January 2025 is ushering in a significant development in healthcare cybersecurity. With the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) proposing modifications to the HIPAA Security Rule, the healthcare sector faces its most consequential regulatory shift since the rule’s inception. If you’re reading this and thinking, “Another compliance hurdle?”—you’re not alone. But these changes go beyond ticking boxes. This is about addressing the evolving cyber risks threatening healthcare. Here’s what you need to know.
Healthcare Cybersecurity in 2025: A Reality Check on Risks and Resilience
We don’t need more headlines to remind us of the healthcare industry’s vulnerability to cybercriminals. Ransomware is responsible for killing one Medicare patient every month in the United States, according to a recent study. Cyberattacks on healthcare organizations surged 55% in 2024, exposing millions of patient records. Ransomware crippling hospitals, breaches exposing patient records, and supply chain risks in medical devices illustrate the sector’s urgent need for stronger defenses. While progress has been made, the proposed changes in the HIPAA Security Rule make clear that incremental steps aren’t enough. January 2025 brings the most significant update to the HIPAA Security Rule in decades, aiming to close critical gaps in healthcare cybersecurity.
HHS published its notice of proposed rulemaking (NPRM) on January 6, 2025, signaling a push toward cybersecurity maturity. The NPRM aligns with broader initiatives such as the National Cybersecurity Strategy, emphasizing resilience over mere compliance.
What’s in the Proposed HIPAA Security Rule Update?
OCR’s proposed modifications aim to modernize decades-old standards with actionable safeguards. Here are the highlights:
1. From “Addressable” to “Required”
For years, “addressable” implementation specifications allowed flexibility—sometimes too much. Under the NPRM, most specifications will now be “required,” with limited exceptions. Encryption and multi-factor authentication (MFA), for example, are now non-negotiable to prevent unauthorized access and data breaches.
2. Risk Analysis Becomes More Rigorous
Risk analysis is often the weak link in security programs. The NPRM strengthens this process by:
- Requiring written assessments that include technology asset inventories and network maps.
- Identifying specific threats, vulnerabilities, and risks.
- Assigning risk levels based on threat likelihood and impact.
This forces entities to adopt a threat-informed security posture.
3. Asset Management Meets Network Visibility
The NPRM emphasizes visibility by requiring:
- Updated technology asset inventories for systems handling ePHI.
- Network maps showing ePHI flows.
- Annual reviews or updates following significant changes.
This focus on visibility encourages continuous monitoring.
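The two artifacts in sections 2 and 3 above, a technology asset inventory and a network map of ePHI flows, are what a written risk analysis is built from. The script below is an added example, not code from the original post or from Converge: it walks a constructed inventory and flow map (the system names, segments and safeguard flags are hypothetical) and produces a ranked set of findings, each tied to a specific threat and vulnerability and assigned a level from likelihood times impact. It checks every ePHI system for encryption at rest, MFA and isolation from non-ePHI systems, checks every link that carries ePHI for encryption in transit, and reconciles the map against the inventory so that a system receiving ePHI but not inventoried as such is itself reported as a gap. The likelihood and impact ratings are illustrative judgments, not values taken from the rule.

```python
"""Risk analysis driven by a technology asset inventory and an ePHI network map.

Added example, not part of the original post. System names, segments and
safeguard flags are constructed; likelihood and impact ratings are illustrative.
"""
from dataclasses import dataclass

# Constructed sample inventory: which systems handle ePHI and which
# safeguards they currently have.
ASSETS = {
    "ehr-db":        {"ephi": True,  "segment": "clinical", "encrypted_at_rest": True,  "mfa": True},
    "ehr-app":       {"ephi": True,  "segment": "clinical", "encrypted_at_rest": True,  "mfa": True},
    "billing-app":   {"ephi": True,  "segment": "corp",     "encrypted_at_rest": False, "mfa": False},
    "backup-nas":    {"ephi": True,  "segment": "corp",     "encrypted_at_rest": False, "mfa": False},
    "hr-portal":     {"ephi": False, "segment": "corp",     "encrypted_at_rest": True,  "mfa": True},
    "analytics-srv": {"ephi": False, "segment": "corp",     "encrypted_at_rest": True,  "mfa": True},
}

# Constructed network map: (source, destination, encrypted_in_transit) for
# every link over which ePHI moves.
FLOWS = [
    ("ehr-app",     "ehr-db",        True),
    ("ehr-app",     "billing-app",   True),
    ("billing-app", "backup-nas",    False),
    ("ehr-db",      "backup-nas",    False),
    ("billing-app", "analytics-srv", True),
]

RATING = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood, impact):
    """Map likelihood x impact (a score of 1 to 9) onto a three-step level."""
    score = RATING[likelihood] * RATING[impact]
    if score >= 6:
        return "high", score
    if score >= 3:
        return "medium", score
    return "low", score


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    level: str
    score: int


def _finding(asset, threat, vulnerability, likelihood, impact):
    level, score = risk_level(likelihood, impact)
    return Finding(asset, threat, vulnerability, likelihood, impact, level, score)


def analyze(assets, flows):
    """Return findings ranked by score, highest risk first."""
    findings = []
    segments = {}
    for name, a in assets.items():
        segments.setdefault(a["segment"], []).append(name)

    for name, a in assets.items():
        if not a["ephi"]:
            continue  # only systems that create, receive, maintain or transmit ePHI are in scope
        if not a["encrypted_at_rest"]:
            findings.append(_finding(name, "theft of storage media or direct database read",
                                     "ePHI stored without encryption at rest", "medium", "high"))
        if not a["mfa"]:
            findings.append(_finding(name, "credential phishing or password reuse",
                                     "ePHI accessible without MFA", "high", "high"))
        # Segmentation check: an ePHI system sharing a segment with non-ePHI hosts
        # is reachable from any of them if they are compromised.
        neighbours = sorted(n for n in segments[a["segment"]] if not assets[n]["ephi"])
        if neighbours:
            findings.append(_finding(name, "lateral movement from a compromised non-ePHI host",
                                     "shares a segment with non-ePHI systems: " + ", ".join(neighbours),
                                     "medium", "medium"))

    for src, dst, encrypted in flows:
        if not encrypted:
            findings.append(_finding(f"{src}->{dst}", "interception on the network path",
                                     "ePHI transmitted without encryption in transit", "medium", "high"))
        if not assets[dst]["ephi"]:
            # The map says ePHI arrives here but the inventory does not record it, so the
            # written inventory is incomplete and this system escaped every check above.
            findings.append(_finding(dst, "unmanaged copy of ePHI outside the inventory",
                                     f"receives ePHI from {src} but is not inventoried as an ePHI system",
                                     "medium", "high"))

    return sorted(findings, key=lambda f: f.score, reverse=True)


def summary(findings):
    """Count findings per level, the figure a written assessment reports to leadership."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.level] += 1
    return counts


if __name__ == "__main__":
    results = analyze(ASSETS, FLOWS)
    for f in results:
        print(f"[{f.level:6}] {f.asset}: {f.vulnerability} (threat: {f.threat})")
    print(summary(results))
```

Rerunning the script after each significant change (and at least annually, per the NPRM's review cadence) regenerates the findings from the current inventory and map rather than from a stale document; the inventory-reconciliation check is the one that most often surfaces systems nobody realised were holding ePHI.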
4. Incident Response and Contingency Planning
Regulated entities must:
- Develop incident response plans with clear reporting and response protocols.
- Restore critical systems within 72 hours.
- Regularly test and update contingency plans.
These measures formalize best practices like tabletop exercises to validate readiness.
5. Encryption, MFA, Network Segmentation, and Technical Controls
The NPRM mandates:
- Encryption of ePHI at rest and in transit.
- Network segmentation.
- Deployment of anti-malware, port management, and software hardening techniques.
- Consistent configuration management across systems.
These changes address baseline cybersecurity hygiene.
6. Audits and Penetration Testing
Organizations must conduct:
- Annual compliance audits.
- Semi-annual vulnerability scans.
- Annual penetration tests.
This integrates assessments into the security lifecycle.
7. Accountability for Business Associates
Business associates must:
- Verify technical safeguards annually.
- Provide written certification of compliance.
- Notify covered entities within 24 hours of activating contingency plans.
This extends accountability across the supply chain.
How CIS and NIST Frameworks Align with the Proposed HIPAA Security Rule Update
Achieving compliance with the proposed HIPAA Security Rule update doesn’t have to mean starting from scratch. The CIS Critical Security Controls (CIS CSC v8.1), NIST 800-66, and NIST Cybersecurity Framework (NIST CSF 2.0) provide roadmaps for building robust security programs. Here’s how these frameworks align with the NPRM’s goals:
CIS CSC v8.1
- Asset Management (Control 1) ensures visibility into technology assets, a requirement under the NPRM.
- Data Protection (Control 13) emphasizes encryption and secure data handling, aligning with HIPAA mandates for ePHI.
- Incident Response (Control 17) helps formalize response protocols, including testing and reporting procedures.
NIST 800-66
- Guidance on Implementing the HIPAA Security Rule: NIST 800-66 provides detailed, practical guidance on interpreting and implementing the administrative, physical, and technical safeguards required under the HIPAA Security Rule, helping organizations achieve compliance.
- Risk Management Framework: It aligns with NIST’s broader risk management framework, offering a structured approach to identifying, assessing, and mitigating risks to electronic protected health information (ePHI).
- Emphasis on Current Threats: The publication highlights best practices for addressing modern cybersecurity threats such as ransomware and phishing, which are likely focal points of the proposed modifications given their bearing on the protection of ePHI.
- Scalability and Flexibility: NIST 800-66 supports the scalability of security measures, making it particularly useful for covered entities and business associates of varying sizes to adopt tailored safeguards in line with updated Security Rule requirements.
NIST CSF 2.0
- The Identify and Protect functions guide risk analysis and safeguard implementation.
- The Detect function emphasizes continuous monitoring and threat identification, supporting the NPRM’s focus on network visibility.
- The Respond and Recover functions align with incident response and contingency planning requirements.
These frameworks not only guide compliance but also foster a culture of proactive cybersecurity.
Compliance vs. Security: The True Impact of the HIPAA Security Rule Update
It’s tempting to view the NPRM as red tape, but doing so misses the point. This isn’t about adding rules—it’s about closing exploitable gaps. Organizations must avoid treating this as a “compliance exercise.”
1. Cybersecurity & Compliance Is a Journey, Not a Destination
The NPRM emphasizes ongoing activities like annual audits and regular updates to policies and procedures. These aren’t “one-and-done” tasks—they’re integral to an evolving cybersecurity program.
2. Risk-Based Decision-Making
Despite stricter requirements, the NPRM reinforces risk-based approaches. Meaningful risk analyses will distinguish resilient organizations from those simply seeking compliance.
3. Security by Design
Mandates like encryption, network segmentation, and MFA are foundational to reducing the attack surface. Treat these as building blocks for a secure architecture.
Challenges Ahead
Embracing security as a journey is key, but navigating these changes requires overcoming significant challenges, especially for smaller organizations and business associates. These include:
- Resource Constraints: Limited budgets and expertise may hinder compliance. Managed security services will play a larger role.
- Cultural Resistance: Change is hard in underfunded sectors. Leadership buy-in is critical.
- Supply Chain Complexity: Ensuring third-party compliance requires robust vendor management programs.
Action Steps
Today’s evolving threat landscape calls for proactive preparation. Here are the critical steps healthcare entities and business associates should take now to strengthen their cybersecurity posture:
- Assess Current State: Conduct a gap analysis against the proposed requirements. Identify strengths and areas needing improvement.
- Update Policies and Procedures: Draft or revise documentation for risk analysis, incident response, and contingency planning.
- Invest in Technology: Address gaps in encryption, MFA, network segmentation, network mapping, vulnerability management, and penetration testing. Be sure to include cloud service provider environments that handle ePHI and assess the security posture of those environments.
- Engage Leadership: Use the NPRM to secure funding and leadership support.
- Monitor the NPRM Process: Submit comments and stay informed on final rule developments.
Deadlines to Watch
The NPRM sets forth key timelines:
- Comment Period Ends: Stakeholders can submit comments on the proposed rule until March 7, 2025.
- Final Rule Publication: While the exact date is uncertain, finalization is expected in late 2025 or early 2026.
- Compliance Deadline: Entities typically have 180 days after the final rule’s effective date to achieve compliance. Organizations should start planning now.
Final Thoughts
The long-overdue proposed modifications to the HIPAA Security Rule mark a transformative moment for healthcare cybersecurity. These changes aren’t just about compliance—they’re a call to address the escalating cyber risks threatening patient safety and data integrity. By adopting a proactive, risk-based approach, organizations can build not just compliant but resilient security programs.
Don’t wait to act—start preparing now. Assess your current state, align with industry frameworks like NIST and CIS CSC, and develop a roadmap to the future of healthcare compliance and cybersecurity maturity.
How Converge Can Help
Navigating regulatory changes like this NPRM doesn’t have to be overwhelming. Let Converge Technology Solutions be your partner in turning compliance into a strategic advantage. At Converge, we specialize in:
- Gap Analysis: We’ll assess your current security posture against HIPAA requirements and industry frameworks like CIS CSC v8.1, NIST 800-66, and NIST CSF 2.0. This identifies areas where you excel and where improvement is needed.
- Roadmap Development: Based on your gap analysis, we’ll create a clear, actionable roadmap to help you achieve compliance while strengthening your cybersecurity program.
- Managed Services: From vulnerability scans to penetration testing, we can handle the technical aspects so your team can focus on strategic priorities.
- Leadership Engagement: Our team helps you build a compelling business case for leadership buy-in, creating a roadmap and a rough order-of-magnitude estimate for remediation so you can secure the necessary resources.
With our expertise, you can move beyond compliance to build a resilient, secure environment for your organization.
Contact us today to schedule a gap analysis or explore how our managed services can guide your journey from compliance to resilience.
Let’s build a stronger, safer healthcare system together.
For more information on the proposed rule, visit the Federal Register publication.