HHS’ Proposed HIPAA Security Rule Updates

Report by FortifyData

The U.S. Department of Health and Human Services has not updated the HIPAA Security Rule since 2013, when the Omnibus Rule, which focused on Business Associates, was issued. There has been no sweeping change to the Security Rule since its inception in 2003.

HHS has now released proposed updates that represent the most significant proposed changes to the rule in over two decades. These updates shift the language from “addressable” to “required” for several key security controls, introducing specific mandates that give covered entities and business associates less room for interpretation, and less room for inadequate security practices that technically remained compliant under the existing framework.


Cyberattacks on healthcare organizations are escalating, with threats to electronic protected health information (ePHI) becoming increasingly sophisticated. Yet the U.S. Department of Health and Human Services (HHS) hasn’t updated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule since 2013! That was the Omnibus Rule, which focused on Business Associates. In fact, there has not been a sweeping change to the Security Rule since its inception in 2003.

Recognizing this, HHS has released proposed updates to the HIPAA Security Rule. These updates are aimed at equipping healthcare organizations with more robust tools and practices to safeguard ePHI. Many will notice the shift in the language of the proposed rules from ‘addressable’ to ‘required’ when it comes to the security controls. At FortifyData, we are committed to helping hospitals and clinics understand and navigate these proposed changes so they can bolster their cybersecurity defenses effectively.


The proposed rules include specific control requirements, marking a significant shift from the existing framework. This white paper provides an overview of the changes, with practical insights into how FortifyData can support your organization in meeting these requirements.

Why the Changes Are Necessary

The healthcare sector faces unique challenges in cybersecurity. With sensitive patient data at risk, breaches not only compromise privacy but also undermine patient trust and patient care.

Cost is also a core concern on two fronts: the lucrative price that compromised patient records fetch on the dark web, and the rising cost of a data breach in healthcare.

According to the 2024 IBM Cost of a Data Breach study, “Healthcare breaches cost the most. For the 9th year in a row, healthcare organizations had the highest cost of a breach – nearly $6.5 million on average (over 60% more than other industries in the study).”

Healthcare records contain a wealth of valuable information, make individuals targets for blackmail and ransom, and fetch higher prices per record, from $300 to $1,000 each, once obtained and posted for sale on the dark web.

The proposed updates aim to:

  1. Address gaps in the current HIPAA Security Rule.
  2. Provide clear and actionable guidance for managing risks.
  3. Standardize security practices across the industry.
  4. Strengthen accountability for covered entities and business associates.

Figure: Locations of breached ePHI

When it comes to cyberattacks, you can see how some of these new requirements will help reduce the sources of breaches: network servers, email, and other endpoints. According to research from HIPAA Journal, 70% of breaches in 2023 were linked to vulnerable network servers.

Key Proposed Controls and Requirements

What makes the new proposed changes unique is that several specific control requirements are planned. This is highly unusual for HHS, which has never wanted to be so specific. HHS realizes, though, that leaving controls unspecified allows broad interpretation and, oftentimes, poor security practices that remain technically compliant. The specific controls are designed to improve the security posture of covered entities and their business associates. Let’s review the proposed changes:

1. Mandatory Technology Asset Inventory

Organizations must develop and maintain a comprehensive inventory of technology assets, including all devices, software, and systems handling ePHI. This inventory must:

  • Be updated at least annually or whenever significant changes occur.
  • Include details such as device types, locations, and the ePHI they handle.
  • Serve as a foundation for managing vulnerabilities and risks associated with technology assets.

2. Network Mapping

The proposed rules call for a detailed network map illustrating ePHI flows within your organization’s systems. This map must:

  • Identify all data storage locations, transmission paths, and endpoints.
  • Be updated regularly to reflect changes in infrastructure.

3. Specific Risk Analysis Requirements

Organizations must conduct detailed risk analyses, including:

  • Identifying potential threats and vulnerabilities to ePHI.
  • Assessing the likelihood and impact of each risk.
  • Prioritizing risks based on their severity.

4. Elimination of Addressable Specifications

All controls previously categorized as “addressable” will now be mandatory, with justifications for non-compliance requiring thorough documentation.

5. Policy and Procedure Documentation

The proposed rules emphasize written policies and procedures. Organizations must:

  • Maintain comprehensive documentation of Security Rule policies.
  • Regularly update documentation to reflect changes in threats or operations.

6. Encryption and Authentication Standards

Stronger encryption and authentication measures for ePHI are required, including:

  • Encrypting data at rest and in transit.
  • Implementing multi-factor authentication (MFA) for accessing high-risk systems.

7. Defined Timeframes for Compliance

Organizations must adhere to specific timelines for implementing and reviewing controls. For example:

  • Asset inventories and network maps must be updated at least annually.
  • Risk analyses must be conducted regularly.

8. Access Management Controls

Access to ePHI must be tightly controlled, including:

  • Assigning unique identifiers to users.
  • Regularly reviewing and updating access permissions.

Figure: Patterns in healthcare breaches

According to the 2024 Verizon DBIR report, ‘Miscellaneous Errors’ from insiders spiked as a leading source of compromise after a steady decline over several years. Tighter access management is needed to reduce this breach source.

9. Ongoing Monitoring and Auditing

Continuous monitoring and periodic audits are critical. Organizations must:

  • Monitor systems for unauthorized access and anomalies.
  • Conduct regular audits to evaluate security practices.

How FortifyData helps meet the requirements of each proposed change:

  • Mandatory technology asset inventory: Provides automated asset discovery and tracking, ensuring your inventory remains current and accurate with minimal manual effort.
  • Network mapping: Continuously identifies new assets and changes to the environment, allowing you to better address network mapping requirements as they evolve.
  • Specific risk analysis requirements: Simplifies risk analysis by identifying and prioritizing risks through automated assessments, risk classification, and prioritization, empowering your team to focus on mitigation rather than data gathering.
  • Elimination of addressable specifications: Ensures full compliance by guiding your organization through the implementation of required controls and documenting efforts for auditors and regulators.
  • Policy and procedure documentation: The Cyber GRC module centralizes and manages compliance documentation, reporting on gaps by policy and streamlining compliance efforts across the organization.
  • Encryption and authentication standards: Accounts for MFA and encryption policies to automatically reduce risk associated with encryption and MFA-specific controls in the compliance framework.
  • Defined timeframes for compliance: Automates compliance with reminders, scheduling, and updates through the platform, ensuring timely and ongoing compliance with proposed rule timelines.
  • Access management controls: Simplifies user tracking and permissions management with full RBAC settings within the FortifyData platform, reducing the risk of unauthorized access to ePHI.
  • Ongoing monitoring and auditing: Provides continuous monitoring and audit capabilities to identify and address issues proactively rather than reactively.

Implications for Hospitals and Clinics

The proposed changes will impact healthcare organizations significantly. New York hospitals face additional state-level cybersecurity requirements under 10 NYCRR 405.46. Key implications include:

  • Increased Compliance Burden: Organizations will need to allocate resources to meet new requirements, including budget, personnel, technology, and training.
  • Enhanced Accountability: Emphasis on documentation and mandatory controls will heighten accountability for security practices.
  • Improved Security Posture: By adopting these measures, hospitals and clinics can reduce risks and build patient trust.

Preparing for the Proposed Changes

FortifyData recommends taking proactive steps to prepare for these changes:

  1. Conduct a Gap Analysis:
    • Compare your current practices with the proposed requirements.
    • Identify areas needing improvement.
  2. Develop a Compliance Roadmap:
    • Plan for implementing new controls and updating existing ones.
    • Use FortifyData’s platform to track progress and maintain compliance.
  3. Invest in Training and Awareness:
    • Educate staff about the proposed changes and their roles in compliance.
  4. Engage with Stakeholders:
    • Involve leadership, IT teams, and legal counsel in planning efforts.

Other Considerations: Third-Party Risk Management (TPRM)

Third-party attack vectors also continue to grow. The HIPAA Security Rule already includes measures such as requiring a Business Associate Agreement (BAA) obligating the business associate to “Comply with the HIPAA Security Rule’s administrative, physical, and technical safeguards,” “Report security incidents and breaches to the CE,” and “Ensure that any subcontractors they use that handle PHI also have BAAs in place and comply with HIPAA.” Even so, business associates, or third parties, continue to be an entry point into healthcare organizations or the source of healthcare patient data breaches.

It’s clear that, while well-intentioned, this isn’t reducing the growth of third-party attack vectors in healthcare. “35% of third-party breaches affected healthcare organizations with application security presenting the broadest attack surface, according to a new cybersecurity analysis of the largest healthcare companies.”

The WHO reports that supply chain attacks tripled in Q1 2024 compared to Q1 2023. Expect business associate risk management issues to increase as more software is used and as software supply chains continue to be exploited through vulnerabilities in code from an open-source library or other software provider that is embedded in a software package or technology a healthcare provider uses.

Towards A More Secure Healthcare Industry

The proposed updates to the HIPAA Security Rule represent a crucial step in enhancing cybersecurity across the healthcare sector. By addressing gaps in the current framework and introducing specific controls, HHS aims to better protect ePHI and patient trust.

FortifyData is here to help hospitals and clinics navigate these proposed changes, providing solutions that simplify compliance and strengthen your security posture. Why wait to improve cybersecurity until it’s required? You’ll find it can be simpler with an automated platform. 

See how FortifyData supports healthcare organizations across the full risk management lifecycle on our healthcare cyber risk management page.

Frequently asked questions about the proposed HIPAA Security Rule updates

When will the proposed HIPAA Security Rule updates take effect?

HHS released the proposed updates in January 2025. The rule is expected to take effect in 2027, giving covered entities and business associates a limited window to assess their current posture against the proposed requirements and begin closing gaps. Organizations that wait for the final rule before acting will have less time to implement what are, in some cases, significant operational and technical changes.

What is the difference between “addressable” and “required” HIPAA controls?

Under the current HIPAA Security Rule, “addressable” controls give covered entities flexibility — organizations can implement an alternative measure if the specified control is not reasonable and appropriate for their environment, as long as they document the rationale. The proposed updates eliminate this flexibility for several controls, reclassifying them as “required.” This means organizations that have been treating addressable controls as optional, or implementing minimal alternatives, will need to fully implement the specified controls or face noncompliance.

What are the most significant new requirements in the proposed HIPAA Security Rule?

The most operationally significant proposed requirements include mandatory technology asset inventory updated at least annually, detailed network mapping of ePHI flows, specific risk analysis requirements with documented threat and vulnerability assessments, multi-factor authentication for accessing high-risk systems, encryption of ePHI at rest and in transit, and defined compliance timeframes for implementing and reviewing controls. For many organizations, the asset inventory and network mapping requirements will require the most immediate investment given how few have maintained current, comprehensive inventories.

Do the proposed HIPAA updates affect business associates as well as covered entities?

Yes. Business associates are subject to HIPAA’s Security Rule requirements directly, and the proposed updates apply to them as well as to covered entities. The proposed rules also strengthen the requirements around business associate oversight — covered entities will need to demonstrate more active and continuous monitoring of their business associates’ security posture, not just the existence of a Business Associate Agreement. For covered entities managing dozens or hundreds of business associates, this represents a significant operational requirement that manual questionnaire processes are not designed to satisfy at scale.

Why does healthcare have the highest data breach costs of any industry?

Healthcare has led all industries in average data breach cost for nine consecutive years, reaching nearly $6.5 million per breach on average according to the 2024 IBM Cost of a Data Breach study. The combination of highly sensitive patient data, complex technology environments including healthcare IoT and legacy systems, regulatory penalties, patient notification requirements, and the operational disruption of ransomware attacks on clinical systems contributes to this cost profile. Healthcare records also command higher prices on the dark web than most other data types, making healthcare organizations disproportionately targeted.

How should healthcare organizations prepare for the proposed HIPAA Security Rule updates now?

The most practical starting point is a gap analysis comparing current security practices against the proposed requirements — particularly the asset inventory, network mapping, and risk analysis requirements where gaps are most common. Organizations should prioritize building a current, comprehensive technology asset inventory if one does not exist, as this is foundational to nearly every other proposed requirement. Business associate risk management programs should be assessed for their ability to provide continuous monitoring evidence rather than point-in-time questionnaire documentation. The 2027 timeline is closer than it appears given the implementation scope of some requirements.

FortifyData: One Platform, Total Visibility, Continuous Protection

FortifyData is a leading automated Cyber GRC and continuous cyber risk monitoring platform that empowers clients to reduce their cyber risk. By consolidating tools and providing a unified view of integrated security data and compliance, FortifyData offers continuous monitoring and automation, acting as a force multiplier for security and compliance teams and significantly improving cybersecurity posture.

FortifyData’s platform helps hospitals and healthcare organizations to prevent breaches, defend patient data, and meet security expectations and requirements while streamlining and rationalizing cybersecurity investments.


Have questions about this white paper or want to see a demo?

Reach out to FortifyData to discuss your organization’s approach and needs.