
From Compliance to Resilience: How HIPAA Security Rule Changes Could Impact Healthcare Providers (Part 2 of a Series) 

The proposed HIPAA Security Rule changes aren’t just another set of regulations to check off—they signal a shift toward a security-first culture. In today’s hyper-digital world, where everything from patient records to care delivery is interconnected, resilience has become the new gold standard. 

These proposed updates challenge us to think beyond compliance – and this article will explore what that means in practice. The proposed changes to the HIPAA Security Rule focus on safeguarding sensitive patient data, maintaining trust, and ensuring healthcare organizations can withstand the ever-growing threat of cyberattacks. 

But before we dive into how leaders should adapt to the updates, let’s establish why the changes are so important. 

Why HIPAA Updates Matter: The Stakes Have Never Been Higher 

When HHS estimates the first-year compliance costs of the new HIPAA Security Rule at $9 billion, it’s hard not to wince. For mid-sized healthcare providers, it’s not just a big number—it’s a real challenge. Balancing budgets, patient care, and operational demands is already tough. Adding costly upgrades and new processes might feel like an uphill battle. 

But here’s the reality: the cost of doing nothing is far greater.

Last year, HHS applied a 1.03241% cost-of-living increase to the civil monetary penalties for HIPAA, MSP, and SBC violations. The rising costs of remediation, penalties, and fines, combined with daily downtime expenses, cost healthcare organizations an average of $1.9 million. These financial and reputational impacts also force breached organizations to spend 64% more on annual advertising to reassure their care community. The message is clear: investing in proactive measures today can save far more tomorrow.

HIPAA Security Rule Changes: From Reactive to Proactive Security 

The proposed rule changes will transform how healthcare providers approach security, addressing people, processes, budgets, and mandates. Leaders should focus on three key factors: 

1. People: Your First Line of Defense 

Cybersecurity isn’t just about firewalls and encryption; it’s about people. The new rules demand organizations build their “human firewall” by: 

  • Hiring roles like Information Security Officers and Risk Analysts. 
  • Upskilling existing staff to fill cybersecurity gaps. 
  • Partnering with managed service providers for expert support. 
  • Providing ongoing training for all employees—from front-line staff to leadership. 

Cyberattacks often exploit human error, with 61% of healthcare data breaches coming from insider threats. Empowering employees with tools and knowledge is one of the most effective ways to mitigate this risk. 

2. Processes: From Snapshots to Live Feeds 

Under the proposed updates, periodic risk assessments will be replaced by continuous risk monitoring.

This means vulnerabilities, misconfigurations, and attacks are identified and addressed in real time—not weeks or months after they’ve done damage. Automated monitoring tools, real-time alerts, and proactive incident response are key to streamlining workflows and closing gaps before they can be exploited. 

3. Budget: Smart Investments Pay Off 

There’s no sugarcoating it: compliance will be expensive. But smart investments in the right areas can yield significant benefits. Key focus areas include: 

  • Multifactor Authentication (MFA): Requiring advanced tools like biometrics or token-based systems to verify access to sensitive systems. 
  • Network Segmentation: Isolating critical systems to limit the damage if a breach occurs. 
  • Data Encryption: Protecting ePHI in transit and at rest to ensure patient information stays secure. 

Yes, the upfront costs can be daunting, but they’re nothing compared to the costs of a breach—both financially and in terms of patient trust. 

Outdated Practices, Modern Risks 

The last major update to HIPAA’s Security Rule was in 2013. At the time, some safeguards like MFA were considered “nice-to-haves.” Fast-forward to today, and those “nice-to-haves” are essential. 

One of the most significant shifts in the proposed updates is the elimination of addressable safeguards. In the past, organizations had flexibility in implementing certain requirements based on their size, complexity, and resources. Now, all safeguards will be mandatory. This monumental shift levels the playing field and closes gaps that have long left patient data vulnerable. 

Here’s a table comparing the current state (before the proposed HIPAA Security Rule updates) with the proposed state (after the updates), focusing on the shift from addressable to required safeguards: 

| Safeguard Category | Before (Current Rule) | After (Proposed Rule) |
| --- | --- | --- |
| Addressable vs. Required | Safeguards are classified as “addressable,” allowing flexibility based on the size, complexity, and resources of the organization. | All safeguards are mandatory, eliminating flexibility and requiring uniform implementation across organizations. |
| Risk Analysis | Periodic risk assessments conducted at defined intervals. | Continuous risk monitoring in real time, requiring automated tools to identify and address risks dynamically. |
| Access Controls | MFA (Multifactor Authentication) is recommended but not required, with flexibility to use alternative methods. | MFA mandatory for all users accessing systems containing electronic Protected Health Information (ePHI). |
| Encryption | Encryption of ePHI is “addressable” based on the organization’s capabilities and environment. | Encryption of ePHI in transit and at rest becomes a required safeguard. |
| Network Segmentation | Network segmentation is not explicitly required but is considered a best practice to limit access and reduce risk. | Network segmentation becomes a required safeguard to isolate critical systems and limit damage from breaches. |
| Incident Response | Organizations are expected to develop and implement incident response plans, but with flexibility in structure and scope. | Incident response plans must include predefined processes for identifying, containing, and mitigating breaches. |
| Vendor Oversight | Providers are required to establish contracts with business associates that address security, but with some flexibility in oversight. | Providers must conduct regular audits of vendors, enforce compliance certifications, and update contracts to include stringent security clauses. |
| Workforce Training | Policies and procedures are required, but with flexibility in the level of detail and update frequency. | Regular, scenario-based cybersecurity training becomes mandatory for all employees, including executives. |
| Audit Controls | Auditing systems are “addressable” and often dependent on the organization’s ability to implement them. | Audit controls, including activity logging and monitoring, are mandatory for all organizations. |
| Documentation | Policies and procedures are required, but with flexibility in the level of detail and update frequency. | |

This table highlights the shift from flexibility to uniform, mandated implementation, requiring healthcare organizations to adopt more robust and standardized safeguards to protect ePHI effectively. 

Building a Resilient Culture: The Big Opportunity 

Rather than seeing these updates as just another compliance headache, healthcare providers should embrace them as an opportunity to build a stronger, more resilient organization. Here’s how: 

  1. Empower Your People: Equip employees with scenario-based training (like phishing simulations) to prepare them for real-world threats. 
  2. Leverage Technology: Use automated platforms to identify vulnerabilities, provide actionable insights, and respond to incidents quickly. 
  3. Secure Vendor Relationships: Audit vendors, require compliance certifications, and embed security requirements into contracts. 
  4. Lead from the Top: Cybersecurity isn’t just an IT issue—it’s a leadership priority. Leaders should set the tone by prioritizing investments in security and embedding resilience into organizational goals. 

Establishing a Future-Ready Healthcare Industry 

This isn’t just about ticking boxes on a compliance checklist—it’s about preparing for the future. Cyber threats aren’t going away, and healthcare providers must shift from reactive defenses to proactive, resilient systems. 

While the financial and operational challenges are significant, so are the opportunities. By embracing these changes, healthcare organizations can not only protect their patients but also build trust, foster innovation, and ensure their own longevity in a rapidly evolving landscape. 

The proposed updates to the HIPAA Security Rule represent a turning point—an opportunity for the industry to step up, modernize, and lead the way in resilience. 

In the final part of this series, we’ll dive deeper into specific safeguards like MFA, network segmentation, encryption, and actionable strategies for implementing these updates with minimal disruption to day-to-day operations. 


About the Author

George Pappas, Chief Executive Officer

George C. Pappas, CEO of Intraprise Health, is a high-tech executive with more than 35 years’ experience working with a wide range of software companies, from $5M to over $100M in revenue. He has led R&D teams in the US, India, Russia, Poland, and China, and is an active member of CHIME.