
Approov Analysis on HIPAA Security Rule Amendment for Cybersecurity

Approov Limited, a global leader in mobile app and API security, issued “Public Comments Analysis on HIPAA Security Rule Amendment for Cybersecurity,” an analysis of the more than 4,700 comments Health & Human Services (HHS) received from healthcare providers, associations, technology vendors, and individuals on the proposed amendment to the HIPAA Security Rule for electronic health information.

The report calls out specific concerns likely to be considered for the much-needed amendment. Healthcare organizations have been aggressively targeted by ransomware operators and other threat actors over the last 12 months.

Findings: While there’s broad support for the proposed security enhancements, there’s also strong, legitimate concern about the practical feasibility of implementing certain measures. Among key issues:

Concerns:

  • Feasibility of Measures: the practical implementation of certain rules, especially for smaller organizations.
  • Patch Management: the feasibility of meeting proposed timelines for patching vulnerabilities.
  • Incident Reporting: challenges with the requirement for reporting security incidents, particularly unsuccessful breach attempts.
  • Business Associate Verification/Supply Chain Risk: Difficulty in verifying the cybersecurity measures of business associates.
  • Mobile App Protection: The need to properly address the threats from apps on unmanaged personal devices. The report notes the example of a 9-page comment from a global healthcare software company that specifically requests guidance on which types of devices they expect anti-malware to be deployed on.

Requests to HHS:

  • Greater Clarity from HHS Needed: More detailed guidance, particularly for smaller entities, on compliance with cybersecurity measures. Clearer definitions of “electronic media” and “security or security measures,” the concept of “direct management control” in cloud computing environments, and the types of devices covered for malicious software detection.
  • Reporting Flexibility: Requests that unsuccessful breach attempts not be classified as incidents.
  • Data Restoration: Calls for more flexibility in restoration timelines for critical systems and data.

Report author George McGregor, Approov VP, said in part: “Mobile health app and mobile provider app code is uniquely exposed. Even when obfuscation techniques are used, app code can be decompiled and analyzed, and malicious code can run on devices. Specific defenses are required.”

Approov’s app attestation technology has been adopted by major organisations in high-stakes industries, demonstrating its real-world effectiveness. By reducing API attacks by over 95% and preventing bot attacks, man-in-the-middle exploits, and app tampering, Approov is creating a safer digital ecosystem.

For more information about Approov’s mobile security solutions, please visit www.approov.io.

Press Release by Madison Alexander PR
