In this article published by The Legal Intelligencer, Marci Rozen discusses the growing cybersecurity risks facing health care organizations and the vendors that support them. She highlights the massive impact of recent ransomware attacks, including one that affected the protected health information (PHI) of over half the U.S. population. Despite the rising sophistication of these threats, HIPAA’s security rule has not been updated since 2013. The article explores proposed changes by the Department of Health and Human Services (HHS) and how covered entities and business associates can prepare for the evolving regulatory and threat landscape.
In recent years, health care organizations and the vendors that support them have been prime targets for cyber attacks. Indeed, just last year, the ransomware attack on the health care clearinghouse Change Healthcare is estimated to have affected the protected health information (PHI) of over half of the U.S. population. Yet even as the sophistication and severity of these attacks have grown, the rules governing the security of electronic PHI (ePHI) have not changed since 2013. That may soon shift, as the Department of Health and Human Services (HHS) has proposed critical updates to the HIPAA security rule. This article highlights the most significant changes in the proposed updates, examines how they compare to current industry practices, and offers insights into how covered entities and business associates can prepare for the potential changes and secure their health data in today’s threat landscape.
Background
Over the past 15 years, health care entities have shifted from largely paper-based recordkeeping to interconnected information systems. As of 2021, almost 80% of physician offices and 96% of hospitals had adopted electronic health records (EHRs). While EHRs offer substantial benefits for health care providers and patients through efficiency gains and more streamlined access to patient history, they also increase security risk as threat actors seek to penetrate health care systems to steal data or otherwise interfere with critical services. Between 2018 and 2023, there was a 100% increase in the number of breaches reported to HHS and a 950% increase in the number of individuals affected.
Although market and business pressures have pushed mature health care companies to strengthen their security practices, the existing HIPAA security rule—while more stringent than many other sector-specific security laws in the United States—has not kept pace. The new proposed updates would bring the Rule in line with, and in some cases exceed, industry best practices.
Key Proposed Changes to the HIPAA Security Rule
HHS has proposed extensive changes to the security rule, with several key changes standing out:
Elimination of “Addressable” Implementation Specifications. The existing security rule distinguishes between “required” and “addressable” implementation specifications. Entities have flexibility under this framework to adopt “addressable” specifications that are appropriate to the entity’s size, sophistication, and the sensitivity of the ePHI they process, as well as the presence of compensating controls. The proposed rule would remove this distinction, making all implementation specifications mandatory, with limited exceptions. This change underscores HHS’s view that unauthorized disclosure or use of ePHI poses a high risk to individuals regardless of the covered entity’s or business associate’s size or sophistication.
Enhanced Risk Analysis and Management. Under the proposed rule, regulated entities would be required for the first time to conduct an accurate and comprehensive written assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they process. As part of this assessment, an entity would need to develop and review asset inventories and network maps that illustrate the movement of ePHI throughout its systems, and to ensure that they are kept current. Entities would be required to update the assessment in response to changes in the environment or operations, security incidents, or other significant events. They would also need to adopt security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Patch Management. Regulated entities would be required to implement written policies and procedures for applying patches to systems processing ePHI. Critical security patches or upgrades must be applied within 15 calendar days of the patch or upgrade becoming available.
Multi-factor authentication. Citing the “intractable problem of password re-use and the ubiquity of stolen credential dumps,” the proposed rule would require entities to implement multi-factor authentication (MFA) for systems housing ePHI.
Encryption of ePHI. The proposed rule mandates the encryption of ePHI both at rest and in transit; previously, this was an “addressable” specification.
Network Segmentation. The proposed amendments introduce a new mandate for covered entities and business associates to implement technical measures to segment their networks to isolate systems that handle ePHI from those that do not, ensuring an extra layer of protection for ePHI in the event of a compromise of systems that are outside of the scope of the HIPAA security rule.
Comparison to Current Industry Practices and Challenges for Implementation
Many of the proposed changes align with industry best practices and recognized security frameworks, such as the NIST Cybersecurity Framework (CSF). However, the current implementation of these practices varies widely across health care organizations. Some of the areas that may prove to be the most challenging for covered entities and business associates to address include:
Risk Analysis. While most health care organizations conduct some form of risk analysis, it is too often conducted as a “check-the-box” exercise. The new changes call for greater depth and comprehensiveness in risk assessments, as well as documentation of risk assessment criteria, evaluations of each risk area, and tracking of remediation items. This may require some entities that lack internal compliance resources to outsource these assessments to third parties.
Patch Management. All trained security professionals are well aware of the importance of timely patching, but many face challenges in execution. For instance, some health care entities may be running legacy software and systems that are no longer supported by patches, or may be unable to install patches on a timely basis because installation would require system downtime that would interfere with critical care. Entities may need to expend resources to upgrade systems or create redundancy so that systems can be patched or upgraded without interfering with operations.
Multi-factor Authentication. Despite its proven benefits, MFA is still not universally adopted, particularly among smaller organizations. Some forms of MFA also require users to adopt a device-based mechanism, such as an authenticator app, as a second factor—a challenge in medical settings where not all providers are used to this technology.
Encryption. While most companies have adopted some forms of encryption, encryption at rest is not always possible in certain systems or is cost prohibitive. This is especially true for business associates that process less sensitive ePHI and that previously relied on the flexibility of the “addressable” standard to use compensating controls as opposed to encryption. These entities will need to make investments in this technology if the proposed rule is adopted.
Network Segmentation. For covered entities, whose data processing activities mostly consist of PHI, this may not be a significant change. However, this requirement may prove to be challenging for business associates that process both PHI and non-PHI data. These companies will need to invest in additional resources to create separate environments to house ePHI if they have not done so already.
Preparing for the Upcoming Changes
While it’s not clear whether the current administration will finalize the proposed HIPAA security rule updates, health care entities should nevertheless be prepared for changes, particularly in light of increased security risks to their data. Covered entities and business associates should begin evaluating their existing security practices, identifying compliance gaps, and setting aside necessary resources for implementation. A structured approach can help organizations prioritize efforts and manage costs effectively:
Conduct a Readiness Assessment. Entities should assess how their current security practices compare to the proposed requirements, including by reviewing existing policies and controls against the updated rule’s mandates, and identifying any areas where “addressable” specifications were previously implemented flexibly and may now require stricter compliance. A formal gap analysis—conducted internally or with external auditors—can provide a clear roadmap for compliance efforts and help leadership allocate resources efficiently.
Prioritize Resource Allocation Based on Risk and Business Impact. Given the potential costs of implementation, organizations should categorize necessary updates based on their security impact and feasibility. High-risk, high-impact measures, such as multi-factor authentication (MFA) and encryption of ePHI, should be prioritized, as these provide significant risk reduction and are explicitly required under the new rule.
Assess IT Infrastructure. Entities should conduct a technical review to determine whether their IT infrastructure supports the new patching and encryption mandates. Identifying legacy systems that may not support timely patching and developing a replacement or mitigation plan should be the highest priority.
Conclusion
The proposed updates to the HIPAA security rule represent a crucial step toward strengthening cybersecurity in the health care industry. While some entities have already taken the steps required by the proposed rule, all entities should begin evaluating their practices to identify potential gaps and start allocating resources for improvements. These steps should be seen not only as compliance readiness, but also as critical investments in safeguarding ePHI against evolving cybersecurity threats in the health care landscape.
Marci Rozen is a senior legal director for ZwillGen in the firm’s Washington, D.C., office. She advises companies on cybersecurity and privacy issues, with deep expertise in risk assessment, policy development, and regulatory compliance. Rozen can be reached at marci@zwillgen.com.
Reprinted with permission from the March 24, 2025, edition of The Legal Intelligencer. © 2025 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.