
U.S. Agencies Propose New Cybersecurity Guidelines and Rules

Client Updates / January 29, 2025

Written by: Haim Ravia, Dotan Hammer

As the landscape of cyber threats continues to evolve, federal agencies are actively updating regulations to better protect sensitive information. The U.S. Federal Trade Commission (FTC) recently published new guidelines for businesses, recommending security practices in software, data management, and consumer product design. Meanwhile, the U.S. Department of Health and Human Services (HHS) published a draft of updates to HIPAA’s Security Rule for public comment.

The FTC’s “Start with Security: A Guide for Business” offers practical advice for businesses on cybersecurity in their operations. The guide aligns with federal initiatives to protect sensitive data by emphasizing administrative, physical, and technical safeguards. It highlights the importance of managing risks, implementing access controls, and providing security awareness training to information system users. The FTC guide underscores the need for businesses of all sizes to proactively address cybersecurity and emphasizes that the foundational elements of cybersecurity have remained consistent over the last 20 years.

HHS proposed significant modifications to the HIPAA Security Rule, aiming to strengthen the cybersecurity of electronic protected health information (ePHI) while managing the increasing risks of cybersecurity attacks. The HIPAA Security Rule was last updated more than a decade ago, and the proposed changes now seek to modernize the security requirements applicable to HIPAA-covered entities and their business associates (i.e., service providers and vendors). The proposed updates include requirements such as mandatory routine penetration testing, data encryption, multi-factor authentication (MFA), technology asset inventories, and network segmentation. The proposed rule emphasizes the need for written policies and procedures, regular review and updates to security measures, and the deployment of technical controls. The public comment period for this proposed rule ends on March 7, 2025.

Click here to read the FTC’s guidelines.

Click here to read the full draft proposal of the HHS to modify the HIPAA Security Rule.
