PROCIRCULAR BLOG


How the New HIPAA Security Rule Changes Will Affect Healthcare

Posted by ProCircular Team on Feb 13, 2025 1:49:14 PM


In January 2025, the U.S. Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) in the Federal Register with proposed updates to the HIPAA Security Rule, aiming to close security gaps and strengthen protections for electronic protected health information (ePHI). The proposal is not yet final: it is still open for public comment and may change before a final rule is issued. These changes come in response to an alarming rise in cyberattacks in the healthcare sector, where ransomware and data breaches have affected millions of patients and cost the industry billions of dollars.

While HIPAA has long required healthcare organizations to implement safeguards for patient data, the existing regulations leave too much room for interpretation. Many implementation specifications are "addressable," meaning an organization may assess whether each one is reasonable and appropriate for its environment and, if not, document why and adopt an equivalent alternative. In practice, many organizations have treated "addressable" as optional. The proposed rule would eliminate nearly all of this flexibility, making key protections mandatory with only limited, specifically listed exceptions.

This article outlines some of the most significant changes, their impact on the healthcare industry, and why they represent a necessary evolution in healthcare cybersecurity.

Why the Rules Are Changing

Cybercriminals increasingly target the healthcare industry because of the high value of patient data and the operational necessity of keeping medical systems running. Hospitals and clinics are particularly vulnerable to ransomware attacks, where hackers encrypt critical systems and demand payment to restore access.

Under the existing HIPAA framework, many organizations have failed to properly secure patient data, leaving information unencrypted, using weak authentication methods, or neglecting third-party risks. These weaknesses have led to major breaches, exposing sensitive medical records and personal information. The proposed rule aims to create a consistent, industry-wide security baseline that reduces these weaknesses and holds organizations accountable for better cybersecurity practices.

Key Changes in the New HIPAA Security Rule

The proposed rule introduces several major updates. While these are among the most impactful changes, they are not the only revisions healthcare organizations must consider.


Encryption Becomes Mandatory

One of the most significant changes is the encryption requirement. Previously, encryption was considered "addressable," allowing organizations to assess whether it was reasonable and appropriate. Under the proposed rule, encryption of ePHI would be required both at rest and in transit, with only limited, specifically listed exceptions.

This change addresses one of the biggest weaknesses in healthcare cybersecurity. Many past data breaches occurred because patient records were stored or transmitted unencrypted, so anyone who obtained the files or captured the traffic could read them directly. Encryption ensures that even if data is stolen, it remains unreadable without the proper decryption key. That protection only holds if the keys are managed separately from the data: disk encryption that is unlocked whenever a server is running does nothing against an attacker who has already compromised an account on that server, and a key stored next to the ciphertext it protects provides no protection at all.
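As an added illustration of what "unreadable without the key" means in practice (this is example code written for this article, not ProCircular tooling or anything from the HHS proposal), the Go program below seals a constructed patient record with AES-256-GCM, a mode that both encrypts and authenticates. The sample record, the record identifier used as associated data and the key-generation helper are all assumptions made for the demo; in a real deployment the data key would come from a KMS or HSM and would never sit beside the ciphertext it protects.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"log"
)

// EncryptRecord seals one ePHI record with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. The key must be 32 bytes and is supplied by the
// caller; in production it comes from a KMS/HSM, never from the data store.
// aad (associated data) is authenticated but not encrypted: binding the record
// identifier this way stops an attacker from moving one patient's ciphertext
// into another patient's row.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err // e.g. wrong key length
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the blob or the aad, or
// use of the wrong key, makes Open fail and nothing is returned.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// NewDataKey returns a fresh random 256-bit key (stand-in for a KMS call).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000123","name":"Jane Doe","dx":"I10"}`)
	recordID := []byte("patient/000123") // bound as associated data

	key, err := NewDataKey()
	if err != nil {
		log.Fatal(err)
	}
	blob, err := EncryptRecord(key, record, recordID)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("stored blob: %d bytes, contains the name in clear: %v\n",
		len(blob), bytes.Contains(blob, []byte("Jane Doe")))

	plain, err := DecryptRecord(key, blob, recordID)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("decrypted with the right key: %s\n", plain)

	// Flip one byte of the stored blob: authentication fails, nothing is returned.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, tampered, recordID)
	fmt.Println("tampered blob:", err)

	// A different key (a stolen disk image without the KMS key) is useless.
	wrongKey, _ := NewDataKey()
	_, err = DecryptRecord(wrongKey, blob, recordID)
	fmt.Println("wrong key:", err)
}
```

Three properties are worth noticing: the stored blob contains no trace of the plaintext, a single flipped byte makes decryption fail outright rather than yielding a partly corrupted record, and binding the record identifier as associated data means a ciphertext copied from one patient's row into another's is rejected even with the correct key.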

Multi-Factor Authentication (MFA) Is Required

Under the proposed rule, healthcare organizations would have to implement multi-factor authentication (MFA) for access to systems containing ePHI, again with limited exceptions. MFA requires users to verify their identity using at least two different kinds of factors, such as something they know (a password) combined with something they have (a one-time code generated by an authenticator app, or a hardware security key). Not all second factors are equal: codes delivered by SMS or read from an authenticator app can still be phished and relayed in real time, so phishing-resistant methods such as FIDO2 security keys are the stronger choice for privileged and remote access.

The reasoning behind this change is clear: stolen passwords are one of the most common ways hackers gain unauthorized access to healthcare systems. Implementing MFA significantly reduces the risk of compromised credentials leading to a breach.
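To show how the "one-time code" factor actually works, and why possession of the password alone is not enough, here is an added example (not code from the original post or from any product) implementing a time-based one-time password (TOTP, RFC 6238) generator and verifier in Go. The user name, the shared secret (the RFC 6238 test secret, not a real one) and the single in-memory Verifier are assumptions for the demo; a production server would store secrets encrypted and persist the last-used time step per user.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"strconv"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6
)

// HOTP computes the RFC 4226 code for an 8-byte counter using HMAC-SHA1.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP derives the time step from a Unix timestamp and delegates to HOTP.
func TOTP(secret []byte, unix int64) string {
	return HOTP(secret, uint64(unix/totpStep), totpDigits)
}

// Verifier remembers, per user, the last time step whose code was accepted, so
// a code captured by a phishing page or malware cannot be replayed in its window.
type Verifier struct {
	lastUsedStep map[string]uint64
}

func NewVerifier() *Verifier { return &Verifier{lastUsedStep: map[string]uint64{}} }

// Verify accepts the code for the current step or the step immediately before or
// after it (clock skew), compares in constant time, and refuses any step at or
// before the last one already accepted for this user.
func (v *Verifier) Verify(user string, secret []byte, code string, now int64) bool {
	if len(code) != totpDigits {
		return false
	}
	if _, err := strconv.Atoi(code); err != nil {
		return false
	}
	step := uint64(now / totpStep)
	for _, delta := range []int64{0, -1, 1} {
		s := uint64(int64(step) + delta)
		if used, ok := v.lastUsedStep[user]; ok && s <= used {
			continue // replay, or older than the last accepted window
		}
		expected := HOTP(secret, s, totpDigits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastUsedStep[user] = s
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real one
	fmt.Println("code at T=59 (RFC 6238 vector 94287082, 6 digits):", TOTP(secret, 59))

	v := NewVerifier()
	now := time.Now().Unix()
	code := TOTP(secret, now) // what the user's authenticator app would show
	fmt.Println("first use accepted:", v.Verify("jdoe", secret, code, now))
	fmt.Println("replay accepted:   ", v.Verify("jdoe", secret, code, now))
}
```

The verifier tolerates one 30-second step of clock skew in either direction and refuses a code for a time step at or before the last one it accepted, so a captured code cannot be replayed within its validity window. What it cannot do is stop an attacker who relays the victim's code to the real service in real time; that is the gap phishing-resistant factors such as FIDO2 close.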

No More "Addressable" Security Measures

The elimination of "addressable" implementation specifications is one of the most impactful changes. Previously, organizations could assess whether a specific security measure was reasonable and appropriate for them and, if they concluded it was not, document that decision and implement an equivalent alternative. Under the proposed rule, all implementation specifications would be required, and an organization could forgo one only where the rule itself lists a specific exception and the organization documents that it qualifies.

This closes a long-standing ambiguity that some healthcare providers read as permission to skip essential protections. The new approach ensures that all covered entities and business associates follow the same cybersecurity baseline, making the entire industry more resilient.

Stricter Business Associate Requirements

Third-party vendors and contractors that handle ePHI are a major source of security risk. Under the proposed rule, covered entities would have to ensure that their business associates have strong cybersecurity protections in place. Business associates would have to verify to the covered entity at least once every 12 months that they have deployed the Security Rule's technical safeguards, through a written analysis of their relevant systems by a subject matter expert and a written certification that the analysis was performed and is accurate; subcontractors would owe the same verification to the business associate they serve. Business associate agreements would continue to carry contractual obligations to meet HIPAA standards, and notification timelines would tighten.

Business associates would also have to notify covered entities within 24 hours of activating their contingency plan (for example, after a ransomware attack forces a failover to backups), and regulated entities would have to notify other regulated entities within 24 hours when a workforce member's access to ePHI is changed or terminated. These requirements are designed to reduce insider threats and improve response times during incidents.

Network Segmentation to Limit Cyberattacks

To prevent attackers from moving freely through healthcare networks, the proposed rule would require organizations to segment networks that store or process ePHI. This means that systems containing sensitive patient data are separated from general IT infrastructure, with only the explicitly required connections allowed between segments, and those connections logged and monitored. Segmentation is not an air gap: a clinical system still needs to talk to the EHR, the lab and the backup server, so the work lies in enumerating those paths and denying everything else.

This change aligns with modern Zero Trust security principles, where no system or user is automatically trusted. By limiting access and movement within a network, organizations can contain cyberattacks before they spread.

Annual Risk Assessments Are Now Mandatory

Under the proposed rule, healthcare organizations must conduct and document a written cybersecurity risk analysis and review it at least once every 12 months. The proposal also specifies what that work includes:

  • Maintaining a written technology asset inventory and a network map showing how ePHI moves through the organization's systems, reviewed and updated at least every 12 months.
  • Identifying threats to and vulnerabilities in those systems, and assessing the likelihood and impact of each.
  • Testing current protections to ensure they are effective, including vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Auditing compliance with the Security Rule at least once every 12 months.
  • Implementing new security measures as threats evolve.

Many healthcare providers currently perform risk assessments only when an auditor or a contract requires one, or after a security incident occurs. By making risk analysis a recurring annual requirement, the proposed rule encourages proactive security planning instead of reactive damage control.

What These Changes Mean for Healthcare Organizations

Challenges
  • Higher Compliance Costs – Smaller healthcare providers and vendors may struggle to afford the new security upgrades. Encryption, MFA, and network segmentation all require investment in new technology and employee training.
  • Operational Disruptions – Many organizations will need to redesign workflows and update legacy systems to comply with the new rules.
  • Vendor Accountability – Business associates that fail to meet the stricter security standards may lose contracts, leading to potential disruptions in service.
Benefits
  • Stronger Protection Against Cyberattacks – By enforcing encryption, MFA, and network segmentation, these changes reduce the likelihood of large-scale data breaches.
  • Improved Patient Trust – Patients are becoming more aware of cybersecurity risks. Knowing their medical records are better protected may improve confidence in healthcare providers.
  • Alignment with Modern Security Practices – These changes bring HIPAA compliance in line with other cybersecurity frameworks, such as the NIST Cybersecurity Framework and Zero Trust Architecture (NIST SP 800-207).

The Bigger Picture: A Necessary Step Forward

While some may see these changes as a burden, they reflect the reality of modern cybersecurity threats. The healthcare industry has been one of the most targeted sectors for cyberattacks, yet security standards have remained inconsistent. These updates ensure that healthcare organizations take cybersecurity seriously and implement protections that should have been standard years ago.

The reality is that hospitals, clinics, and business associates are handling some of the most sensitive personal data imaginable. Patients trust these organizations with their medical history, Social Security numbers, and financial information. The responsibility to protect that data should be treated with the same urgency as patient care itself.

Ultimately, these changes aren’t just about compliance—they’re about building a more secure and resilient healthcare system. Healthcare organizations that take action now to improve their cybersecurity posture will not only meet the new HIPAA requirements but also reduce their risk of becoming the next breach headline. Reach out to ProCircular or contact our team at sales@procircular.com to get started!
