It's worth noting that cybersecurity requirements can be a mechanism of control.<p>As a government regime, do you want to build an effective surveillance system where health data on large numbers of suspects can be pulled into a data fusion system at the push of a button, once a judicial framework for rubber-stamping is in place? And do you want to be able to pressure vendors into not supporting certain types of research/analysis and even direct patient care that could be construed/presented as counter to the regime's goals?<p>Both of these are easier when smaller vendors are forced out and larger vendors are the only ones left standing. As such, regulatory capture becomes a mutually beneficial tool to dominant vendors and regulators alike.<p>There are few coincidences when lobbying is involved. Which is not to say that cybersecurity improvements aren't a good thing! But speed and mechanisms of required rollout need to be balanced. And with the numerous signatories of [0] opposing the rule and describing "unreasonable implementation timelines," it's hard to say that this is entirely done in the interest of patients.<p>[0] <a href="https://assets.ctfassets.net/opszt4tga0mx/4QrJlGP2EkCiZjgvGxuGV1/490de7a60a8073dfb0c1de66dd5855bc/2025-12-8_Sign-On_Letter_re_HIPAA_Security_Rule.pdf" rel="nofollow">https://assets.ctfassets.net/opszt4tga0mx/4QrJlGP2EkCiZjgvGx...</a> (2025)
Of course they have to double down on yet another compliance regime. Why not converge on an existng NIST 800-53 baseline, or some HHS "tailored" variant? Or CMMC, if they want to push for more strict certification processes instead?<p>It's getting absurd with how many different compliance regimes a modern research university will have to follow simultaneously, if they do a broad set of defense, energy, basic sciences, and health research as well as having an attached medical school and teaching hospital.
As is the case with SOC2, the "vulnerability scan" requirement here is likely to be meaningless; <i>any</i> automated process that can plausibly be described as instrumental in finding <i>some kind</i> of vulnerability is a "vulnerability scan", so all you have to do is run nmap.
they have comment/request for information sessions for HIPAA rule proposals, which your input would be valued.
If it is like SOC2 I would expect respected auditors to reject that
But there are no auditors required for HIPAA. Only the government (HHS OCR) itself can enforce the standards.
Thanks for the clarification, in that case the text is indeed really weak. Does that system work in practice, or are companies just claiming they are HIPAA compliant with close to no actual auditing mechanism?
No? Like, wildly no? This is a big part of why you pay for the most respected auditors.
> so all you have to do is run nmap.<p>This is ignorance at best. No one who has ever actually had to do SOC2 compliance legitimately has just run nmap and been done with that.
<a href="https://blog.cloudflare.com/introducing-flan-scan/" rel="nofollow">https://blog.cloudflare.com/introducing-flan-scan/</a>
><i>No one who has ever actually had to do SOC2 compliance</i><p>while i find tptacek's opinions very strong on the subject, you would be extremely mistaken to think those opinions were formed without experience
Here's the full proposed rule: <a href="https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information" rel="nofollow">https://www.federalregister.gov/documents/2025/01/06/2024-30...</a>
The institutional moats grow ever wider.<p>PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks. The notion that your system might become "in-scope" is one of the scariest things you have to deal with. Avoiding this designation is almost always easier than satisfying all the controls they prescribe. Stripe & friends have it really good. I don't know who their equivalents are in the health care industry but I am certain they exist.
I despise PCI-DSS. A friend owns a small business and has a credit card reader. Due to that, we had to build out a separate LAN so that the reader is on its own precious network, and have to pay an external auditor for a quarterly scan of our external IP. Bullshit past findings were things like “your VPN server supports old encryption algorithms”. “But our clients don’t support them. They select the newer algorithms!” “But they <i>could</i>!” “What do you care? Those clients aren’t even on the same LAN as the scanner.” “PCI-DSS lol!” I have no way of knowing, but I bet the firewall might’ve accidentally blocked the scanning IP from reaching the VPN server port on the retest and called it a day, but surely not.<p>Basically, Visa and friends externalized their own shitty security and made every other company in the land responsible for wrapping their janky hardware in electronic bubble wrap. A <i>real</i> security framework would’ve said “don’t make a credit card scanner so weak that it can’t survive being on the same LAN as a printer”. Instead, the whole country has to waste billions of dollars mitigating that risk for them.
> Bullshit past findings were things like “your VPN server supports old encryption algorithms”. “But our clients don’t support them. They select the newer algorithms!”<p>Given that downgrade attacks are a massive category of attacks for network protocols, and in fact modern protocols go to great lengths to make them impossible, that doesn’t sound very bullshit at all.
If a client doesn’t support an algorithm, you can’t force a downgrade to it. A compensating control is that the clients are managed and only support the newest algorithms, and aren’t vulnerable to a downgrade attack.<p>Context is everything. Here, the context is that within this scan environment, it was, in fact, a bullshit finding.
I don't understand why there shouldn't be a strict-liability play here on top of penalties for knowing violations.<p>You lose all your customer's data to a darknet leak? We should be taking a huge chunk out of your balance sheet.<p>My insurer has disclosed names, social security numbers, and ENTIRE MEDICAL CASEFILES for their entire client base more than once at this point in overlapping data breaches. Why exactly don't they owe me $10k for my trouble, or N% shares of the company? If that's too much, why do these penalties exist for knowing disclosure, if incompetence is so tolerated that knowing disclosure does no damage?
Penalties are $100-$50,000 per violation (i.e. per leak for each person), up to $1.5 million per year[0]. If in the US (I'm assuming given you mention your health insurance) you can report it to your state insurance commissioner which may have already occurred for your incidents.<p>[0] <a href="https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement" rel="nofollow">https://www.ama-assn.org/practice-management/hipaa/hipaa-vio...</a>
At some point we really should consider a similar system to points on a drivers license for repeat offenders like that. Once, maybe twice come with some serious fines and compensation to victims. 3 times or more? Why are they allowed to continue to be in that business? We can't let repeat offenders be allowed to continue to handle sensitive data.
It's so grating to read obviously LLM-generated text, even more so from a company that is asking us to hire them for a security audit.<p>AI writing makes somewhat more sense on tech blogs. Where a business' value proposition is "We are knowledgeable and reliable about computer security", it seems unwise.
It really depends on who is testing and enforcing these standards. I have worked in this area, built scalable systems for medicare. The annual pen testing used to be a joke. Any consultant who would come had no clue what was being built, how the process worked - and they wouldn't even care to understand. After a meeting, we'd get the notification that the pen testing was successful. So, on paper you can change any rule - if the consultants you are hiring don't give a shit (which they usually don't)- nothing gets enforced. We would go out of our 'job responsibilities' to do internal testing of all sorts (the external agency would not even do 2% of that).
Wait a second. If encryption is required for all ephi, that means faxes will finally die, right? Right??? Please!
Nah, in legal compliance minds, faxes are magical, remote, wet ink.
My thought too. This would be huge if true.
How kind of them to require 2FA without requiring the governments to issue real 2FA tokens for use in signing / interacting. No doubt this will require some rootkit 'authenticator' app on the consumer's purchased mobile device that they are then not allowed to truly own.
Interesting. I haven’t fully read through the rule change, but seems like HHS is directly adopting the controls required by HITRUST? I have been out of the industry for a while. Always interesting how the industry shapes regulation and vice versa.
Is this why every healthcare website has 2FA now? It's so annoying.
you can be certain the DOGE kids downloaded as much as they could grab from federal systems about everyone's medical history including the federal e-prescription system<p>rules for thee but not for me
eh how are they going to make the usual small practice do "penetration testing"?