CHANGE PUTS ALL YOUR CHOICES TO THE TEST
HIPAA Security Rule Is Getting A Much-Needed Upgrade. So What?
HIPAA has been the law of the land for more than two decades, pushing healthcare businesses to strike a careful balance between protecting patient privacy and maximizing data use. The law has mostly been managed as a compliance matter, with the framework offering little prescriptive guidance or specific controls.
Luckily, IT and security decision-makers have lots of other places to go for the best practices that keep them operating at a high level of operational and cybersecurity maturity. Depending on where you sit on that curve, it can be easy to dismiss changes to the HIPAA framework as a mostly incidental compliance issue.
A LONG OVERDUE UPDATE ARRIVES
However true this might have been in the past, proposed 2025 HIPAA Security Rule changes are more than bureaucratic incrementalism. The requirements have been strengthened and the scope widened, with an intense focus on risk analysis. But here again, many organizations are operating way ahead of proposed minimums.
Before we get to the updates, it’s important to understand why understanding these changes matters to everybody, not just healthcare businesses worried about achieving technical compliance.
Big Change Is A Chance To Review And Reflect
Most healthcare organizations get a lot about protecting ePHI right. But we only need to look at lessons learned from breaches like Change Healthcare to understand there’s still significant work to be done extending mature best practices across not only the organization, but business, technology, and data partnerships as well.
No matter your current strategic posture, or the sophistication of your ePHI security, understanding what’s coming is critical for a couple of reasons.
Understanding Material Impact: There are, in fact, new control requirements put in place by the new Security Rule. This material impact is the very best reason to get up to speed.
Accelerating a Culture of Continuity: Some of these new recommendations increase the required cadence of analysis and monitoring. Businesses looking to embed more continuous risk assessment and mitigation patterns into how they operate can use these new requirements as a driver.
Assessing Business Partner Obligations: The scope of HIPAA obligations has expanded over time, putting more and more of the partners inside an ePHI ecosystem under newly increased scrutiny. It’s important to understand any possible impact.
THREATS IN MOTION
The healthcare industry is seeing notable changes in threat dynamics. The 2024 Verizon DBIR shows us insider threats again surging, and credentials misuse is now a top tactic of attackers.
Now that we understand why mastering these new changes is so essential, it’s time to take a look at how we arrived at the current moment.
Catching Up With Modern Risks And More Mature Controls
Even as nearly everything about technology and cyberthreats has been transformed, we’ve seen only two updates to the Security Rule, in 2009 and 2013. The 2025 changes represent a huge raising of the bar on security and compliance baselines for ePHI, especially where loopholes are closing and previous suggestions become mandates.
The regulations come just as new threats are pushing systems to the max:
- The cost of cyber-attacks continues to skyrocket, especially in healthcare
- The number of third parties involved in healthcare makes security even more complex
- Past attempted fixes to the security rule ended up being a patchwork of ineffectiveness
But even as regulators chase innovators, businesses are paying a heavy price for lax cybersecurity practices around storing and using PHI. A surge of enforcement at the end of the Biden administration was mainly focused on organizations found to have failed to achieve minimum risk analyses standards.
There were also big fines for failing to implement baseline IAM controls, including uneven or non-existent MFA adoption. That cost Solara Medical Supplies $3M. Enzo Clinical Labs was cited for sharing privileged credentials across five different users, including a password that hadn’t been updated in 10 years. That, plus other violations, cost the business $4.5M.
A Stronger, Smarter, Clearer Security Rule
Even with increased enforcement under existing law, experts and regulators have been pressing for more effective means of driving and measuring HIPAA compliance. 2024 brought much relief to these worries, as Office of Civil Rights (OCR) leaders proposed the most significant updates to the Security Rule since its inception.
What Exactly is Changing?
We’ll review the proposed changes as of February 2025. The final approved changes might look different—always go to the source.
ADIOS, ADDRESSABLE
Current HIPAA rules give businesses some flexibility when administering controls. With very few exceptions, all addressable items and controls are now mandatory:
- Administrative safeguards including MFA and password management
- Physical safeguards including dedicated data backup and recovery systems
- Technical safeguards including the encryption of data at rest
The goal of these changes is to raise those baseline security minimums in the face of advanced threats.
BETTER MAPS AND INVENTORIES
You can’t protect what you can’t see. Proposed security rule changes increase the requirements around documenting not just your ePHI environment, but the overall flow of data between and across other technical and business partners.
- Asset inventory must now include all technology assets that impact ePHI use and security
- Network mapping must now include all these assets
- A data flow visualization must show how ePHI data flows to, from, and between systems and partners
NEW TIMELINES AND CALENDARS
A huge focus of the new rules is increasing cadence and consistency. The goal is to get organizations to embed a greater timeliness and urgency into security priorities and best practices across the business.
- A risk analysis must be performed at least every 12 months
- Vulnerability scanning must be conducted every six months
- Incident response plans must be tested and validated every 6 months
- Penetration testing must take place at least once a year
ZTNA MANDATES
While zero trust continues to gain adoption across all industries, proposed rule changes will mandate key zero trust network architecture (ZTNA) fundamentals in order to better protect the users, networks, and systems that interact with PHI.
- Virtual or physical segmentation of networks is now mandatory
- A qualified, risk-based approach must be used in network design
- User access controls must also be similarly segmented using role-based access control (RBAC) and the same risk-based strategy
- Legacy devices that can’t support required encryption must be secured by additional defenses or be replaced
NEW RECOVERY SLAs
The ability to recover quickly and confidently from disaster or disruption (ransomware, specifically) is important for any business, but especially inside healthcare. The new guidance puts very aggressive recovery and restoration timelines in place, enabled by the just mentioned network design changes.
- System restoration must happen within 72 hours, with backups that are 48 hours old or newer
- ePHI backup and recovery systems must be separately and specifically tested on a regular basis
ADVANCED USER AND IDENTITY MANAGEMENT
Users and credentials are always attractive targets for attackers. Busy healthcare environments make the problem worse, with dozens of clinical and business users and roles across the ePHI data flow accessing and using the data. The new rules tighten system and application access.
- Multifactor authentication and RBAC are now mandatory for both ePHI applications and any systems that manage user privileges
- Terminated users must have all access revoked within one hour, and business partners must be notified within 24 hours for roles with PHI access
- Encryption keys for ePHI must be managed and distributed separately
A Checklist For Getting (And Staying) Ahead
Now that you understand what’s coming, it’s time to think about getting prepared. Implementation deadlines will give everybody plenty of time, but why wait? This is especially true for organizations already operating well ahead of the security status quo—understanding the changes early crosses one more worry off the list.
Even if you weren’t worried about HIPAA and the Security Rule, these would be some pretty good cybersecurity best practices. But the unique complexity and criticality of healthcare systems and their data make this advice especially relevant to healthcare businesses—payer, provider, and insurer alike.
1. Prioritize visibility (into everything)
So many of the new controls are about bringing much-needed visibility into your ePHI environment. Whether it’s understanding where users or assets are located, clarifying which roles touch ePHI workflows, or finding legacy devices that must be replaced due to new encryption requirements, it all starts with discovery and documentation.
Strengthen both your mapping and inventory processes across networks and devices
Maximize endpoint and user monitoring, especially in real-time, to understand where and how systems are being accessed and the behaviors behind the events
Use the new mandatory minimums, from vulnerability management to regular risk analysis, as the floor, not the ceiling, of cybersecurity maturity
2. Engineer simplicity into your security
That unique complexity of healthcare shows up in a sprawling hardware, software, and services stack. Build security and compliance stacks differently, aiming for simplicity and seamlessness where possible. Every moving piece removed is a problem solved.
Given the heightened focus on insider threats, build for interoperability at the identity layer
Healthcare businesses are also more likely to be operating inside prem-heavy hybrid clouds, simplicity in identity would make life easier for both security and compliance teams
Similarly, look for opportunities to unify cyber and physical controls, bringing the same best practices to digital and physical access control
3. Accelerate zero trust
Zero trust works through constant and continuous validation of access and credentials, for both human and machine users. The challenge has been finding ways to implement these dynamic defenses in depth without slowing authorized users and workflows down. Better network virtualization and more options to authenticate users both go a long way.
Strengthen both your mapping and inventory processes across networks and devices
Maximize endpoint and user monitoring, especially in real-time, to understand where and how systems are being accessed and the behaviors behind the events.
Use the new mandatory minimums, from vulnerability management to regular risk analysis, as the floor, not the ceiling, of cybersecurity maturity.
4. Upgrade Your MFA
The weakness of passwords drove MFA adoption, but it also threatens the fundamental rule of three behind the strategy. This is one of the many reasons businesses are looking beyond passwords and towards more robust multifactor authentication.
Look for opportunities to elegantly add new defenses without slowing busy users down, especially in clinical settings
Enable solutions that integrate well with unique healthcare device challenges, like multi-user kiosk endpoints
Look at ways to eliminate, reduce, or hide passwords inside the user experience
5. Reach out to partners
As with nearly every other compliance challenge, healthcare takes third-party risk to a new level. Between covered entities and their networks of business associates, proposed changes give everybody a little more responsibility.
Consider making joint risk assessments part of your expanded risk analysis schedule
Look to build information-sharing relationships with vendors and entities
Leverage HHS resources design to help healthcare businesses understand
Check with your vendors – they’re preparing for these changes too
CHANGE PUTS YOUR SECURITY CHOICES TO THE TEST
While chances are good that the final rule changes discussed here will materialize, there’s always uncertainty until the rules are actually published. Always check with HHS first to get trusted updates on HIPAA and the new Security Rule. And as the final rules and guidance are prepared, it’s time to start considering the next smart step.
Discover how Proximia is redefining authentication
for healthcare. Contact us today to learn more.
