As is the case with SOC2, the "vulnerability scan" requirement here is likely to be meaningless; any automated process that can plausibly be described as instrumental in finding some kind of vulnerability is a "vulnerability scan", so all you have to do is run nmap.
Interesting. I haven’t fully read through the rule change, but seems like HHS is directly adopting the controls required by HITRUST? I have been out of the industry for a while. Always interesting how the industry shapes regulation and vice versa.
How kind of them to require 2FA without requiring the governments to issue real 2FA tokens for use in signing / interacting. No doubt this will require some rootkit 'authenticator' app on the consumer's purchased mobile device that they are then not allowed to truly own.
It's worth noting that cybersecurity requirements can be a mechanism of control.
As a government regime, do you want to build an effective surveillance system where health data on large numbers of suspects can be pulled into a data fusion system at the push of a button, once a judicial framework for rubber-stamping is in place? And do you want to be able to pressure vendors into not supporting certain types of research/analysis and even direct patient care that could be construed/presented as counter to the regime's goals?
Both of these are easier when smaller vendors are forced out and larger vendors are the only ones left standing. As such, regulatory capture becomes a mutually beneficial tool to dominant vendors and regulators alike.
There are few coincidences when lobbying is involved. Which is not to say that cybersecurity improvements aren't a good thing! But speed and mechanisms of required rollout need to be balanced. And with the numerous signatories of [0] opposing the rule and describing "unreasonable implementation timelines," it's hard to say that this is entirely done in the interest of patients.
Your comment is essentially borderline conspiracy theory that HIPAA is somehow setting up a surveillance state.
> As a government regime, do you want to build an effective surveillance system where health data on large numbers of suspects can be pulled into a data fusion system at the push of a button, once a judicial framework for rubber-stamping is in place?
Sure, and I'm right there with you that people should protest frameworks for judicial rubber-stamping. But HIPAA is like the only privacy law in America, basically, and having it mandate that medical data is encrypted can be good on its own.
While there are standardized formats for medical data, many are so ill-adopted that building some sort of surveillance system would be a monumental task; the bulk of data I've worked with has been in poorly documented, non-standard formats.
> Both of these are easier when smaller vendors are forced out and larger vendors are the only ones left standing
Clearer regulations and standardized, interoperable data formats benefit smaller players.
PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks. The notion that your system might become "in-scope" is one of the scariest things you have to deal with. Avoiding this designation is almost always easier than satisfying all the controls they prescribe. Stripe & friends have it really good. I don't know who their equivalents are in the health care industry but I am certain they exist.
I've implemented PCI-DSS and have 12 years of level 1 audits behind me. I actually find their rules to be sane, pretty good security practice. Internally, we made many of the controls standard across the board even for out-of-scope systems because they were sensible and we'd already built the tooling for it. If you implement it well, once you're compliant it is easy to stay compliant.
And yes, there is plenty of incentive to keep things out of PCI scope. I'd say that is PCI working as intended. Why would you want a larger attack surface that touches your credit card data?
We recently did PCI-DSS level2 and it was pain in the right place to complete the scans and gaps their scripts find. It took 6 months to complete the audit.
It's so grating to read obviously LLM-generated text, even more so from a company that is asking us to hire them for a security audit.
AI writing makes somewhat more sense on tech blogs. Where a business' value proposition is "We are knowledgeable and reliable about computer security", it seems unwise.
It really depends on who is testing and enforcing these standards. I have worked in this area, built scalable systems for medicare. The annual pen testing used to be a joke. Any consultant who would come had no clue what was being built, how the process worked - and they wouldn't even care to understand. After a meeting, we'd get the notification that the pen testing was successful. So, on paper you can change any rule - if the consultants you are hiring don't give a shit (which they usually don't)- nothing gets enforced. We would go out of our 'job responsibilities' to do internal testing of all sorts (the external agency would not even do 2% of that).
I don't understand why there shouldn't be a strict-liability play here on top of penalties for knowing violations.
You lose all your customer's data to a darknet leak? We should be taking a huge chunk out of your balance sheet.
My insurer has disclosed names, social security numbers, and ENTIRE MEDICAL CASEFILES for their entire client base more than once at this point in overlapping data breaches. Why exactly don't they owe me $10k for my trouble, or N% shares of the company? If that's too much, why do these penalties exist for knowing disclosure, if incompetence is so tolerated that knowing disclosure does no damage?
you can be certain the DOGE kids downloaded as much as they could grab from federal systems about everyone's medical history including the federal e-prescription system
Of course they have to double down on yet another compliance regime. Why not converge on an existng NIST 800-53 baseline, or some HHS "tailored" variant? Or CMMC, if they want to push for more strict certification processes instead?
It's getting absurd with how many different compliance regimes a modern research university will have to follow simultaneously, if they do a broad set of defense, energy, basic sciences, and health research as well as having an attached medical school and teaching hospital.
Universal encryption of PHI at rest is going to be INCREDIBLY painful. Hospitals mostly have onprem, locked down mainframe IRIS systems that host data. If the IRIS data is encrypted at rest then it can’t be compressed which means hospitals will have to buy a bunch more hardware which is super expensive, especially these days.
This doesn’t get you much in terms of security. The IRIS system itself is an OLTP so it’s going to need to constantly pass around the encryption key and use it constantly, and if an attacker gets disk access they also will have access to the keys.
So this is a big waste of everyone’s time and money.
I'm not sure why there's so much negativity in this thread. The listed requirements were already basic table-stakes security standards. IMO, anyone not encrypting all user data at rest, requiring MFA, etc. is bush league.
highly irritating. HIPAA was originally designed to be a "portability" standard (meaning easier to share). It has done the opposite. Health data is important to developing a cure, and privacy is unimportant to many people. The world would be better if there we were zero regulation here at all.
This was a pleasant surprise; I fully expected a gutting of the rules, based on what’s been on the front page these past few months. I’m glad to see that someone in the federal govt is paying attention to the risk landscape.
25 comments
[ 3.4 ms ] story [ 58.8 ms ] threadAs a government regime, do you want to build an effective surveillance system where health data on large numbers of suspects can be pulled into a data fusion system at the push of a button, once a judicial framework for rubber-stamping is in place? And do you want to be able to pressure vendors into not supporting certain types of research/analysis and even direct patient care that could be construed/presented as counter to the regime's goals?
Both of these are easier when smaller vendors are forced out and larger vendors are the only ones left standing. As such, regulatory capture becomes a mutually beneficial tool to dominant vendors and regulators alike.
There are few coincidences when lobbying is involved. Which is not to say that cybersecurity improvements aren't a good thing! But speed and mechanisms of required rollout need to be balanced. And with the numerous signatories of [0] opposing the rule and describing "unreasonable implementation timelines," it's hard to say that this is entirely done in the interest of patients.
[0] https://assets.ctfassets.net/opszt4tga0mx/4QrJlGP2EkCiZjgvGx... (2025)
> As a government regime, do you want to build an effective surveillance system where health data on large numbers of suspects can be pulled into a data fusion system at the push of a button, once a judicial framework for rubber-stamping is in place?
Sure, and I'm right there with you that people should protest frameworks for judicial rubber-stamping. But HIPAA is like the only privacy law in America, basically, and having it mandate that medical data is encrypted can be good on its own.
While there are standardized formats for medical data, many are so ill-adopted that building some sort of surveillance system would be a monumental task; the bulk of data I've worked with has been in poorly documented, non-standard formats.
> Both of these are easier when smaller vendors are forced out and larger vendors are the only ones left standing
Clearer regulations and standardized, interoperable data formats benefit smaller players.
PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks. The notion that your system might become "in-scope" is one of the scariest things you have to deal with. Avoiding this designation is almost always easier than satisfying all the controls they prescribe. Stripe & friends have it really good. I don't know who their equivalents are in the health care industry but I am certain they exist.
And yes, there is plenty of incentive to keep things out of PCI scope. I'd say that is PCI working as intended. Why would you want a larger attack surface that touches your credit card data?
AI writing makes somewhat more sense on tech blogs. Where a business' value proposition is "We are knowledgeable and reliable about computer security", it seems unwise.
You lose all your customer's data to a darknet leak? We should be taking a huge chunk out of your balance sheet.
My insurer has disclosed names, social security numbers, and ENTIRE MEDICAL CASEFILES for their entire client base more than once at this point in overlapping data breaches. Why exactly don't they owe me $10k for my trouble, or N% shares of the company? If that's too much, why do these penalties exist for knowing disclosure, if incompetence is so tolerated that knowing disclosure does no damage?
rules for thee but not for me
It's getting absurd with how many different compliance regimes a modern research university will have to follow simultaneously, if they do a broad set of defense, energy, basic sciences, and health research as well as having an attached medical school and teaching hospital.
[1] https://www.youtube.com/watch?v=4sfIBRTcRpU
https://odysee.com/@NaomiBrockwell:4/HIPAA:7
This doesn’t get you much in terms of security. The IRIS system itself is an OLTP so it’s going to need to constantly pass around the encryption key and use it constantly, and if an attacker gets disk access they also will have access to the keys.
So this is a big waste of everyone’s time and money.