The healthcare industry is at a pivotal moment in its approach to cybersecurity. The U.S. Department of Health and Human Services (HHS) has proposed sweeping updates to the HIPAA Security Rule—the first significant revision since 2013. These updates aim to address the realities of modern cyber threats, from ransomware attacks to unauthorized cloud access.
Now that the March 7th comment window has closed, let’s break down what’s changing, why it matters, and how organizations can prepare.
Let’s begin with what’s changing—and why.
HIPAA Security Rule History
The HIPAA Security Rule was established in 2003 to set national standards for safeguarding electronic protected health information (ePHI). Over the years, the rule has evolved to reflect shifts in technology and cyber risk:
- 2003: The original HIPAA Security Rule took effect.
- 2013: The “Omnibus Rule” expanded HIPAA’s scope to cover business associates and implement stronger privacy protections following the HITECH Act.
- 2025 (Proposed Changes): The current proposed updates focus on addressing the cybersecurity realities of today, such as phishing, ransomware, and cloud vulnerabilities—threats that were less sophisticated or common in 2013.
The existing HIPAA Security Rule is outdated in a world where telehealth, mobile apps, and cloud-based data systems are the norm. These proposed updates aim to close the gap between regulation and real-world risk.
Proposed HIPAA Security Rule Updates
The proposed rule introduces several enhancements designed to strengthen data protection and operational resilience:
1. Mandatory Multifactor Authentication (MFA):
In today’s environment, where phishing attacks have become highly sophisticated, passwords alone aren’t enough. MFA dramatically reduces the chances of unauthorized access by adding another layer of protection. In fact, according to Microsoft, properly configured MFA blocks 99.9% of automated cyberattacks.
With hybrid work and cloud infrastructure usage on the rise, mandatory MFA is no longer a ‘nice-to-have’ – an essential security baseline. Poor password practices are the direct result of more than 80% of healthcare data breaches. Implementing is a critical step in protecting sensitive data and maintaining customer trust.
2. Comprehensive Risk Analysis and Management:
The massive 2022 CommonSpirit Health ransomware attack disrupted services across hundreds of facilities across the U.S.The breach was traced back to vulnerabilities in third-party vendor systems, underscoring the importance of robust risk assessments that include external partnerships and IoT connections.
Had the risk analysis been more comprehensive—factoring in third-party risks and bolstering vendor access controls—CommonSpirit may have detected vulnerabilities and strengthened defenses before the attack.
With an evolving threat landscape, comprehensive risk management isn’t just about securing internal systems—it’s about assessing every interconnected component to stay one step ahead of cybercriminals. By identifying and mitigating risks early, healthcare organizations can avoid costly disruptions and protect patient safety.
3. Enhanced Network Segmentation:
Think of your IT infrastructure as a ship. If one compartment starts flooding, bulkheads prevent water from spilling into the rest of the vessel. Similarly, network segmentation divides your IT environment into isolated sections, containing cyberattacks and preventing them from spreading like wildfire.
This strategy is crucial in the case of ransomware, where attackers often aim to paralyze entire systems. By segmenting critical assets—like patient records, billing systems, and IoT-connected devices—you can limit an attacker’s movement and minimize downtime and damage if a breach occurs.
4. Data Encryption Requirements:
Imagine your sensitive data as a locked treasure chest—without the key, even if someone steals the chest, they can’t access what’s inside. That’s the power of encryption. By encrypting electronic Protected Health Information (ePHI) both in transit (while being sent) and at rest (while stored), organizations make their data unreadable to unauthorized users.
Even if cybercriminals breach your systems and access your files, they’re met with indecipherable code. This significantly reduces the impact of breaches, reducing both financial and reputational damage.
Mandating encryption both at rest and in transit, organizations can turn their most valuable data into a useless trove for attackers—accessible only to those holding the proper decryption keys. Encryption isn’t just a regulatory checkbox; it’s a fundamental pillar of modern data security that safeguards patients, preserves trust, and ensures compliance with healthcare regulations.
5. Improved Documentation and Compliance Tracking:
Think of security documentation as your organization’s “black box”—it records critical information that can be invaluable in both routine operations and crises. Strengthened requirements for documenting security protocols, updates, and incidents ensure that you have a clear record of your actions and a roadmap for faster responses when incidents occur.
Kaiser Permanente, one of the largest U.S non-profit health plans and delivery networks, has developed rigorous compliance tracking systems that allow it to produce evidence of safeguards during audits and investigations quickly. This proactive approach to documentation has helped them avoid regulatory fines and maintain customer trust.
Implementing clear and thorough documentation streamlines audits, reduces compliance headaches, and demonstrates that your organization has exercised due diligence to meet regulatory standards. This can be critical in avoiding fines and mitigating legal repercussions during investigations.
Improved documentation and compliance tracking do more than check regulatory boxes—they create a culture of accountability and resilience. By maintaining accurate records, healthcare organizations can respond swiftly to incidents, support their legal standing, and show auditors that they meet or exceed security and compliance obligations.
Why These Changes Are Critical
The proposed updates come at a time when the healthcare sector faces unprecedented cyber threats:
- Rise in Ransomware Attacks: Healthcare organizations are frequent targets because of the high value of patient data and the operational pressure to restore access quickly.
- Telehealth and Remote Work: The rapid shift to telehealth services and remote workflows during the pandemic introduced new access points for potential breaches.
- Third-Party Risk: Many healthcare organizations now depend on third-party vendors and cloud-based platforms, creating more points of vulnerability.
- Downtime Breach Costs: According to Comparitech, breaches cost healthcare organizations $1.9 million per day in downtime expenses.
These factors highlight the need for updated regulations that reflect today’s interconnected and increasingly digital healthcare ecosystem.
Preparing for What’s Ahead
While the proposed updates to the HIPAA Security Rule are not yet final, healthcare leaders should begin preparing now. Implementing stronger access controls, conducting thorough risk assessments, and updating documentation practices will help with future compliance and improve overall cybersecurity posture.
The 60-day public comment period started January 6, 2025, and ended on March 7, 2025, providing an opportunity for healthcare providers, vendors, and industry stakeholders to have their voices heard. Engaging in this process can help shape a regulation that balances security, usability, and operational feasibility.
In the next blog, ‘From Compliance to Resilience: How the New HIPAA Security Rule Could Impact Healthcare Providers’, we’ll explore how these proposed changes could impact your organization and what steps you can take to get ahead of the curve. nts, reputation, and bottom line?
