New Proposed HIPAA Rule Change: What Healthcare Providers Need To Know
With a spate of massive cybersecurity attacks rocking the healthcare industry in recent years, the federal government is searching for ways to strengthen cybersecurity maturity to better safeguard sensitive patient information.
A new proposal, published in the Federal Register on January 6, 2025, looks to improve safeguards for electronic protected health information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA).
The proposal, issued by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), would mark the first significant update to the HIPAA Security Rule since it was first introduced in 2003 and revised in 2013.
The proposed compliance requirements mirror what the Department of Defense (DoD) has done with the rollout of its Cybersecurity Maturity Model Certification (CMMC) Final Rule, which went into effect in December.
CMMC 2.0 consolidates existing DoD cybersecurity frameworks and guidelines into a structured, three-tiered program. Under the revamped rule, primes and their subcontractors within the Defense Industrial Base (DIB) must now satisfy specific security and assessment requirements for their level.
To ensure the ongoing security of its supply chain, the DoD is now requiring that DIB businesses get audited to prove they’re doing everything possible to protect the federal contract information (FCI) and controlled unclassified information (CUI) that they store, process, or transmit.
Businesses must pass the assessment to get CMMC certified, or risk losing their federal contracts, being disqualified from obtaining new ones, or potentially facing severe fines and penalties for noncompliance.
Similarly, the HHS is looking to verify HIPAA compliance across its supply chain to keep electronic patient, financial, and other sensitive information from falling into the wrong hands.
Why Current Cybersecurity Laws Aren’t Enough
The number of cyberattacks targeting the healthcare industry is on the rise.
During the ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary, the protected information of an estimated 190 million individuals was stolen, including names, Social Security numbers, dates of birth, and medical records.
The attack paralyzed much of the healthcare industry, shutting down critical patient care authorization, prescription drug processing, and claims processing systems.
The February 2024 attack resulted in widespread service disruptions, and in some instances, potentially put patient lives at risk.
It represented the single largest cyberattack ever to hit the healthcare industry, impacting hospitals, care facilities, pharmacies, private practices, and other healthcare organizations across the country.
“Many providers were forced to exhaust personal funds to keep their businesses open, and many providers were pushed to the brink of closure,” The HIPAA Journal reported.
To ease the cash crunch the attack caused providers, UnitedHealth Group set up a financial assistance program with no-interest loans; it has already paid out $9 billion.
In an unrelated data breach in April 2024, Kaiser Permanente disclosed that attackers were able to gain unauthorized access to the personal and medical records of an estimated 13.4 million members.
Kaiser said the breach happened because threat actors were able to gain access to two employee email accounts, exposing the sensitive information.
By the end of 2024, the protected health information (PHI) of an estimated 276.8 million people had been stolen or compromised (including those through the Change Healthcare attack), according to The HIPAA Journal.
6 Major HIPAA Compliance Changes Healthcare Orgs Must Prepare For
Since electronic patient records remain a gold mine for criminal enterprises to use in extortion attempts, the alarming trend is expected to only worsen in the coming years.
Bad actors are using greater financial and technological resources, including AI, to launch increasingly sophisticated attacks.
With that in mind, federal regulators are trying to find ways to stem the tide.
Healthcare organizations must already meet strict cybersecurity and data protection requirements under HIPAA. Under the proposed HIPAA Security Rule 2025 update, however, those compliance requirements would be beefed up significantly.
Those enhanced cybersecurity measures include advanced encryption, multi-factor authentication, incident response reporting, and business continuity planning, along with regular risk assessments and audits.
These new HIPAA compliance requirements would be standardized across the industry to better protect confidential patient electronic protected health information (ePHI).
Healthcare organizations that fail to meet the compliance requirements could face hefty fines and penalties from the government.
As part of its rationale for making the proposed rule changes, the government cited the widespread conversion to electronic patient records within the industry, a focus on patient safety during a cyber incident, and the need for more uniform implementation of cybersecurity controls and oversight throughout the industry.
Ultimately, the goal of the proposed healthcare cybersecurity regulation change is to ensure the ongoing security, integrity, and availability of confidential patient ePHI.
What are the changes to HIPAA data security compliance?
Here are 6 proposed changes:
1. Annual Inventory Review
- Conduct an annual inventory audit of your environment
- Categorize and document all of your assets (including data, hardware, software, cloud-based services, electronic media, and other resources) that could store, process, or transmit ePHI
- Create a map to track the flow of ePHI as it travels through your environment
- Periodically review and update your records to ensure they accurately reflect your current environment
2. Risk Assessments
- Perform annual risk assessments of your environment
- Evaluate your current security posture
- Identify security gaps and potential threats
- Document the risk and potential effect of such security vulnerabilities
- Establish and implement proposed remediation controls to correct identified security flaws
- Develop and adopt comprehensive cybersecurity controls, policies, and procedures for handling ePHI to mitigate cyber incidents
3. Mandatory Cybersecurity Safeguards
- User identity verification and access controls
- Multi-factor authentication for all technology assets (with few exceptions)
- Advanced data encryption
- Regular vulnerability scanning and penetration testing
4. Threat Detection and Incident Response
- Create a formal incident response plan to document how your organization identifies and responds to cybersecurity incidents
- Detail the security measures you’ve implemented to block and mitigate threats
- Review your incident response plan annually and update it as necessary
5. Business Continuity and Disaster Recovery
- Ensure secure data backups
- Create and adopt a detailed business continuity and disaster recovery (BCDR) plan to outline your operational response both during and after a cyberattack
6. Annual Compliance Audits
- Perform a formal, internal audit to verify ongoing HIPAA compliance
- The audit may need to have written verification, with your specific cybersecurity tools, policies, and procedures documented by an external cybersecurity professional, such as a managed IT services provider (MSP)
- Must be completed at least annually; larger organizations may be required to conduct such audits more frequently
- All documented evidence of compliance must be readily accessible and available for review, including formal risk assessments, implemented security controls, the incident response plan, and the business continuity plan
- In a major policy shift, covered healthcare organizations would be responsible for verifying that their business associates have met the compliance requirements, including all documentation
The Bottom Line With Proposed HIPAA Security Rule Changes
In the face of growing cyber incidents and cybersecurity deficiencies, the HHS Office for Civil Rights is taking action. After reading this article, you now understand why the HHS is moving toward revamping HIPAA, and what this will mean for healthcare organizations.
The proposed rule change, the first major update to the regulation in more than a decade, will require healthcare organizations to modernize their technology and implement more robust security measures to meet compliance.
They’ll also need to ensure they have the proper documentation to prove they’ve met compliance, similar to the CMMC 2.0 Final Rule.
Do you have the internal IT department that has the knowledge and specialized skills to implement such security controls and documentation? Even if you do, the proposal calls for an independent review and verification process by an external cybersecurity expert.
With that said, if you don’t know how your security defenses measure up, or you want to learn if you have any hidden security gaps within your environment, a managed IT provider can help.
With managed IT support, you gain a deep bench of IT professionals with broad industry knowledge and technical expertise who can assess your environment and implement the right cybersecurity tools for your business.
If you do decide to partner with an MSP, we encourage you to thoroughly research your choices to help ensure that you pick a provider capable of aligning your technology needs with your long-term business objectives.
If you have concerns about your cybersecurity posture, we’re here to help.
At Kelser, we have decades of experience helping clients meet compliance requirements for a variety of security regulations and frameworks, including HIPAA, NIST, and CMMC.
Click the button to reach out and we’ll get back to you quickly to schedule a brief call to learn more about your IT and cybersecurity challenges to see how we can help you strengthen your security defenses to minimize risk and meet compliance.