Welcome to my “MySpace” to talk all things HIPAA-HITECH new rules. The young folks on the ORDR marketing team googled my ask for a MySpace and gave me a blog page instead. I’ll be updating this space on the regular with my latest thoughts. Enjoy!

– Wes 

Friday, March 7, 2025 

I just returned from HIMSS and was overwhelmed by the number of folks that attended my session on the HIPAA/HITECH New Rules, so the content must resonate. I know it’s not me because I’ve done lots of presentations with different content before and usually get about six people sitting around looking at their phones! So, again, thank you.

A slap-in-the-head Homer Simpson “Doh” moment came when folks approached me about where they could find more information: I told them I’d posted a bunch of stuff on my personal LinkedIn and asked them to search for it there. Apologies.

My plan is to rectify that with this space. You’ll find any documents I post(ed) on LinkedIn regarding the New Rules, here on this blog. I’m also going to use this space to perhaps write/create some stuff that’s a little less consumable on LinkedIn – but I’ll use LinkedIn to refer back to it. 

I plan on asking some of my friends their opinions on the New Rules. Perhaps, I can get Jacki Monson from Sutter Health (she was cited either 31 or 41 times in the document) to contribute some “inside baseball” comments and thoughts on the New Rules. Intermountain Health’s Erik Decker may opine a bit for us as well (haven’t asked him yet, though).

I have to say, I’m super, super heartened by the response around this topic. No, not just because it’s good for ORDR (it is) but because it shows me that the group of folks that I used to be part of are: 1. Thinking strategically (we know those rules will eventually come into play — or some form of them) and 2. Despite the “pause,” you’re all still interested in getting the right things done. Like I said in my presentation, most all this New Rule stuff you already moved into the “Red Zone.” I think these New Rules are going to be what helps us get the ball in the End Zone. 

Link to my HIMSS presentation on the HIPAA/HITECH New Rules

P.S. I’ve added all my previous HIPAA/HITECH New Rules content below.

Feb. 27, 2025 

Why do we need to update the HIPAA/HITECH rules?  

I’ve extracted the two sections of the New Rules document that tell that story, no edits on my part. I left the footnotes in there too so you can see how these new rules were developed by a group of your peers, working together and talking truth about what HC IT needs.  

That sounds like the mission statement for a lot of the organizations I belong to, so imagine my surprise when I find out most of them are AGAINST these new rules.

Enjoy the read. 

New Rules Document Extraction: Compliance With Security Rules is Inconsistent 

Feb. 15, 2025 

Gemini and I have been working on gathering a list of things that need to be documented when/if the New Rules come down the pike.  

One of the last paragraphs in the document says: “[45 CFR 164.316(a)(2)] to require a regulated entity to document all of the actions, activities, and assessments required by the Security Rule.” So, I asked Gemini to identify “all of….” and added a few more prompts, and we came up with this (it missed a few things I thought were pretty important, so I put them in; human in the loop, ya know).
If you haven’t had the time, this is probably as succinct a document as you’re going to find to read about what’s coming at you, maybe, sometime.

Link to “Actions, Activities, and Assessment by the New Rules” 

Feb. 2, 2025 

More on the “New Rules.” I told you HHS had really done the ROI on the #NewRules, and here it is. I cut it out to use some of the numbers they came up with, with my CFO, so I figured you could do the same. #ORDR

Link to New Rules ROI Discussion 

January 29, 2025 

New HIPAA/HITECH Rules: Regulatory Impact Analysis 
I’ve heard some folks talk about how much implementation of the New Rules is going to cost, and it looks like the GOVT anticipated that argument (I know it’s mandated, but they did a bang-up job on this one). I’ve attached that section. 
Bottom line: in the “pay me now or pay me later” thought process, HHS has decided “pay me later” is no longer an option.
#NewRules #ORDR 
*Bonus: there are some great numbers, ratios, rationale in here you can use with your CFO/CEO on other projects! 

Link to “Reg Impact Section by Itself” 

January 16, 2025 

Proposed new HIPAA/HITECH rules. If you haven’t read it, great document but really wordy. I’ve cut out Section 164.308 Administrative Safeguards and then cut some of the fluff out of that. So, here’s 64 pages of goodness you can consume. 

Key learnings for me: 

  • Inventory is king and it’ll have to be real time — mashing together lists to come up with a number just won’t work anymore. 
  • Network maps are expected 
  • ePHI flows also need to be mapped, which means you’ll have to know all the locations of all your ePHI (#Tausight can probably help with that.)
  • Massive patch management changes to include mandated patch time for critical and high vulnerabilities (15/30 days). 

Way, way more to come. Since #Ordr provides a ton of this information, we’re working on mapping your #Ordr data to these new standards, just like we’ve done with NIST.

Link to Edited Version (fluff cut out) 
