HIPAA and Cybersecurity: What’s Changing
Cyber threats hit healthcare harder every year. Hospitals, clinics and insurers are prime targets for ransomware, data theft and system outages. And with so much of healthcare running on connected systems, the stakes have never been higher.
That’s why the Department of Health and Human Services (HHS) has proposed updates to the HIPAA Security Rule. While these aren’t final rulings yet, the intent is clear: make cybersecurity a built-in, enforceable part of protecting patient data—not an afterthought.
Let’s break down what HIPAA covers today, what might change and what you can do now to prepare.
A Quick Refresher on HIPAA
HIPAA was signed into law in 1996 to protect patient privacy and set national standards for handling health information. Over time, it’s grown to include several key rules:
- The Privacy Rule defines how protected health information (PHI) can be used and shared.
- The Security Rule sets standards for protecting electronic health information (ePHI).
- The Breach Notification Rule requires organizations to report when PHI is exposed.
Together, these rules form the backbone of HIPAA compliance—and created something every patient has seen: the Notice of Privacy Practices (NPP). The NPP explains how data can be used, your rights to access it, and who’s responsible for keeping it secure.
The Security Rule: Where Cybersecurity Comes In
The Security Rule, found in 45 CFR Part 160 and Part 164, outlines how to keep ePHI confidential, intact, and available when needed.
It focuses on three categories of safeguards:
- Administrative: policies, procedures, and training
- Physical: access controls and facility protections
- Technical: encryption, authentication, and audit logs
The rule was intentionally flexible, allowing small clinics and large hospital systems to meet the same standards in different ways. But today’s cybersecurity climate has outgrown that flexibility.
Proposed 2025 HIPAA Changes
HHS’s Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to modernize the Security Rule for the first time since 2013.
These proposals are not yet finalized, but they give a pretty good preview of where enforcement is heading.
- Stronger Safeguards, Fewer Loopholes
The NPRM proposes eliminating the distinction between “required” and “addressable” implementation specifications under the Security Rule. If finalized, all safeguards would need to be implemented as written, with limited flexibility only where explicitly permitted by the regulation.
Organizations would also need to maintain written documentation for every policy, procedure and analysis related to the Security Rule.
- Encryption and Access Control
Encryption for ePHI—both at rest and in transit—would become mandatory, as would multi-factor authentication (MFA). These are already considered best practices, and the proposed update would make them requirements.
- Regular Cyber Health Checks
The NPRM suggests defined testing intervals:
- Vulnerability scans every six months
- Penetration tests once per year
- Compliance audits every 12 months
This moves HIPAA toward repeatable, measurable cybersecurity practices rather than recommendations.
- Clearer Risk Analysis Requirements
Organizations would be required to maintain a technology asset inventory and network map showing where ePHI resides and how it moves. Threats, vulnerabilities and risk levels would need annual review (or whenever systems change).
- Incident Response and Recovery
The proposed rules emphasize resilience:
- Critical systems recoverable within 72 hours
- Access changes or terminations reported within 24 hours
- Security incident plans written, tested and regularly updated
Additional Proposed Requirements
The NPRM also includes several more detailed updates aimed at modernizing security practices and accountability under HIPAA. The key proposals:
- Technology inventory and network mapping: Maintain a complete list of systems handling ePHI and detailed network diagrams.
- Patch management: Apply critical software updates within 15 days and document patching activity.
- Business associate verification: Annually confirm that partners and vendors have required safeguards in place.
- Access control and workforce sanctions: Enforce access changes within 24 hours and document any policy violations.
- Network segmentation and anti-malware controls: Implement segmentation, disable unused network ports, and remove unnecessary software.
- Encryption and MFA: Mandate encryption for ePHI at rest and in transit, plus multi-factor authentication across systems. The proposed rule does include a carve-out for the possibility of ‘limited exceptions.’
- Regular audits and testing: Require vulnerability scans every six months, penetration tests annually, and annual compliance audits.
- Disaster recovery readiness: Test contingency plans annually and ensure backup and recovery systems have separate technical controls.
Privacy Rule and NPP Updates
Covered entities may no longer need written acknowledgment from patients that they received the NPP. The notice itself would be modernized to better explain how data is used and shared—especially as telehealth, AI and digital tools evolve.
Updates to 42 CFR Part 2 would also align substance use disorder records with HIPAA protections, strengthening privacy for sensitive health data.
How to Prepare Now
Even though these changes are still proposed, organizations shouldn’t wait. You will have 240 days from the publication of the final rule to be in compliance.
Here are some ways to prepare now:
- Review your risk analysis to ensure it includes full system inventory and network mapping.
- Encrypt all ePHI at rest and in transit.
- Enable MFA for all accounts, not just admin users.
- Test your incident response plan and update it regularly.
- Revisit business associate agreements to confirm partner compliance.
- Train staff on revised security procedures.
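As an added example (not code from this article or from HBS), here is a small Python readiness check that encodes the intervals and controls listed above (15-day patch window, six-month scans, annual penetration tests and risk review, MFA, encryption, 72-hour recovery) and reports the gaps found in a constructed inventory. The Asset and Program fields, the sample data, and the 183-day reading of “six months” are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
PATCH_WINDOW_DAYS = 15     # critical updates applied within 15 days
VULN_SCAN_DAYS = 183       # vulnerability scan every six months (assumed day count)
PENTEST_DAYS = 365         # penetration test once per year
RISK_REVIEW_DAYS = 365     # risk analysis reviewed annually (or whenever systems change)
RECOVERY_HOURS = 72        # critical systems recoverable within 72 hours

@dataclass
class Asset:
    name: str; critical: bool; encrypted_at_rest: bool; encrypted_in_transit: bool; mfa_enforced: bool
    oldest_pending_critical_patch: Optional[date]  # release date, None if fully patched
    tested_recovery_hours: Optional[int]           # RTO shown in the last contingency test

@dataclass
class Program:
    last_vuln_scan: date; last_pentest: date; last_risk_review: date
    network_map_current: bool                      # inventory and network map kept current

def asset_gaps(a: Asset, today: date) -> list:
    # Controls named on this page that the asset does not yet meet
    pending = (today - a.oldest_pending_critical_patch).days if a.oldest_pending_critical_patch else 0
    checks = [(not a.encrypted_at_rest, "no encryption at rest"),
              (not a.encrypted_in_transit, "no encryption in transit"),
              (not a.mfa_enforced, "MFA not enforced"),
              (pending > PATCH_WINDOW_DAYS, f"critical patch pending {pending} days"),
              (a.critical and (a.tested_recovery_hours is None or a.tested_recovery_hours > RECOVERY_HOURS),
               "72-hour recovery not demonstrated")]   # only critical systems carry the 72-hour target
    return [msg for failed, msg in checks if failed]

def program_gaps(p: Program, today: date) -> list:
    # Overdue programme-level activities: scans, penetration tests, risk review, inventory
    checks = [((today - p.last_vuln_scan).days > VULN_SCAN_DAYS, "vulnerability scan overdue"),
              ((today - p.last_pentest).days > PENTEST_DAYS, "penetration test overdue"),
              ((today - p.last_risk_review).days > RISK_REVIEW_DAYS, "risk analysis review overdue"),
              (not p.network_map_current, "asset inventory / network map not current")]
    return [msg for failed, msg in checks if failed]

def readiness_report(program: Program, assets: list, today: date) -> dict:
    # 'program' plus every asset with at least one gap, each mapped to its list of gaps
    return {"program": program_gaps(program, today),
            **{a.name: g for a in assets if (g := asset_gaps(a, today))}}

def sample_report() -> dict:
    # Constructed sample inventory for illustration, not real systems
    today = date(2025, 6, 1)
    prog = Program(date(2024, 10, 1), date(2024, 3, 1), date(2025, 1, 15), True)
    assets = [Asset("ehr-db", True, True, True, True, None, 24),
              Asset("imaging-share", True, False, True, False, date(2025, 4, 20), 120)]
    return readiness_report(prog, assets, today)
```

Running `sample_report()` flags the overdue scan and penetration test at the program level and lists four gaps for the file share, while the fully controlled database does not appear at all.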
HIPAA + Cybersecurity
The proposed HIPAA updates aren’t law yet—but they signal what’s coming. HHS is prioritizing stronger cybersecurity, better documentation, and continuous monitoring.
For healthcare organizations, this is a chance to get ahead rather than catch up.
Don’t wait for the final ruling. Use this time to assess your systems, close gaps and strengthen your defenses. Because whether the changes take effect this year or next, the expectation for better protection is already here.
Need help assessing your readiness?
Connect with HBS security experts and vCISOs for tailored guidance on cybersecurity, compliance, and risk management. We’ll help you evaluate your current state and take proactive steps toward future HIPAA compliance.