New HIPAA Security Rule Tightens Cybersecurity for Healthcare Organizations

Proposed changes to HIPAA cybersecurity regulations could pose significant operational and budget challenges for Chief Information Security Officers (CISOs) in the health sector. New mandatory audits, backup and recovery timelines, and enhanced vendor oversight could strain already tight budgets and resources.

Below, we break down the key updates — and offer practical advice on how your organization can get ahead – and possibly save money along the way.

(Note: The Department of Health and Human Services is currently reviewing public comments on the proposed rule, the final step before deciding whether it will be published. If published, the rule  would become effective 60 days later and covered entities and business associates would then have only 180 days from the effective date to comply.)

What is Expected to Change in the HIPAA Security Rule?

All hospitals, clinics, and healthcare providers must comply with new, tougher HIPAA security requirements — turning what used to be flexible guidelines into mandatory, enforceable standards. While these changes are not yet in effect, organizations may benefit from evaluating their current security posture and identifying areas for improvement to align with the proposed standards. Here's a quick overview of the new requirements:

• Elimination of "Addressable" Specifications: Previously, organizations had discretion in determining whether certain security measures were necessary based on their risk environment. This flexibility is being eliminated — all specifications will become mandatory, meaning every covered entity and business associate must fully implement HIPAA’s prescribed security controls. If you previously documented why a control was "addressable," use that justification to prioritize implementation. If an alternative control was in place, assess whether it meets the new "mandatory" threshold before replacing it entirely.
• Mandatory Multi-Factor Authentication (MFA): All users accessing systems containing ePHI must use MFA. If possible, enforce FIDO2-based authentication (YubiKeys, Google Titan) instead of SMS-based MFA, which is vulnerable to phishing.
• Mandatory Encryption: All ePHI must be encrypted, whether it's stored or transmitted. If you're not sure where encryption is lacking, run a simple Data Loss Prevention (DLP) scan to check for unencrypted sensitive data in storage, databases, and backups. If your Electronic Health Record (EHR) system or cloud provider does not support encryption at rest, prioritize migrating to one that does (AWS S3 with SSE, Azure Blob Storage Encryption, Google Cloud Storage CMEK). Ensure encryption mechanisms align with NIST 800-111 and NIST 800-52/77 standards.
• Network Segmentation: Organizations must divide their networks into separate zones, isolating systems that store or process electronic protected health information (ePHI) from the rest of their IT environment. This makes it much harder for hackers to move laterally across systems if they breach one part of the network. Effective segmentation limits the damage of a cyberattack and helps contain threats before they can reach sensitive patient data.
• Annual Security Audits: Organizations would be required to conduct formal security audits every 12 months, covering all HIPAA security standards and implementation specifications instead of performing ad-hoc evaluations. Previously, many organizations treated audits as one-time events; this change formalizes the requirement for ongoing evaluation. If you're already conducting SOC 2, ISO 27001, or NIST CSF audits, align HIPAA audits with those efforts. Leverage existing compliance tools rather than reinventing the wheel. Assign each compliance area an internal "audit owner" who is responsible for tracking progress before the formal audit process begins. This decentralizes the burden and avoids last-minute scrambles.
• 72-Hour Disaster Recovery: Under the proposed rule, organizations must be able to restore ePHI access within 72 hours following a breach or ransomware event. To help with compliance, schedule annual tabletop exercises and live recovery drills to ensure the 72-hour requirement is feasible. Simulate a real-world recovery scenario at least once per year. Ask: How long did it take? What failed? What do we need to fix?

• Regular Penetration Testing and Vulnerability Scanning: Annual pen tests and biannual scans are mandatory under the proposed rule. With this change, it is advisable to outsource at least one major penetration test per year while maintaining continuous internal testing using Breach & Attack Simulation (BAS) tools such as SafeBreach or AttackIQ. Also, use Tenable, Qualys, or Rapid7 to schedule vulnerability scans every six months. Consider aligning vulnerability scans with patch management cycles to make remediation more efficient.
• Technology Asset Inventory: Organizations must maintain updated inventories and network maps under the proposed rule. Right now, the HIPAA Security Rule doesn’t require healthcare organizations to keep a formal inventory of their data and technology. But under the new proposed rules, organizations would have to maintain written inventories of all hardware, software, and data that handle patient information. They would also need to create maps showing how patient data moves through their systems. These inventories and maps would need to be updated every year — or sooner if there’s a security incident, a legal change, or a major technology upgrade. With this change, it is advisable to set up an automated asset discovery process to flag new, unapproved devices or software installations in real-time.
• Stricter Vendor Management: Covered entities must annually verify that all business associates meet HIPAA security requirements. This will require implementing continuous vendor monitoring. Platforms such as OneTrust, CyberGRX, or BitSight can automate vendor risk assessments. Also, organizations should include mandatory security audits in contract renewals: require SOC 2 Type II or ISO 27001 compliance from vendors handling ePHI. It may be helpful to bundle vendor audits into contract renewal cycles to ensure compliance before signing new agreements.

Why The New HIPAA Security Rule Updates Matter Now

The healthcare sector has been a favorite target for cybercriminals because patient data is extremely valuable — both for black-market sales and ransomware extortion. Last year, a cyberattack on UnitedHealth’s Change Healthcare division compromised sensitive data for over 100 million Americans.

Incidents like this prompted regulators to act fast, and the HIPAA Security Rule updates aim to harden defenses across the industry. Under the proposed rules, even if hackers manage to break into your network, strong security measures such as encryption, multi-factor authentication, and network segmentation should stop them from easily accessing patient records, moving deeper into your systems, or using the stolen data. The goal is to make any breach as limited — and as useless to attackers — as possible.

Practical Steps for HIPAA Compliance with the HIPAA Security Rule

Given that the proposed updates have not been finalized, healthcare organizations should continue to comply with the current HIPAA Security Rule requirements. However, considering the potential for significant changes, organizations may consider proactively assessing their security measures in anticipation of potential future requirements.

Here’s how healthcare organizations can tackle these new requirements without getting overwhelmed:

1. Reassess Your HIPAA Risk Management Program

Start with a fresh HIPAA risk assessment. A foundational element of this mandate is conducting a comprehensive HIPAA risk assessment. A HIPAA risk assessment involves evaluating the potential risks and vulnerabilities to ePHI within an organization's environment. The U.S. Department of Health and Human Services emphasizes that such an assessment is the first step in identifying and implementing safeguards that comply with the Security Rule. All ePHI created, received, maintained, or transmitted by an organization is subject to this evaluation. Make sure it addresses the new required controls like MFA, encryption, and network segmentation. If your last assessment treated these as “optional,” it’s time to revise.

2. Prioritize High-Impact Changes First

Don't attempt a wholesale upgrade overnight. Instead, align implementation with annual security cycles (e.g., Q1 = Access Controls, Q2 = Encryption, Q3 = Incident Response, Q4 = Security Testing). Focus on quick wins:

• Enforce MFA across all systems containing ePHI.
• Encrypt databases, backups, and communications.
• Create or update your network segmentation plan.

3. Prepare for Annual Audits

Build an audit calendar now. Don't wait for December — split HIPAA audit elements into quarterly checks:

• Q1: Access control review and MFA audits
• Q2: Data encryption and network security reviews
• Q3: Penetration tests and disaster recovery drills
• Q4: Vendor compliance and training evaluations

4. Strengthen Vendor Oversight

You’ll need to take a closer look at the security practices of your business associates — anyone who handles ePHI on your behalf. It’s no longer enough to trust that they’re doing the right thing. You should require formal proof of their security standards, such as a SOC 2 Type II report or ISO 27001 certification, whenever possible. Be sure to keep detailed records of all vendor assessments, contracts, and certifications to demonstrate compliance if regulators come calling. Document everything.

5. Enhance Backup and Disaster Recovery

Simulate recovery scenarios at least once a year. Make sure your ePHI can truly be restored within 72 hours — not just on paper. It’s important to do more than just write a disaster recovery plan — you need to test it. At least once a year, run a real-world simulation to see if you can recover your electronic protected health information (ePHI) within the required 72-hour window. A written plan is a good start, but only a full test will show whether your systems, backups, and teams are truly ready to handle a real crisis.

Key Takeaways for the HIPAA Security Rule

If you’re a CISO, Privacy Officer, or IT Director, the new HIPAA Security Rule isn’t just another box to check — it’s a critical roadmap for defending your organization against real-world cyber threats. These updates are designed to make healthcare systems tougher targets for ransomware, data breaches, and other attacks that can cripple operations and put patient trust at risk.

Yes, meeting the new requirements will take considerable effort, time, and resources. But it’s also a real opportunity. Organizations that act now to build stronger, smarter security programs won’t just meet HIPAA standards — they’ll be far better positioned to protect their patients, avoid costly incidents, and safeguard their reputations in an increasingly high-risk environment.

ERMProtect HIPAA Compliance Solutions

ERMProtect specializes in HIPAA compliance solutions, offering automated risk assessments, security testing, and third-party vendor management programs. We can help healthcare organizations stay one step ahead of hackers — and regulators — without overwhelming internal teams.

For CISOs looking to simplify compliance while improving overall security, ERMProtect provides efficient, scalable solutions that align with both regulatory and operational requirements.

For a free consultation and/or scoping conversation, contact Silka Gonzalez at [email protected] or Judy Miller at [email protected] or call 305-447-6750.