The request for input and the subsequent proposed changes are a response to the significant increase in cyberattacks within the healthcare industry in recent years. Between 2018 and 2023, data breaches that were caused by hackers increased by over 239%.
Current State of Regulations
The 60-day public comment period for the proposed changes closed on March 7, 2025, and the current Administration will decide whether to release a Final Rule. The Final Rule is expected in mid to late 2025, and the updates would likely take effect in late 2025 or early 2026. Organizations typically have 180 days from the effective date to implement most provisions; however, covered entities have historically received a grace period to comply with new requirements. Changes to the Security Rule do not require a vote from Congress; they go through a public comment and revision period, which makes finalization considerably more likely than it would be for new legislation.
The following items are good security hygiene, and organizations should adopt them where feasible to prepare for the proposed changes.
- Technology Asset Inventory and Network Map: Most organizations historically struggle to manage a current and comprehensive asset inventory (hardware and software) and the corresponding data flows due to organizational complexity. A thorough understanding of this inventory is essential for understanding where electronic protected health information (ePHI) is present and subsequently encrypting it at rest and in transit.
Consideration: If your network is relatively static, manual processes (e.g., workshops with the network, infrastructure, and application teams) may suffice to document a network map and an asset inventory. For more dynamic environments, scanning tools (e.g., Nmap) can provide regularly updated views of live hosts and exposed services, and the results can be fed into an asset inventory, IP address management, or configuration management database (CMDB) platform (e.g., NetBox) so the inventory stays current.
- Contingency and Incident Response Plan: The expectation is that critical systems are restored within 72 hours, which may be difficult to accomplish depending on the number of critical systems, organizational staffing, and operational capacity.
Consideration: Conduct business impact analyses (BIAs) to prioritize critical systems and applications in the environment. A BIA can define system owners, dependencies, and the financial, legal, and compliance impact of an outage. Review and update the BIA methodology periodically to ensure the distribution of criticality ratings reflects the organization's actual risk profile.
- Frequent Testing: The proposed changes increase the focus on testing activities and the frequency with which they occur. Proposed testing activities include regular Security Rule compliance audits, prescribed timelines for vulnerability scans (at least every 6 months) and penetration tests (at least every 12 months), and annual verification of business associates' and contractors' security measures, which may be difficult depending on the maturity of those parties' security programs. A Business Associate Agreement (BAA) is a contract required under HIPAA when a healthcare provider or other covered entity works with an outside party (a business associate) that will have access to Protected Health Information (PHI).
Consideration: Engage your Compliance, Legal, and/or Vendor Management teams to document all existing and prospective BAAs. Review vendor risk management processes and ensure an annual security review of every business associate is required regardless of its criticality. The review should evaluate the business associate's security measures and can be based on industry frameworks (e.g., NIST CSF, NIST SP 800-53, CIS Controls v8, SIG/SIG Lite).
- Network Segmentation: Implementing network segmentation to limit access between systems and isolate sensitive data is a complex task. Challenges include legacy system dependencies, limited visibility into the network architecture, and the difficulty of configuring access controls without disrupting business operations or patient safety.
Consideration: Use the outputs of the "Technology Asset Inventory and Network Map" recommendation to inform the segmentation approach. Once data flows are understood and prioritized, a layered segmentation plan can be designed: start by separating externally facing systems from internal systems, then segment internal high-risk assets and applications from the rest of the network (e.g., isolate internet-connected medical devices, separate workstations from servers and file shares, and separate legacy applications from modern ones).
- Technical Safeguards for Portable Devices: Organizations will need to apply robust technical safeguards to portable devices such as laptops, mobile phones, tablets, removable media, and other portable equipment to ensure the security of ePHI.
Consideration: Use a mobile device management (MDM) solution to enforce policies and manage the configuration of devices with access to sensitive data, including required device encryption, password/passcode requirements, jailbreak/root detection, automatic OS and app updates, and automatic wipe after repeated failed unlock attempts. For removable storage, require all media to be encrypted or, ideally, block it entirely where feasible.
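The inventory and segmentation items above come together in practice as a repeatable check: parse scanner output into an asset list, assign each host to a planned zone, and flag what the plan does not cover or what still exposes ePHI in cleartext. The script below is an added example for this post, not SRA's tooling or anything from the proposed rule. The Nmap XML is constructed (it follows the `-oX` layout, but the hosts, names, and ports are invented), and the zone map, allowed cleartext-service list, and zone names are illustrative assumptions you would replace with your own network map.

```python
"""Turn Nmap XML into an asset inventory and check it against a segmentation plan.

Added example (not from the original post). All inputs below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in Nmap -oX layout: four hosts, invented names and ports.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/16">
<host><status state="up"/><address addr="10.0.10.5" addrtype="ipv4"/>
 <hostnames><hostname name="emr-db01" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
 </ports></host>
<host><status state="up"/><address addr="10.0.20.17" addrtype="ipv4"/>
 <hostnames><hostname name="infusion-pump-17" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd"/></port>
 </ports></host>
<host><status state="up"/><address addr="10.0.30.8" addrtype="ipv4"/>
 <hostnames><hostname name="ws-reg-08" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
 </ports></host>
<host><status state="up"/><address addr="192.168.5.2" addrtype="ipv4"/>
 <hostnames/>
 <ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports></host>
</nmaprun>"""

# Illustrative segmentation plan (assumption): subnet -> zone name.
ZONES = {
    "10.0.10.0/24": "servers",
    "10.0.20.0/24": "medical-devices",
    "10.0.30.0/24": "workstations",
}

# Service names Nmap reports for protocols that carry data in cleartext.
# ePHI over any of these is not encrypted in transit.
CLEARTEXT_SERVICES = {"telnet", "http", "ftp", "smtp", "pop3", "imap", "ldap"}


def parse_nmap_xml(xml_text):
    """Return one dict per live host: ip, hostname, and its OPEN services only."""
    root = ET.fromstring(xml_text)
    assets = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
            })
        assets.append({"ip": addr.get("addr"), "hostname": hostname, "services": services})
    return assets


def assign_zone(ip, zones=ZONES):
    """Map an address to the first matching planned subnet, else 'unzoned'."""
    address = ipaddress.ip_address(ip)
    for cidr, zone in zones.items():
        if address in ipaddress.ip_network(cidr):
            return zone
    return "unzoned"


def build_inventory(xml_text, zones=ZONES):
    """Inventory rows with zone assignment and any cleartext services exposed."""
    inventory = []
    for asset in parse_nmap_xml(xml_text):
        asset["zone"] = assign_zone(asset["ip"], zones)
        asset["cleartext_services"] = sorted(
            f"{s['port']}/{s['name']}" for s in asset["services"]
            if s["name"] in CLEARTEXT_SERVICES)
        inventory.append(asset)
    return inventory


def findings(inventory):
    """Hosts the plan does not cover, and hosts exposing cleartext services."""
    out = []
    for a in inventory:
        label = f"{a['ip']} ({a['hostname'] or 'no PTR'})"
        if a["zone"] == "unzoned":
            out.append(f"{label}: not covered by the segmentation plan")
        for svc in a["cleartext_services"]:
            out.append(f"{label} in zone {a['zone']}: cleartext service {svc}")
    return out


if __name__ == "__main__":
    for line in findings(build_inventory(SAMPLE_NMAP_XML)):
        print(line)
```

Running it against the sample reports the infusion pump's telnet and HTTP listeners (the medical-device zone is the one to isolate first) and the 192.168.5.2 host that no planned subnet covers, which is exactly the gap a network map is supposed to close. Against a real scan, replace `SAMPLE_NMAP_XML` with the contents of your `-oX` file and `ZONES` with the subnets from your own map; the unzoned list is the work queue for the inventory, and the cleartext list is the work queue for encryption in transit.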
What to Expect
If these proposed changes are implemented, healthcare providers, especially small providers, may struggle with the cost of upgrading and expanding security measures such as MFA, updating encryption standards, and meeting stricter compliance requirements. Many healthcare providers likely lack the resources to manage these updates, which makes implementation difficult. Additionally, covered entities must monitor the security controls of the business associates they hold BAAs with, which adds financial and logistical burden to all organizations involved. Those partners may feel added strain if they need to invest in new technology or staff to become compliant. Although the proposed changes have not gone into effect yet, it is important to start implementing them now to avoid running into resource shortages or tight budgets later.
How Can SRA Help?
At SRA, we help healthcare organizations better understand their security risks by conducting thorough HIPAA Risk Assessments. Our goal is to identify potential threats to their most critical data and provide clarity on where they may be vulnerable. The Health Industry Cybersecurity Practices (HICP) are voluntary cybersecurity best practices as opposed to the Security Rule which is a federal regulation. HICP offers practical, actionable guidance, which is a helpful supplement to the Security Rule. SRA uses HICP to inform HIPAA Risk Analyses to identify and address healthcare-specific cybersecurity risks. Want to learn more? Be sure to check out SRA’s blog, New Health Industry Cybersecurity Practices (HICP) Guidance Released: What You Need to Know.