The healthcare industry is facing a significant shift in cybersecurity compliance.

The U.S. Department of Health and Human Services (HHS) has proposed updates to the HIPAA Security Rule that would represent the most substantial cybersecurity changes in more than ten years. These updates are designed to strengthen protections for electronic protected health information (ePHI) and address the growing cybersecurity threats targeting healthcare organizations.

For healthcare providers, hospitals, clinics, and business associates, the message is clear: cybersecurity expectations are increasing, and organizations should begin preparing now.

Why the HIPAA Security Rule Is Changing

Cyberattacks against healthcare organizations continue to rise in frequency and sophistication. Ransomware incidents, data breaches, and third-party vulnerabilities have exposed millions of patient records and disrupted critical healthcare operations.

The proposed HIPAA Security Rule updates aim to establish stronger, more consistent cybersecurity standards across the healthcare sector by requiring safeguards that were previously considered “addressable.”

Historically, organizations could implement alternative security measures if they documented why a specific control was not appropriate. Under the proposed rule, many of these controls would become mandatory.

Key Cybersecurity Requirements Expected Under the New Rule

Several security measures long considered best practices are expected to become required safeguards.

Multi-Factor Authentication (MFA)

MFA is one of the most effective defenses against unauthorized access and credential-based attacks. Healthcare organizations will likely be required to implement MFA for systems that access sensitive patient information.

Encryption of Sensitive Data

Encryption helps ensure that patient information remains protected even if systems are compromised. The proposed rule emphasizes stronger encryption requirements for both data at rest and data in transit.

Network Segmentation

Healthcare networks often contain a mix of clinical systems, administrative applications, and connected medical devices. Network segmentation can help limit the spread of cyberattacks and reduce organizational risk.

Asset Inventory and Mapping

Organizations will be expected to maintain comprehensive visibility into their technology environments, including hardware, software, applications, and data flows. Accurate asset inventories are foundational to effective security and compliance.

Routine Vulnerability Testing

Regular vulnerability assessments and testing help organizations identify and remediate security weaknesses before attackers can exploit them.

Audit Logging and Vendor Oversight

Healthcare organizations will face increased expectations around monitoring system activity, retaining audit logs, and managing cybersecurity risks associated with third-party vendors and business associates.

What Healthcare Organizations Should Do Now

While the final rule has not yet been published, waiting until the new requirements take effect could create unnecessary risks and compliance challenges.

Organizations can begin preparing today by focusing on five key areas.

  1. Assess Your Current Security Posture

Conduct a comprehensive review of your existing cybersecurity controls, risk management processes, and technology assets. Understanding your current state is the first step toward identifying compliance gaps.

  2. Prepare for Mandatory Safeguards

Evaluate which existing HIPAA security controls are currently treated as “addressable” and determine what investments or operational changes may be necessary to meet future requirements.

  3. Update Policies and Agreements

Review internal security policies, workforce training programs, disaster recovery procedures, incident response plans, and Business Associate Agreements to ensure they align with emerging expectations.

  4. Engage Key Stakeholders

Cybersecurity is not solely an IT responsibility. Compliance, legal, risk management, operations, and vendor management teams should work together to prepare for new audit requirements, reporting obligations, and technical controls.

  5. Monitor Regulatory Developments

The proposed rule may continue to evolve before final publication. Organizations should stay informed and be prepared to adjust their compliance strategies as additional guidance becomes available.

Compliance Is No Longer Enough

The proposed HIPAA Security Rule updates reflect a broader reality: cybersecurity has become a critical component of patient care, operational resilience, and organizational trust.

Healthcare organizations that proactively strengthen their security programs today will not only be better prepared for future regulatory requirements but also better positioned to defend against the growing threat landscape.

The question is no longer whether stronger cybersecurity measures are needed; it is whether organizations are ready to implement them before they become mandatory.

How ClearBridge Can Help

At ClearBridge Technology Group, we help healthcare organizations assess risk, strengthen cybersecurity programs, improve compliance readiness, and implement the technologies and processes needed to protect patient data.

Whether you’re evaluating your current security posture, preparing for anticipated HIPAA changes, or developing a long-term cybersecurity strategy, our team can help.