VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC 2, ISO 27001, HIPAA, GDPR, CPRA, NY SHIELD, Texas HB300 and HITRUST, and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
May 2026 HIPAA Changes: What Every Organization Must Do Now
We break down the largest HIPAA Security Rule update in 15 years and explain what it demands from healthcare, SaaS, and telehealth teams. Clear requirements replace ambiguity with MFA everywhere, stronger encryption, real testing, faster recovery, and rapid partner notices.
• why HIPAA must modernize for cloud, AI and telehealth
• how ransomware pressure shapes stricter controls
• asset and data inventory as the foundation
• MFA as a universal, required control
• encryption across endpoints, transit and rest
• security testing with scans, pen tests and AV
• network segmentation to stop lateral movement
• incident response tested annually with 72‑hour restore
• 24‑hour notification to partners
• evidence‑based audits and stricter access management
• vendor due diligence and AI governance
• timeline to effective and compliance dates
• three actions to start now: risk analysis, MFA rollout, vendor inventory
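The bullets above describe an inventory-driven gap check: every asset or vendor that touches ePHI must have MFA and encryption, scans and pen tests must be recent, the IR plan must have been tested, and every vendor needs a BAA. The script below is an added example, not code from the podcast or from VanRein Compliance, that applies those cadences to a constructed sample inventory and lists what misses. The field names, the asset "kind" vocabulary, and the assumption that scan and pen-test cadence applies to servers and SaaS platforms rather than individual endpoints are choices made for this example.

```python
"""Gap check over an ePHI asset and vendor inventory.

Added example, not code from the podcast or from VanRein Compliance. It
encodes the cadences the episode lists (MFA and encryption on every system
that touches ePHI, vulnerability scans every six months, an annual pen test,
an annually tested incident response plan, a signed BAA for every vendor)
and flags the items that miss them. Field names and the sample inventory
are constructed for this example; real evidence dates would come from your
scanner, MDM and vendor records.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SCAN_MAX_AGE = timedelta(days=182)     # "vuln scans every six months"
PENTEST_MAX_AGE = timedelta(days=365)  # "annual penetration testing"
IR_TEST_MAX_AGE = timedelta(days=365)  # "test those plans annually"
# Assumption for this example: scan/pen-test cadence is tracked per server
# or SaaS platform; endpoints are covered by AV/MDM evidence instead.
SCANNED_KINDS = {"server", "saas"}


@dataclass
class Asset:
    name: str
    kind: str                 # "endpoint", "server", "saas" or "vendor" (constructed vocabulary)
    handles_ephi: bool
    mfa: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    last_vuln_scan: Optional[date] = None
    last_pentest: Optional[date] = None
    baa_signed: bool = False  # only meaningful when kind == "vendor"


def is_overdue(last: Optional[date], max_age: timedelta, today: date) -> bool:
    """Missing evidence counts as overdue: no date means no proof it happened."""
    return last is None or today - last > max_age


def find_gaps(assets: List[Asset], today: date,
              last_ir_test: Optional[date] = None) -> List[Tuple[str, str]]:
    """Return (asset name, issue) pairs for every in-scope item that misses a control."""
    gaps: List[Tuple[str, str]] = []
    for a in assets:
        if not a.handles_ephi:
            continue  # out of scope: no ePHI, so these controls do not apply
        if not a.mfa:
            gaps.append((a.name, "no MFA"))
        if not a.encrypted_at_rest:
            gaps.append((a.name, "not encrypted at rest"))
        if not a.encrypted_in_transit:
            gaps.append((a.name, "not encrypted in transit"))
        if a.kind in SCANNED_KINDS:
            if is_overdue(a.last_vuln_scan, SCAN_MAX_AGE, today):
                gaps.append((a.name, "vulnerability scan older than six months or missing"))
            if is_overdue(a.last_pentest, PENTEST_MAX_AGE, today):
                gaps.append((a.name, "penetration test older than a year or missing"))
        if a.kind == "vendor" and not a.baa_signed:
            gaps.append((a.name, "vendor touches ePHI without a signed BAA"))
    # The IR-plan test is a program-level control, checked once, not per asset.
    if is_overdue(last_ir_test, IR_TEST_MAX_AGE, today):
        gaps.append(("program", "incident response plan not tested in the last year"))
    return gaps


# Constructed sample inventory and dates (not real systems or real evidence).
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_LAST_IR_TEST = date(2025, 2, 1)   # 393 days ago: overdue
SAMPLE_INVENTORY = [
    Asset("emr-cloud", "saas", True, True, True, True,
          last_vuln_scan=date(2026, 1, 10), last_pentest=date(2025, 9, 1)),
    Asset("frontdesk-laptop-07", "endpoint", True, True, False, True),
    Asset("billing-db-01", "server", True, False, True, True,
          last_vuln_scan=date(2025, 6, 1), last_pentest=None),
    Asset("ai-transcription-vendor", "vendor", True, True, True, True, baa_signed=False),
    Asset("marketing-site", "saas", False, False, True, True),  # no ePHI, skipped
]


if __name__ == "__main__":
    for name, issue in find_gaps(SAMPLE_INVENTORY, SAMPLE_TODAY, SAMPLE_LAST_IR_TEST):
        print(f"{name}: {issue}")
```

Run against the sample inventory this reports six gaps: the laptop without disk encryption, three on the billing server (no MFA, scan overdue, no pen test on record), the AI vendor without a BAA, and the untested IR plan. Treating a missing date as overdue is deliberate: under an evidence-based audit, a control with no dated evidence is indistinguishable from one that was never done.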
Need help with a risk analysis? We can get a report together so you can see your risk and plan forward.
Thank You for Listening to the VRC Podcast!
Setting The Stage For Change
Rob: Welcome to the VanRein Compliance Podcast with Rob and Don. We help growing teams reduce risks, build trust, and stay audit ready without the overwhelm. Welcome back to the VanRein Compliance Podcast. I'm Rob, and this week I'm going to walk us through the biggest HIPAA Security Rule update that we've had in over 15 years and what it means for your business. So HIPAA's been around a while, right? It's been around for 30 plus years. It had a HITECH update in about 2013, up to about 2014. And then we had another update around COVID time, about 2020, 21. But there hasn't been a big change with HIPAA. It hasn't done anything, right? It has been the law. And that's really what it's needed to be. It's almost like a speed limit. It's been 65 for years. And now we're like, hey, let's go to 75. Let's go a little higher. Or in some cases, let's go a little lower. But today, what I want to walk you through is the changes that are coming in May of 2026, just a couple months away. And this is very significant. There's a lot of changes within the regulation. So HIPAA hasn't had a major update in probably a decade. But this is what's going to change. We're going to focus on the HIPAA Security Rule that's going to become law in May of 2026. At the time of this recording, it is on track to become law. It's gone through the public domain, it's gone through all the feedback. It's gone through everything that the market does and how the bill has worked its way through Congress. Now it's going to come to Secretary Kennedy's desk to get final reviewed, signed, and then it becomes law, right? So the goal of the HIPAA Security Rule update is really to modernize HIPAA for the world of ransomware, cloud computing, and AI. These are the big pieces that we're really focused on. The first piece is why is HIPAA being updated? Well, it hasn't been touched in a while, right?
There's been a lot of changes in computing. If you think about it, when HIPAA came out, everything was on premise. All the servers were on premise. Computers were on premise. It was in your office, right? It was in your data center. Now they've migrated, and pretty much everything is in EMRs. Everything's in the cloud. Nobody even thinks about actually going in and putting a server on-prem anymore, or in a data center. Now, some high security, high requirements, or high availability, I've seen that kind of come back into data centers, but everything has gone cloud. That has been the big focus. The AI transcription tools, those are big as well, right? Those are the things that are ingesting the data. And we need to know how to handle those. And that's what's included in this bill. Telehealth platforms is another area, along with third-party SaaS vendors. So we work with a lot of clients that are SaaS, or they are also telehealth providers and platforms. These areas have exploded in the last two years, and it's even getting more and more competitive, I would say, even in the last six months as AI continues to come out. So these are areas that are in scope in the final bill. We're very excited to see that. Kind of the last piece that I'm seeing, what needs to be focused on, is the ransomware targeting hospitals. It is a daily, by the minute sometimes, attack on our healthcare system. And the reason being is there's so much data. When you go to the hospital, they not only have all your personal information, even down to your social security numbers, address, all your health records, medication, all of that. They also have your financials, right? They probably have, maybe, banking account information, or they have an Aetna or a Cigna card or a WellPoint card. With those cards you can make a fullz, meaning you make a full identity, that's worth about $1,1200 on the black market.
So there are thieves out there, and they'd love to steal and sell your information for their own good. And that's what they like to do. So those are the areas that they're really focusing on: how do we strengthen the healthcare infrastructure and industry here in the United States? It really strengthens the protections for ePHI and clarifies what organizations must do to secure it. That's the big piece. The next piece we're seeing is really the biggest changes that are expected here in the new HIPAA regulation coming in May. A lot of the areas, if you remember with HIPAA, there is addressable, there is standard, and there's required areas. Very, very ambiguous, right? The addressables always confuse people. Here at VanRein, we've always addressed everything. Everything's required, I guess, because a lot of the addressables, like encryption or two-factor authentication and all that, really are required. If you go for a SOC or ISO or HITRUST, those are required. So we're like, you know what, here at VanRein we've raised the bar on HIPAA and said everything has got to meet these standards. Oh, but it's going to finally become a law. The other area that is exciting is actually focusing on data and asset inventory. So think of it as a risk register, right? You need to list out all the inventories of your hardware, of your software, of your third parties, of your AI platforms, all of those that handle ePHI, and map them, like on a physical map, right? You can just put it all together, or you can put a virtual map. I don't know. I like both. But think of it as your servers, your laptops, your integrations, all of this. When we come in and do an audit, these are the things we look for. You have to have a really solid asset and data inventory of your environment, so you know where the weakest links are.
And then you can also understand what you need to do to deal with any incident, or if there are even issues or breaches. I can say breaches today. The other thing that's becoming mandatory is two-factor. Multi-factor, two-factor today is addressable. Isn't that scary? It is going to be required. So you need to make sure that you have your two-factor authentication on your email platforms. You need to make sure you have it on your internal platforms, you need to make sure you have it on your EMRs, you need to make sure you have it on your AIs, you need to make sure you have it if you're able to travel, even if you want a travel platform. Anything and everything needs two factors. So for example, at VanRein, we're a Google shop, we have two-factor on our entire Google Workspace. We're a Slack shop, we have two-factor on our Slack. VRC one is our auditing tool, we have two-factor on that. Even our HR platform, we use Riplight. All of that has two-factor, because you're only as good as your weakest link. So if you have a platform, for example, if VRC one that we use for auditing doesn't have two-factor, that is a risk factor into the entire environment. So you've got to have those, you've got to have everything dialed in. You've got to have your two-factors. We're making this mandatory, and it removes the ambiguity. Ambiguity, there we go. Removes the ambiguity of what needs to happen with two-factor and becomes an actual law, which is great. Finally, we're gonna go ahead and expand the encryption expectations. So everything is encrypted. Right now, it just says data in transit and data at rest must be encrypted, but it's kind of vague. So it's gonna be a lot more prescriptive, and it's gonna be very focused, and it's not optional. You have to have everything encrypted. So your data in transit and your data at rest and all in between has to be encrypted.
Computers have to have either BitLocker encryption or FileVault encryption. There should be no, we don't want any thumb drives. I don't want to see any mobile devices. If we give a mobile device, those must be encrypted as well. For example, let's talk about that. They are encrypted out of the box. Androids are not. That's just by design. Those all must be encrypted. Everything has to be encrypted and put together to make sure that the data is secure at all times. No more weak links, no more, you know, is this good enough? Do the bare minimum. We don't do the bare minimum, nor do we audit to the bare minimum. You have got to meet all these today, and this is what's coming. So get yourself prepared. So required security testing is the next piece in the regulations. Organizations are now gonna be required to do vuln scans every six months. They're gonna do annual penetration testing, malware protection, and network segmentation. These are going to be required. This is not going to be a test. It's not gonna be just kind of do it. This is not gonna be, well, maybe we'll do it later. No, you're gonna be required to do vuln scans, you're gonna be required to do pen tests. You know what's interesting is you have to do all this if you do take a certification, right? If a SOC 2 or an ISO or even HITRUST, they're gonna want that. I know some auditors in the SOC 2 world may let that go, but I know our auditor doesn't, because it's important to know where the risks are in your environment. You gotta have the pen test, you gotta have the vuln scans. Malware, come on, folks, it's antivirus. We know that. It's already there. I will say it's so easy to install and manage nowadays. It's just normal that it's there. The one piece that's probably gonna confuse folks is network segmentation. The network segmentation is important. So then you can segregate out your threat vectors.
So if you have, like, production where you have databases, such as an EMR, that's one VLAN, if you will, one network. The next you could have, maybe that's email and your Slack or your Teams environment, whatnot, that's another network. And then maybe you have database redundancy as another network. Oh, let's see, maybe you have HR items, stuff like that. You kind of segregate those networks out in large environments to make sure that the data doesn't cross, or where it does, it knows exactly where to go. So that way you can isolate any risks. And these are really designed to reduce ransomware spread. These are gonna be the key pieces that you are going to have to ensure that you're gonna do, because what's gonna happen is if ransomware, or when it gets in, you got to be able to close the door, right? Isolate it off and keep your business going. So the security testing is going to be big. Now let's see. The next one that I'm seeing is really stronger incident response requirements. This is big as well. So right now, you do have to complete a formal incident response plan, that is in the regulation, but it's gonna move to required. So you're gonna be required to have an IRP. We already require that in our auditing. We're gonna make sure that you have that. How are you going to respond to an incident, right? How are you gonna get the business back up and running, items like that? Those are gonna be key pieces. We've got to test those plans annually. If you really look at everything and what we need to do, you've got to be able to test the plans to make sure the plans are working correctly. Because you can't just go in here and go, I have an IRP, it's documented, it's a pretty PDF, it's a Google Doc, it's a Word doc. Yay, it's 18 pages, look what I did. But have you tested it? If you haven't tested it, there's no value. It's just written words that have no value. You've got to test to know the gaps, right?
It's like sports, it's like football, it's like motor racing, whatnot. You have a new part, you have a new play. Will that get me over the goal line? Will that help us win? We don't know. You could run the plays, but you got to test it in the field. So you've got to test those plans annually. A new critical piece actually detailed out is you've got to restore systems within 72 hours. Within 72 hours, you've got to have your environments back up and running. That is not an if; that's gonna be required by law, and it will be enforced with fines, and you'll be put on the HIPAA Wall of Shame. That's another big change. So you've got to have those IRP plans, how you respond, what you do, and then be able to move those forward. Notify your partners rapidly if a security event occurs. That's another section. They're requiring notification. It's really just good business, but they felt like a lot of people haven't notified. I've seen some MSPs not notify their clients that they've had incidents. So we're gonna make it a law. Right. You're gonna have to do good business, do the right business, and make sure that you notify them within that 24 hours. 24 hours is key. You know what's going on within about five hours. You probably know within about two hours what's really going on in your environment. But business associates are gonna need to report back what the incident is that they're seeing and what's going on. Those are the key pieces. So, what does this mean for healthcare companies? What does this mean for IT companies? What does this mean for answering services? What does this mean for SaaS companies? What does this mean for a small practice? Here's what is expected, and here's what we're gonna do, and this is what we're gonna take our clients to. First up is the annual security audits. You've got to do those. You gotta do your HIPAA audit, your HITECH audit. I'm even gonna do a NIST audit.
That's what we're starting to roll out here at VanRein. Stronger risk assessments. The days of, hey, check the box, it's good to go, aren't gonna work anymore. You gotta have very strong risk assessments, audits with evidence, evidence-based audits. Like today, I need to see the screenshot of your incident response plan. I gotta see your plan, right? Screenshot being where you keep it in your environment so people can get to it. When you have your antivirus and all that going on your desktops, I need to see the dates. I need a screenshot of the date and time. Is it actually legitimate today? Don't manipulate things. And making sure that we actually have good evidence. Stricter access management. We need to know all the computers, all the access, mobile devices, everything. Those are key pieces. So the strict access management: who has access to the environment, who doesn't have access, and making sure it's documented, because we've got to have that. Vendor vetting, vendor vetting. We've been harping on this one for a while, but you've got to vet your vendors, right? I always like to say vendors are just there to, you know, basically throw peanuts at a ballgame. They're not there to help you. You want strategic partners that are there to help champion your success. That's what you got to do. So you want to make sure your strategic partners are in a true partnership with you, right? Do they have BAAs signed? Do they have incident response plans? Do they have disaster recovery plans? Do they have their AI governance plan? You got to make sure those are all put together and all lined up specifically, because it's very important to know your supply chain. If one part of your supply chain breaks, then your business is at risk. If your business is at risk, then you're at risk of not only failing a HIPAA audit, but breaching data.
And then you got to deal with the government investigators, and there will be fines. So what I'm really seeing here as far as a timeline, I know we've gone through a lot of that, but kind of a timeline is: the final rule should be published within May, probably towards the end of May, probably before Memorial Day, we'll get that published. 60 days later from that, you know, in July, the rules will become effective. And then 180 days after that, compliance is required. The law will become final in May. 60 days after that, it becomes effective. 180 days, the compliance is required. So we are already preparing our clients and teams on how to handle this. We're already ready, because a lot of this has already been required in other frameworks, but now it's exciting to see it actually written in law. So all of you, every listener and everybody else that is new to listening to the podcast, you're gonna have to go ahead and make sure you comply before the end of '26. Period. This is a big year. Making sure that you have everything in order and making sure that you have evidence of everything and be ready by, I'm even gonna say, like November, right? Let's get it before the holidays, before things get really crazy. So, three things you can do today to get things ready and get prepared between now and May, right? Well, first up, what you need to do is you need to conduct a full HIPAA security risk analysis. Where are you? Where are you? You don't know what you don't know until you have an audit. So you need to have an audit. You need to go through and take a look at the inventory of your environment, right? Next, you need to really look at that multi-factor authentication. That's gonna be huge. Two-factor, multi-factor authentication in the environment. Do you have everything in place? Are you using a Google single sign-on or Microsoft or some other type of SSO, right? What does that look like?
What does single sign-on with two-factor look like? Do you have that in the environment? Is it all working? Next up is really take an inventory of your strategic partners. Make sure they're good partners. Anybody that touches health information, from AI to front office to answering services to any developers to any websites, anybody and anyone that touches health information, you got to make sure that you have that documented. And that you have that inventory of all vendors, and make sure you have that very robust list. Also take an inventory of your platform. Look at the risk. Let's build a risk register out. Do we have everything documented, from software and hardware? Those are key, key pieces. So to kind of close things and wrap this up a little bit, you know, HIPAA isn't just about policies. It's not just about writing a policy, making sure it's done, making sure it's taken care of and all of that. It's really about making sure that you have mature cybersecurity. We're going away from, oh, I've got policies, we're good to go, or oh, you know, Amazon has a SOC 2, fine, I don't care. This and that. No, you are going to be required to have the proper frameworks. You're gonna be required to have cybersecurity maturity, and that's what you really need to do. The organizations that prepare early and get in front of it have a huge advantage when this thing becomes final rule in May. And we'll be able to just crank right ahead and crank forward. So these are the areas that we see here at VanRein. And we're just excited to be able to announce that we're here to actually help you walk through these, right? You need help with a risk analysis, we can help you go through that. We can go ahead and get a report together for you so that you can see your risk, and then you can plan that forward. Yeah.
So thank you for joining us again here on the VanRein Compliance Podcast as we go through our wonderful world of HIPAA this week, and look forward to more information coming later.