Healthcare leaders already know that cybersecurity is no longer just an IT issue. It's an enterprise and board-level imperative. It is directly tied to patient safety, operational continuity and financial performance. That reality is driving the most significant proposed update to the HIPAA Security Rule in more than a decade.

The HIPAA Security Rule

For the first time since 2013, the U.S. Department of Health and Human Services Office for Civil Rights has proposed major updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It issued a Notice of Proposed Rulemaking at the end of 2024 to strengthen protections for electronic protected health information (ePHI) in response to a sharp increase in cyberattacks across the sector.

While the final rule is expected at any time, the direction is already clear. HIPAA is moving away from a flexible, documentation-driven model and toward a more prescriptive, enforcement-driven model centered on real technical controls. For health systems, this is not just a regulatory update. It is a shift in how cybersecurity programs are expected to operate.

Proposed changes

The updates directly address common areas of non-compliance with the Security Rule that OCR has identified in the past ten years, and at the same time, make the Security Rule more consistent with the National Institute of Standards and Technology ("NIST") cybersecurity framework and HHS's Cybersecurity Performance Goals, which were published in 2024. At a high level, the proposed changes can be summarized into three themes: less flexibility, stronger technical requirements and increased accountability.

1. "Addressable" safeguards become required

One of the most impactful changes is the removal of the distinction between "required" and "addressable" safeguards. Historically, organizations could justify not implementing certain controls if they documented why. That flexibility is going away.

Under the proposed rule, implementation specifications are expected to be required across the board, with only limited exceptions. The implication is simple. Documentation alone will no longer be sufficient. Organizations will need to demonstrate that controls are actually deployed and functioning.

2. Mandatory technical controls become explicit

The proposed updates move several cybersecurity best practices into baseline expectations. None of these are new concepts, but making them explicit creates a consistent standard across organizations and signals that regulators now expect them to be in place throughout the healthcare industry:

  • Multi-factor authentication for system access
  • Encryption of ePHI at rest and in transit
  • Network segmentation
  • Configuration management
  • Deployment of anti-malware protection
  • Removal of extraneous software from ePHI systems
  • Backup and recovery of ePHI
  • Vulnerability management and patching

3. Asset visibility and risk analysis become operational

The proposed rule places a strong emphasis on knowing what you have and where your data lives. This is a significant shift from periodic risk assessments to continuous visibility and management. Organizations would be required to maintain:

  • A current technology asset inventory covering every system that may affect ePHI
  • A network map showing how ePHI flows through these systems
  • Ongoing, updated risk analyses tied to those assets at least once every 12 months

4. Audit and risk assessment standards

The proposal would set explicit cadences for what are currently loose obligations. Organizations must perform and document:

  • Comprehensive compliance audits at least annually
  • Formal testing and verification of administrative, physical and technical safeguards every 12 months
  • Technical testing and vulnerability scanning every 6 months
  • Penetration testing of ePHI systems every 12 months

5. Incident response and notifications

The rule would memorialize the need for written incident response plans, workforce reporting procedures and periodic testing. Tighter contingency planning will be required, including:

  • Written procedures to restore certain systems and data within 72 hours of a service disruption
  • Separate technical controls for backup and recovery
  • Documented restoration priorities

The proposal would also tighten the time-bound obligations between covered entities and business associates (BAs), requiring 24-hour notification of security incidents and annual verification of each BA's safeguards.

Getting ready

Once the final rule is issued, organizations are expected to have a relatively short window to comply, often cited as roughly 240 days from publication. For most health systems, that is not enough time to start from scratch. Organizations that treat this as a compliance exercise will struggle. Those who treat it as a broader cybersecurity and resilience strategy will be better positioned.

This is also where partnership matters. Navigating the technical, operational and regulatory complexity requires alignment across IT, security, clinical operations and leadership. At WWT, we are helping healthcare organizations translate these proposed requirements into practical architectures, prioritized roadmaps and measurable outcomes.

Contact us to get started.