How healthcare cyber risk teams can plan ahead for HIPAA’s Security Rule update

By Manu Gopeendran, Senior Vice President, Strategy and Marketing, MetricStream

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) has been the regulatory standard for U.S. healthcare providers, health organizations, and health data processors and clearinghouses to protect the confidentiality and security of electronic public health information (ePHI). HIPAA also outlines penalties for non-compliance. 

In January 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), which oversees HIPAA, published proposed updates to the HIPAA Security Rule. This long-awaited proposal includes many new cybersecurity requirements intended to better protect the healthcare system from the growing number of cyberattacks.

The proposed changes mark the first update to HIPAA’s Security Rule since its inception in 2005 – a sign that HIPAA as a framework has worked well through all of its additions since its establishment in 1996. But as the health data risk landscape evolves, the framework that regulates its security must evolve too.

HIPAA security updates: making a good framework even better

Three factors are driving the urgency behind the HIPAA Security Rule updates.

First, technology has changed significantly over the last three decades, especially in the healthcare industry. Systems have changed, from better integrated health technology to increasingly sophisticated tools for data sharing – and for data hacking.

Threat actors and breach trends have also changed. Cyberattacks have increased exponentially in all industries – in 2024 alone, OCR recorded 579 breach incidents from health organizations or their third-party partners, a 127% increase from the previous year. Healthcare data is also one of the top targeted and most coveted categories sought by hackers due to the large amounts of extremely valuable, easily monetizable personal data available.

Security rule updates to HIPAA should be seen by leaders as a step towards making an already good security framework even better and more prepared for the current challenges of the health industry’s cyber risk environment.

What are the implications of the proposed HIPAA rules?

The proposed updates cover a wide spectrum of cybersecurity areas in addition to clarifying terminology in the existing framework language. Several key themes stand out:

Modern cyber hygiene requirements: The healthcare industry cyberattacks of 2024, the largest being Change Healthcare, showcased just how quickly hackers can take advantage of weak points in a health system’s security and cause major damage. Implementing controls such as multifactor authentication, stronger password security standards, data encryption, anti-malware measures, and network segmentation seems fundamental, but codifying these steps makes the entire system more secure. 

More robust and proactive risk measures: Across the proposed updates, regulators are signaling the need for healthcare organizations to enhance their risk analysis practices and conduct risk assessments more regularly. Addressing risks ad-hoc will no longer be an acceptable standard – healthcare organizations need to be more proactive about risk assessments and take these steps more continuously. 

Standardization and harmonization: Under the existing HIPAA rules, organizations have a degree of flexibility and interpretation over which rules are required and which are “addressable” under certain circumstances. The new proposed rules tighten the definition of some of these rules, making any addressable circumstances less open to interpretation. The proposal also includes rules that recognize other standard frameworks for compliance, such as those from NIST and CISA, and require harmonization of controls across these frameworks alongside HIPAA. Together, these measures reduce or fully eliminate the potential for ambiguity in organizations’ interpretation of what constitutes compliance.

Thematically, it’s clear that regulators are pushing organizations to take their cybersecurity steps to the next level to better protect valuable patient data from cyber threats.

Guidance for health cybersecurity leaders

Cybersecurity leaders in healthcare play an important role in not only making sure new regulations are implemented, but that others on their leadership team – all the way up to the C-suite and board – understand how these rules will impact their wider organization. Given the above areas of focus in HIPAA’s updates, leaders may wonder what else can be done to reinforce a stronger environment under HIPAA.

While the proposed rules are yet to be approved, leaders can start taking steps in anticipation of upcoming changes to create a more risk-aware workforce and culture. Updating cybersecurity training programs and encouraging employee adherence to training will help teams better understand their role in preventing cyber risk. Every person plays a part in safeguarding the risk environment, especially in healthcare. Leaders, however, are held responsible if a violation – or worse, a risk event – occurs, and regulators will not be lenient if organizations are caught unaware or unprepared.

In the current environment, health systems may feel stretched for resources or may not know where to start in protecting legacy systems from threats. Updating and harmonizing health system technology takes time, but an integrated approach is also necessary. Health leaders are advised not to take on this work alone or set their IT teams to the task without targeted, specialist guidance.

Though AI cybersecurity tools are still in the early stages of applications in healthcare risk management functions, the future is promising. With the right tools available and proper controls in place, AI can help those responsible for the safe stewardship of health data do their job more efficiently and focus on proactive risk management, rather than repetitive monitoring, reporting, or compliance tasks. 

Though addressing cybersecurity risks upfront does present health systems with potential expenses – additional training, more IT and cyber employees, new software or consultancy fees – getting ahead of risks before they happen is much more manageable than navigating the challenges of a cyberattack.

Leaders in any industry need to remember: the cost of a data breach is not just the cost of paying out a hacker’s ransom. Breach recovery also includes the cost of brand management and reputational damage control, sustaining long-term resilience, and straightening out any interruptions to communications or operations. In the healthcare industry, the cost also includes human health and, potentially, human lives. 

By staying informed on HIPAA’s security rule updates, planning for a more robust risk system, and staying compliant, hospital systems and health data stewards can be ready for the risks of the modern cyber risk environment. Patient safety is worth protecting at all costs.
