Article | February 12, 2025

What healthcare organizations need to know about the proposed HIPAA Security Rule updates


The HIPAA Security Rule establishes national standards to protect electronic Protected Health Information (ePHI) from unauthorized access, breaches, and cyber threats. Covered entities and business associates must implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI. However, as healthcare technology advances and cyber threats become more sophisticated, existing security measures must keep pace. Proposed updates to the HIPAA Security Rule aim to strengthen compliance requirements, enhance cybersecurity defenses, and address emerging risks in digital healthcare.

Adapting to New Cybersecurity Challenges

From AI-powered diagnostics to virtual reality in patient care, technology is revolutionizing healthcare. While these innovations improve patient outcomes, they also create new security risks. The increasing frequency of breaches and cyberattacks highlights the need for stronger safeguards. The proposed HIPAA updates provide a more robust framework to enhance the resilience of information systems across healthcare organizations and other covered entities. Key recommendations call for:

  • Standard security controls
  • Risk-based security programs
  • Multi-factor authentication (MFA)
  • Offline data backups
  • Stronger incident response protocols

Organizations must also align risk analysis with National Institute of Standards and Technology (NIST) guidelines to improve threat detection and mitigation. These updates emphasize the urgent need to strengthen healthcare systems against sophisticated cyber threats.

Strengthening Compliance with Multi-Factor Authentication

Current HIPAA regulations categorize some security specifications as "addressable," allowing flexibility in implementation. The proposed changes would require full compliance or documented justification for adopting alternative security measures, holding all organizations to a uniform standard of security compliance and reducing vulnerabilities.

For example, MFA is currently recommended but not required; under the new rules, all covered entities must implement it or provide an alternative. If MFA is not feasible, entities must implement reasonable compensating controls, such as firewalls, hardened security settings, or physical safeguards, to protect ePHI. This requirement prevents organizations from ignoring security measures, reinforcing the need for comprehensive cybersecurity strategies.

Implementing Cybersecurity Best Practices

To combat growing cyber threats, the proposed HIPAA updates introduce minimum cybersecurity hygiene requirements that align with industry best practices. These include:

  • Designating a qualified information security officer
  • Eliminating default passwords
  • Enforcing multi-factor authentication
  • Maintaining offline data backups
  • Implementing timely software patching

Many healthcare organizations operate on outdated IT infrastructure, making them prime targets for cybercriminals. To comply with these new requirements, organizations may need to upgrade their systems with enhanced firewalls, encryption technologies, and proactive monitoring tools. Workforce training will also be emphasized as human error remains one of the biggest cybersecurity vulnerabilities. Employees must recognize phishing scams, securely handle patient data, and respond effectively to security incidents.

For instance, a hospital without MFA faces significant security risks if an employee falls victim to a phishing attack. By requiring MFA, the proposed updates reduce the likelihood of unauthorized access, protecting both patient data and operational integrity. Investing in cybersecurity infrastructure and workforce education enhances compliance while mitigating financial and reputational risks from data breaches.

Standardizing Security Controls and Risk Analysis with Audit Compliance

Another major change is the standardization of security controls across all covered entities. Organizations will be required to align their cybersecurity programs with recognized industry benchmarks, such as those outlined by NIST. Risk analysis will become a continuous process rather than a periodic exercise, requiring real-time monitoring, AI-driven threat detection, and automated compliance tracking. External audits may also be necessary to validate adherence to enhanced security requirements.

For example, a clinic relying on annual security reviews must transition to continuous risk assessments with real-time alerts. This proactive approach strengthens security, preventing breaches before they occur rather than simply responding after the fact.

Enhancing Incident Reporting and Detailed Records of ePHI Data Flows

The proposed updates focus on improving how organizations track and protect ePHI. Key changes include:

  • A standardized cyber incident reporting framework
  • Stricter security protocols
  • Detailed documentation of technology assets to mitigate risks

Organizations will be required to detect and report security incidents more quickly to comply with federal regulations for critical healthcare infrastructure. This will require adopting real-time monitoring tools that provide instant alerts, replacing outdated detection methods that may take weeks or months to identify breaches. Additionally, healthcare organizations will be required to maintain an up-to-date inventory of all technology assets and map ePHI data flows. This involves:

  • Documenting all devices, applications, and systems that handle ePHI
  • Regularly updating records to reflect new technologies, system integrations, or evolving threats
  • Identifying vulnerabilities within data flows to prevent security gaps that could expose patient information

Thorough asset tracking and network mapping enable proactive risk management, preventing compliance violations before they occur.

The proposed updates also mandate stronger encryption standards for ePHI at rest (stored data) and in transit (data transmission). Organizations using outdated encryption protocols must develop transition plans to modernize their security infrastructure. This proactive approach safeguards sensitive patient information from cyber threats and compliance risks.

Action Steps for Healthcare Organizations

With these updates on the horizon, organizations must take proactive steps to strengthen their security programs:

  1. Conduct a comprehensive gap analysis to identify areas needing improvement, including security protocols, IT infrastructure, and staff training.
  2. Allocate resources for cybersecurity upgrades, such as MFA, encryption, and automated threat detection tools.
  3. Enhance risk assessment protocols by aligning strategies with NIST guidelines and implementing standardized incident reporting frameworks.
  4. Engage cybersecurity experts and legal advisors to ensure smooth implementation of the proposed updates. Third-party audits can validate compliance readiness and identify vulnerabilities before they become major risks.

We Can Help

The proposed HIPAA Security Rule updates represent a necessary step in strengthening healthcare cybersecurity. As cyber threats continue to evolve, these changes will enhance the protection of ePHI, mitigate risks, and standardize compliance across the industry. However, meeting these new requirements will require healthcare organizations to invest in modern security tools, adopt proactive risk management strategies, and continuously educate their workforce on best practices.

By taking action now, healthcare providers can ease the transition to compliance and strengthen the protection of patient data. For expert guidance, contact the Elliott Davis healthcare team today. Our advisors can help you implement security measures, meet compliance requirements, and enhance cybersecurity. Staying ahead of these updates will protect sensitive health information and position organizations for long-term success.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
