Healthcare is one of the most targeted sectors by malicious actors, with the number of breaches growing consistently year on year. Despite the common security risks affecting healthcare environments and numerous headline-hitting data breaches, healthcare remains under-resourced to defend against the increasing number of cyberattacks.
In early January 2025, HHS proposed a set of updates to the HIPAA Security Rule to provide more granular security regulations. This is a much-needed change for the industry, as it will force every healthcare organization to address its security risks head-on. But let’s be honest: while the proposed changes are a step in the right direction, they are far from a complete solution, and many of the new requirements will be difficult for under-resourced organizations to meet.
Why is the HIPAA framework adding new regulations?
The HIPAA Security Rule has undergone a few major revisions since its inception, with the most recent occurring in the early 2000s. Since then, only minor updates have been applied to the framework, none of which moved the proverbial needle from a security perspective. Furthermore, the current HIPAA security guidelines read more like recommendations than requirements.
In short, it was time for an overhaul of the security guidelines, especially where they related to identity security. It’s also worth noting that the updates didn’t come out of nowhere: they were a direct response to the growing number of attacks in the healthcare industry in recent years. The common denominator with attacks in this sector was the use of compromised credentials and undetected lateral movement.
As a result of these continued, successful breaches of healthcare providers, the HIPAA regulators came out with a strong and clear message: enough is enough.
These new proposed guidelines aim to tackle the sector’s lack of security controls and posture. They’re also a serious reality check for an industry struggling to keep up with security best practices.
Key proposed changes to the HIPAA framework
On January 6th, 2025, the Department of Health and Human Services (HHS) unveiled a comprehensive proposal for updating the HIPAA framework, marking a significant step towards enhancing the security and privacy of electronic protected health information (ePHI).
According to OCR’s announcement, the proposed rule seeks to “improve cybersecurity and better protect the U.S. healthcare system from a growing number of cyberattacks” and “better align the Security Rule with modern best practices in cybersecurity.”
Let’s take a closer look at the proposed guidelines that specifically address identity security in the updated HIPAA Security Rule framework.
1. Compromised credentials and MFA
For all access points to electronic protected health information (ePHI), organizations will be required to implement MFA protection. This measure aims to mitigate risks associated with compromised credentials, reducing unauthorized access.
2. Incident response
Following the proposed updates, all policies, procedures, plans and analyses related to incident response must be documented in writing. A comprehensive incident response plan, including procedures for reporting incidents and restoring systems within 72 hours of a breach, must be developed by covered entities. Additionally, organizations must conduct annual security testing to ensure the effectiveness of the organization’s security controls.
3. Risk analysis
The HHS proposed more detailed requirements for conducting security risk analyses, including maintaining a written assessment that reviews the asset inventory and network map, identifies potential threats to protected health information (PHI), and evaluates each threat’s risk level. Organizations will benefit from this proactive approach by better understanding and mitigating security threats and risks.
4. Asset inventory
Healthcare organizations will be required to develop an asset inventory and network map that tracks the movement of ePHI throughout their systems. This comprehensive mapping requirement will help identify misconfigurations and security risks, ensuring all assets are adequately secured against unauthorized access.
5. Encryption
All PHI must be encrypted both at rest and in transit, reflecting a shift towards mandatory encryption practices rather than optional recommendations. This change highlights the critical importance of securing sensitive patient information from unauthorized access during storage and transmission.
6. Vulnerability scanning and penetration testing
Organizations will need to conduct vulnerability scans every six months and perform penetration testing at least once a year. These assessments will be crucial for identifying weaknesses in security measures before they can be exploited by malicious actors.
7. Compliance audits
Covered entities must conduct a compliance audit at least once a year to verify that technical controls are implemented effectively. Organizations must document this audit to prove that they have adhered to the updated security standards.
8. Security awareness training
The proposed rule includes new training requirements for workforce members covering how to identify and report security incidents, how to securely access electronic systems, and how to understand HIPAA policies. Training must be completed within 30 days of a workforce member being granted access to IT systems and must be renewed annually.
The hard truth for healthcare organizations
As significant as these updates are, they also highlight the challenges faced by under-resourced healthcare providers. Complying with these regulations requires adequate resources (IT staff and investment in technology and processes) that many healthcare providers struggle to secure. Non-compliance with HIPAA’s proposed framework could lead to regulatory penalties on top of the fallout from a security breach. By implementing stronger security controls and improving their overall security posture, healthcare organizations can take proactive steps to align with HIPAA’s proposed new security guidelines, which call for more stringent and extensive security measures.
A proactive security approach will lead to easier compliance
The proposed changes to the HIPAA framework are a necessary step toward helping the healthcare industry in its fight against cybercriminals. By addressing the different security risks and threats in the sector, HIPAA is providing a clear roadmap for reducing risk. However, achieving compliance will require significant effort, particularly for under-resourced organizations. Healthcare providers must take a proactive approach to security and act now to align with these changes, ensuring they are not only compliant but also resilient.
Want to learn more about how Silverfort can assist you in complying with HIPAA requirements? Schedule a call with one of our experts or download the State of Emergency: Identity Security Blind Spots Endanger Healthcare Services eBook.