HIPAA’s New Vulnerability Management Guidelines: What You Need to Know
Last month, the United States Department of Health and Human Services (HHS) proposed an update to the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HHS has been pushing for an update to the set of standards that healthcare organizations must meet when it comes to consumer data protection, largely because the healthcare industry has struggled to keep up with the pace of security exploits and software supply chain threat vectors. The latest proposed update of the Security Rule contains new requirements around container security, risk analysis, and data security best practices. At the core of these updates is a new SLA that healthcare organizations must adhere to around the remediation of Common Vulnerabilities and Exposures (CVEs).
Read on to learn more about why this new SLA was put in place, and practical strategies for solving this onerous compliance requirement.
The Healthcare Industry is a Massive Target
In the past few years, healthcare organizations have been feeling increased pain in keeping their environments safe from security breaches. In a recent statement, the HHS reported that “large breaches” increased by 102% from 2018-2023, with the number of individuals affected by these breaches increasing by 1002% during the same time period. (Yes, you read that correctly: over 1000%.) In 2023 alone, over 167 million individuals were impacted by large breaches. The sheer amount of data healthcare organizations have to manage is scaling quickly, and keeping it secure has become increasingly difficult.
We’ve seen several of these large breaches play out in recent years. In February 2024, Change Healthcare experienced a cyberattack that reportedly impacted over 190 million people and has cost the company over $1.5B in direct response costs (and ~$2.9B in total costs). In 2015, the data of over 78 million people was compromised in a breach of Anthem Blue Cross Blue Shield.
HIPAA’s New CVE Remediation SLA: Making the Target Smaller
In an effort to prevent breaches like those described above, HHS is updating HIPAA’s Security Rule for the first time since 2013. Core to the many updates is a new requirement for remediating CVEs in healthcare companies’ software supply chains under strict, mandatory SLAs. CVEs marked as Critical Severity must be addressed within 15 calendar days of discovery, and those marked as High Severity must be addressed within 30 calendar days. But that’s not all.
The HHS has also said they will require healthcare organizations to conduct an annual audit to hold themselves accountable to these standards and maintain compliance. That means that remediating CVEs won’t be something healthcare organizations can do just once for compliance — the CVE remediation effort must be handled continuously, both to clear the backlog of existing CVEs, and also to address new CVEs as they are discovered. This requirement is similar to the continuous monitoring requirements present in other compliance frameworks for highly regulated industries like government software (FedRAMP) and financial services (PCI DSS).
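The two remediation windows above (15 calendar days for Critical, 30 for High, counted from discovery) and the continuous-monitoring expectation translate directly into a tracking check that a vulnerability management team can run against every scan. The following is an added example, not code from the original post or from Chainguard; it assumes scan findings have already been normalized into a severity, a discovery date and an optional remediation date, and the CVE identifiers and image names in it are constructed placeholders, not real vulnerabilities.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Mandatory remediation windows (calendar days) from the proposed Security
# Rule update described in the post. The proposal sets no window for Medium
# or Low, so those findings are tracked but never flagged as overdue here.
SLA_DAYS = {"CRITICAL": 15, "HIGH": 30}

# Fixed "as of" date so the report below is reproducible (assumption).
AS_OF = date(2025, 2, 1)


@dataclass(frozen=True)
class Finding:
    """One normalized scanner finding (shape is an assumption of this example)."""
    cve_id: str
    severity: str
    image: str
    discovered: date
    remediated: Optional[date] = None


def sla_deadline(finding: Finding) -> Optional[date]:
    """Last compliant day for the finding, or None when no SLA applies."""
    days = SLA_DAYS.get(finding.severity.upper())
    if days is None:
        return None
    return finding.discovered + timedelta(days=days)


def sla_status(finding: Finding, today: date) -> str:
    """Classify a finding against its SLA as of `today`.

    Returns one of: no_sla, remediated_in_sla, remediated_late,
    open_within_sla, overdue.
    """
    deadline = sla_deadline(finding)
    if deadline is None:
        return "no_sla"
    if finding.remediated is not None:
        return "remediated_in_sla" if finding.remediated <= deadline else "remediated_late"
    return "open_within_sla" if today <= deadline else "overdue"


def days_overdue(finding: Finding, today: date) -> int:
    """Calendar days past the deadline for an open finding (0 if not overdue)."""
    deadline = sla_deadline(finding)
    if deadline is None or finding.remediated is not None or today <= deadline:
        return 0
    return (today - deadline).days


def sla_report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Bucket CVE ids by SLA status; 'overdue' and 'remediated_late' are the
    buckets an annual audit would surface, so they are what to drive alerts from."""
    report: Dict[str, List[str]] = {
        k: [] for k in ("overdue", "open_within_sla", "remediated_late",
                        "remediated_in_sla", "no_sla")
    }
    for f in findings:
        report[sla_status(f, today)].append(f.cve_id)
    return report


# Constructed sample scan output. These are NOT real CVEs or real images.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "CRITICAL", "registry.example/api:1.0",
            date(2025, 1, 2)),                                   # deadline 2025-01-17, still open
    Finding("CVE-EXAMPLE-0002", "HIGH", "registry.example/api:1.0",
            date(2025, 1, 10)),                                  # deadline 2025-02-09, still open
    Finding("CVE-EXAMPLE-0003", "CRITICAL", "registry.example/web:2.3",
            date(2025, 1, 20), remediated=date(2025, 1, 30)),    # fixed before 2025-02-04
    Finding("CVE-EXAMPLE-0004", "HIGH", "registry.example/web:2.3",
            date(2024, 12, 1), remediated=date(2025, 1, 15)),    # fixed after 2024-12-31
    Finding("CVE-EXAMPLE-0005", "MEDIUM", "registry.example/web:2.3",
            date(2025, 1, 5)),                                   # no mandatory window
]


def sample_report() -> Dict[str, List[str]]:
    """Run the report over the constructed findings as of AS_OF."""
    return sla_report(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for status, ids in sample_report().items():
        print(f"{status}: {ids}")
    for f in SAMPLE_FINDINGS:
        if days_overdue(f, AS_OF):
            print(f"{f.cve_id} in {f.image} is {days_overdue(f, AS_OF)} days past its SLA")
```

Run against each new scan (daily or on every image rebuild) rather than once a year: the `remediated_late` bucket is what an audit finds after the fact, while the `overdue` bucket, combined with `days_overdue`, is what lets a team act before the window closes. The windows are keyed on the scanner's severity label, so any normalization of CVSS scores into Critical/High should happen before findings reach this check.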
The HHS’s proposed updates to the Security Rule are only the beginning of a long journey to bring the healthcare industry in line with other industries’ security and compliance standards. At Chainguard, we expect these updates to continue, with the HHS moving towards guidelines like NIST 800-53 as a best practice. This is critical for engineering teams at healthcare companies to understand: NIST 800-53 requires zero CVEs overall in container images, as well as FIPS cryptography and STIG hardening to ensure a secure software foundation.
Chainguard Images: CVE-Free, HIPAA Compliant
The proposed CVE remediation SLA will help reduce the risk for healthcare organizations in maintaining the security of their data, but comes at a cost: increased overhead, complexity, and toil for engineering and security teams who have to do the hard work of identifying, triaging, and remediating CVEs. Effective CVE management requires dedicated headcount, taking away precious resources from important product development projects.
Chainguard Images simplify continuous compliance for companies operating under HIPAA. Our minimal, hardened images start at zero CVEs and stay there under our best-in-class enterprise SLA for CVE remediation (7 days for Critical, 14 days for High, Medium, and Low). Engineering teams can quickly drop in Chainguard Images and see instant time to value when it comes to improved security and performance.
And as a pioneering leader in container best practices, Chainguard’s images are future-proofed as HIPAA’s Security Rule evolves. Beyond CVE remediation, Chainguard also offers over 400 kernel-independent FIPS images, each of which is paired with an OS-level STIG for container hardening compliance. In short, Chainguard Images allow healthcare organizations to speedrun the HIPAA compliance maze – without sacrificing developer productivity and at a lower total cost of ownership.
Reach out today and see how Chainguard Images can help your organization get ahead of the new HIPAA Security Rule requirements.