May 8, 2025

HHS Proposes Landmark Updates to HIPAA Security Rule to Address Escalating Cyber Threats

Author: Sam Munakl

The U.S. Department of Health and Human Services (HHS) has proposed sweeping updates to the HIPAA Security Rule, representing the most significant revision since the Omnibus Rule in 2013. Announced on December 27, 2024, the proposed changes aim to modernize and strengthen cybersecurity safeguards for electronic protected health information (ePHI), addressing an increasingly volatile threat landscape facing the healthcare industry.

This initiative reflects the federal government’s growing urgency to reinforce cybersecurity in healthcare, as the sector experiences an unprecedented surge in data breaches, ransomware attacks, and cyber incidents. In 2023 alone, ransomware attacks impacted over 100 million healthcare records, underscoring the critical need for more robust and prescriptive security standards.

Why These Changes Matter

Historically, the HIPAA Security Rule offered a degree of flexibility, allowing covered entities and business associates to implement “addressable” safeguards tailored to their risk profile. However, this flexibility has often led to inconsistent adoption of basic security controls, particularly among smaller healthcare providers. The proposed updates aim to close those gaps by mandating specific technical and administrative controls, transforming cybersecurity compliance from an interpretive framework to an enforceable baseline of security expectations.

Key Proposed Changes to the HIPAA Security Rule

1. Mandatory Security Controls

The proposed rule introduces explicit technical requirements aimed at fortifying defenses against unauthorized access and data exfiltration:

  • Encryption: Encryption of all ePHI, both in transit and at rest, will become mandatory, eliminating the current discretion entities have over this safeguard.
  • Multi-Factor Authentication (MFA): MFA would be required for accessing systems containing ePHI, significantly reducing the risk of unauthorized access via compromised credentials.
  • Network Segmentation: Organizations must implement segmented network architectures to isolate sensitive data and limit the blast radius of cyber incidents.
  • Regular Risk Assessments: Periodic and comprehensive security risk assessments must be documented, analyzed, and used to inform mitigation efforts.
  • Technical Asset Inventories: Entities must maintain up-to-date inventories of all hardware and software systems used to create, store, or transmit ePHI.

2. Enhanced Incident Response & Vendor Oversight

The proposed updates also address how entities respond to security events and manage third-party risk:

  • Incident Response Plans: Covered entities and business associates must develop formalized incident response protocols, including detection, mitigation, and recovery processes.
  • Vendor Notification Requirement: Business associates must notify covered entities within 24 hours of activating contingency operations, ensuring rapid visibility and coordination in the event of an incident.

3. Workforce Access & Security Training

Human error and weak internal controls remain key vectors in many healthcare breaches. These changes aim to minimize insider threats:

  • Stronger Access Controls: Access to ePHI must be restricted using least-privilege principles, with clearly defined roles and access permissions.
  • Mandatory Cybersecurity Training: Organizations must provide regular, up-to-date cybersecurity training to staff, tailored to their roles and responsibilities.

4. Compliance Audits & Documentation Requirements

To ensure long-term adherence, HHS proposes more rigorous documentation and accountability mechanisms:

  • Annual Compliance Audits: Covered entities will be required to conduct internal or third-party audits on an annual basis to validate compliance with the updated rule.
  • Comprehensive Documentation: Entities must maintain detailed documentation of their compliance efforts, including security policies, risk assessments, training logs, and breach response activities.

Implementation Timeline and Industry Response

The Notice of Proposed Rulemaking (NPRM) was published in the Federal Register on January 6, 2025, with a 60-day public comment window that closed on March 7, 2025. HHS will now review the feedback before issuing a final rule, which may include adjustments based on public input and legal considerations.

Although these proposed changes are seen as a critical step toward securing the healthcare ecosystem, concerns have emerged, particularly from smaller providers and rural clinics, regarding the financial, technical, and operational impact of implementation. Many argue that without dedicated funding or scalable solutions, these requirements could strain already limited resources.

Healthcare organizations are encouraged to begin preparing now by assessing existing cybersecurity practices, identifying gaps relative to the proposed requirements, and engaging their vendors and IT teams in readiness planning. Proactive adaptation may mitigate future compliance risks and strengthen resilience in the face of growing cyber threats.

Next Steps for Healthcare Organizations

With the proposed HIPAA Security Rule revisions on the horizon, healthcare entities must begin laying the groundwork for compliance to avoid being caught off guard when the final rule is enacted. The following steps can help covered entities and business associates prepare strategically:

1. Conduct a Gap Analysis

Perform a comprehensive security risk assessment comparing your current security posture against the proposed rule requirements. Identify areas where current safeguards may fall short, such as the absence of MFA, outdated asset inventories, or incomplete incident response plans.

2. Prioritize High-Impact Controls

Focus initial efforts on implementing the most critical and enforceable measures, such as:

  • Encrypting all ePHI at rest and in transit
  • Deploying multi-factor authentication across all access points
  • Establishing or enhancing incident response and contingency plans

3. Invest in Scalable Solutions

Smaller organizations with limited budgets should explore cost-effective technologies such as managed security service providers (MSSPs), cloud-based encryption platforms, and virtual audits to meet compliance standards without significant infrastructure investments.

Proactive preparation today will reduce compliance burdens tomorrow. The proposed changes reflect not only regulatory evolution but also the reality that cybersecurity is now central to patient safety and organizational resilience.
