, procedures, technical controls, and security incident response plans. The proposed compliance audit, to be conducted at least once every 12 months, was also questioned.

Contributors argued that the additional staffing costs would be particularly burdensome for organisations already subject to multiple compliance audits and, in smaller organisations, would risk diverting resources from patient care. It was suggested that the frequency of testing and reviews should be risk-based, with some recommending compliance audits every few years instead of annually.

Data Backup Testing Frequency: The proposed requirement to test the effectiveness of backups and document the results at least monthly was cited as unnecessarily frequent. Monthly testing could require substantial IT resources and workforce time, diverting attention from other critical security activities or patient care. Commenters instead suggested a risk-based approach for determining testing frequencies.

Vulnerability Scanning Frequency: The proposal for automated vulnerability scans no less frequently than once every six months was questioned: one commenter suggested monthly scans for highly dynamic IT environments and six-month scans for stable environments.

In summary, the dominant theme in the pushback regarding proposed timeframes and frequencies is that they are often perceived as unrealistic, overly prescriptive, and potentially detrimental to patient care because of the significant resource burdens they would impose, especially on smaller and rural healthcare entities.

Many commenters advocated for a more flexible, risk-based approach to these requirements.

About George McGregor

George McGregor is VP of Marketing for Approov. He is passionate about healthcare sector cybersecurity and previously held executive roles at Imperva, Citrix, Juniper Networks and HP.

Approov API Threat Protection provides a multi-factor, end-to-end mobile API security solution that complements identity management, endpoint, and device protection to lock down proper API usage. Only safe and approved apps can successfully use APIs. Bots and fake or tampered apps are all easily turned away and PHI is protected.