How kind of them to require 2FA without requiring the governments to issue real 2FA tokens for use in signing / interacting. No doubt this will require some rootkit 'authenticator' app on the consumer's purchased mobile device that they are then not allowed to truly own.
It really depends on who is testing and enforcing these standards. I have worked in this area, built scalable systems for Medicare. The annual pen testing used to be a joke. Any consultant who would come had no clue what was being built, how the process worked - and they wouldn't even care to understand. After a meeting, we'd get the notification that the pen testing was successful. So, on paper you can change any rule - if the consultants you are hiring don't give a shit (which they usually don't) - nothing gets enforced. We would go out of our 'job responsibilities' to do internal testing of all sorts (the external agency would not even do 2% of that).
As is the case with SOC2, the "vulnerability scan" requirement here is likely to be meaningless; any automated process that can plausibly be described as instrumental in finding some kind of vulnerability is a "vulnerability scan", so all you have to do is run nmap.
They have comment/request-for-information sessions for HIPAA rule proposals, in which your input would be valued.
If it is like SOC2 I would expect respected auditors to reject that.
But there are no auditors required for HIPAA. Only the government (HHS OCR) itself can enforce the standards.
Thanks for the clarification, in that case the text is indeed really weak. Does that system work in practice, or are companies just claiming they are HIPAA compliant with close to no actual auditing mechanism?
You get that the technical controls in SOC2 are also extremely weak, right?
Sure, yes
No? Like, wildly no? This is a big part of why you pay for the most respected auditors.
I guess we had different experiences. The ones I interacted with were ok and wouldn’t accept a simple nmap here.
I'm not being snarky when I say that not getting your automated vulnerability scan, whatever it might have been, past your SOC2 auditors is a skills issue. SOC2 audits are not technical and the vulnerability scan control in SOC2 is categorically not meaningful. Cloudflare wrote a whole post about this.
It's so grating to read obviously LLM-generated text, even more so from a company that is asking us to hire them for a security audit.
AI writing makes somewhat more sense on tech blogs. Where a business' value proposition is "I am knowledgeable and reliable about computer security", it seems unwise.
I was thinking the same - makes the article feel very amateur and unprofessional. And I know for a fact that AI can do a better job at writing than this, I doubt they read it and had any sense of how poor the writing actually is.
The institutional moats grow ever wider.
PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks. The notion that your system might become "in-scope" is one of the scariest things you have to deal with. Avoiding this designation is almost always easier than satisfying all the controls they prescribe. Stripe & friends have it really good. I don't know who their equivalents are in the health care industry but I am certain they exist.
I despise PCI-DSS. A friend owns a small business and has a credit card reader. Due to that, we had to build out a separate LAN so that the reader is on its own precious network, and have to pay an external auditor for a quarterly scan of our external IP. Bullshit past findings were things like “your VPN server supports old encryption algorithms”. “But our clients don’t support them. They select the newer algorithms!” “But they could!” “What do you care? Those clients aren’t even on the same LAN as the scanner.” “PCI-DSS lol!”
Basically, Visa and friends externalized their own shitty security and made every other company in the land responsible for wrapping their janky hardware in electronic bubble wrap. A real security framework would’ve said “don’t make a credit card scanner so weak that it can’t survive being on the same LAN as a printer”. Instead, the whole country has to waste billions of dollars mitigating that risk for them.
It's worth noting that cybersecurity requirements can be a mechanism of control.
As a government regime, do you want to build an effective surveillance system where health data on large numbers of suspects can be pulled into a data fusion system at the push of a button, once a judicial framework for rubber-stamping is in place? And do you want to be able to pressure vendors into not supporting certain types of research/analysis and even direct patient care that could be construed/presented as counter to the regime's goals?
Both of these are easier when smaller vendors are forced out and larger vendors are the only ones left standing. As such, regulatory capture becomes a mutually beneficial tool to dominant vendors and regulators alike.
There are few coincidences when lobbying is involved. Which is not to say that cybersecurity improvements aren't a good thing! But speed and mechanisms of required rollout need to be balanced. And with the numerous signatories of [0] opposing the rule and describing "unreasonable implementation timelines," it's hard to say that this is entirely done in the interest of patients.
[0] https://assets.ctfassets.net/opszt4tga0mx/4QrJlGP2EkCiZjgvGx... (2025)
Interesting. I haven’t fully read through the rule change, but seems like HHS is directly adopting the controls required by HITRUST? I have been out of the industry for a while. Always interesting how the industry shapes regulation and vice versa.
Wait a second. If encryption is required for all ePHI, that means faxes will finally die, right? Right??? Please!
Is this why every healthcare website has 2FA now? It's so annoying.