October 14, 2025

9 Major Updates Proposed to the HIPAA Security Rule – What Healthcare Leaders Need to Know

9 Major Updates Proposed to the HIPAA Security Rule – What Healthcare Leaders Need to Know

The U.S. Department of Health and Human Services (HHS) has unveiled a sweeping proposal to overhaul the HIPAA Security Rule for the first time in over a decade. Announced in late 2024, this update aims to strengthen cybersecurity across the healthcare sector in response to escalating digital threats.

Healthcare organizations have faced a 1,000%+ increase in affected individuals from data breaches between 2018 and 2023, exposing millions of patient records. These attacks threaten patient safety, erode trust, and disrupt care delivery. Now, HHS is moving to modernize the Security Rule, aligning it with today’s cyber risks and frameworks like NIST.

This article outlines the top nine proposed updates and what they mean for healthcare executives and digital health leaders.

1. Annual Asset Inventory and ePHI Data Mapping

HHS proposes a new requirement to maintain an annual technology asset inventory and data flow map for all systems containing electronic protected health information (ePHI).

Healthcare organizations must:

  • Document every asset (hardware, software, and data repositories).
  • Map how ePHI moves through systems.
  • Review and update this inventory annually or after significant changes.

Why it matters: Visibility is the foundation of security. Executives will need to invest in asset management tools and data governance to maintain compliance. Digital health vendors must clearly document how their systems process ePHI.

2. More Rigorous and Specific Risk Assessments

Risk analysis will no longer be a check-the-box exercise. The proposed rule requires:

  • A written risk assessment identifying all threats and vulnerabilities.
  • Evaluation of each risk’s likelihood and impact.
  • Documentation of current controls and remediation plans.

Why it matters: This creates a uniform standard across the industry. Executives should expect more time-intensive assessments, likely requiring third-party validation. The outcome: clearer visibility into where to focus security investments.

3. Strengthened Vendor and Business Associate Oversight

Covered entities must actively verify and certify that vendors with access to ePHI maintain proper safeguards.

Business associates will be required to:

  • Conduct annual technical security analyses.
  • Provide written certifications signed by an executive.
  • Notify covered entities within 24 hours of activating contingency plans (e.g., during ransomware recovery).

Why it matters: The days of “trust but don’t verify” are over. Vendor oversight becomes a strategic risk area. Healthcare organizations should demand annual proof of compliance. Vendors must be ready to produce it.

4. Mandatory Multi-Factor Authentication (MFA)

MFA will move from a flexible “addressable” safeguard to a mandatory requirement for all ePHI systems.

Key takeaways:

  • Applies to all workforce and admin accounts.
  • Exceptions only for legacy devices with documented migration plans.
  • Password-only access will no longer meet compliance standards.

Why it matters: Credential theft remains the leading cause of breaches. Executives must prioritize MFA implementation across EHRs, cloud apps, and email systems. For smaller providers, this may require new tools and training.

5. Required Encryption of Data at Rest and in Transit

Encryption will now be mandatory—not just “addressable.” All ePHI, whether stored or transmitted, must be encrypted using industry-standard protocols.

Why it matters: Encryption drastically reduces breach impact, even if systems are compromised. While it introduces costs for legacy system upgrades, it also strengthens data protection across endpoints and networks. This change sets a new baseline for data privacy.

6. Formalized Incident Response Planning and Testing

Organizations must create written incident response plans that outline how to detect, report, and recover from security incidents. Plans must be tested annually through drills or simulations.

Why it matters: Preparedness is now a compliance requirement. Executives should ensure their teams have a defined playbook for containment, communication, and recovery. A tested plan can mean the difference between a quick recovery and a prolonged crisis.

7. Enhanced Contingency Planning and Disaster Recovery

HHS proposes a 72-hour recovery requirement for restoring critical systems and data after disruptions. Organizations must:

  • Conduct a criticality analysis to prioritize essential systems.
  • Maintain exact, retrievable backups.
  • Test recovery procedures regularly.

Why it matters: Extended downtime threatens patient safety. Leaders should evaluate whether their backup and recovery capabilities can realistically meet a 72-hour recovery objective—and plan investments accordingly.

8. Annual Security Compliance Audits

A new requirement mandates annual security compliance audits to verify adherence to every HIPAA Security Rule standard.

Why it matters: Continuous compliance replaces periodic checks. Executives should view these audits as opportunities for proactive improvement rather than reactive enforcement. Expect to dedicate resources or engage third-party auditors annually.

9. Tightened Workforce Access Controls and Monitoring

Organizations must enforce role-based access and terminate system access within one hour of employment ending. If the individual also worked with partner entities, those organizations must be notified within 24 hours.

Why it matters: Insider risk is a top breach vector. Integrating HR and IT workflows for automated access removal will be essential. Executives should prioritize modern identity and access management (IAM) solutions to meet this standard.

Bonus: New Technical Safeguards

Additional technical requirements include:

  • Vulnerability scans (semi-annual) and penetration tests (annual).
  • Network segmentation to prevent lateral movement in attacks.
  • Configuration management (e.g., patching, anti-malware, removing outdated software).

Why it matters: HHS is codifying cybersecurity hygiene. These controls reflect NIST-aligned best practices and will demand continuous security monitoring.

Preparing for the New Regulatory Landscape

These proposed changes mark the most comprehensive modernization of the HIPAA Security Rule since its inception. The intent is clear: align healthcare with modern cybersecurity realities.

Executive action items:

  1. Conduct a gap analysis against the proposed updates.
  2. Form a cross-functional task force across IT, legal, and clinical teams.
  3. Engage the board early to secure funding for necessary upgrades.
  4. Work with vendors to ensure they can meet new compliance expectations.
  5. Foster a security-first culture across all levels of the organization.

Forward-looking leaders will treat these changes not as burdens, but as opportunities to enhance resilience, patient trust, and operational continuity.

In today’s healthcare ecosystem, security is leadership — and HHS’s proposed HIPAA updates make that clearer than ever.

Dark Analytics delivers specialized cybersecurity solutions for healthcare. We partner with leading technologies to protect your medical data, ensuring compliance and security against evolving cyber threats.

info@darkanaltyics.com

Powered by Dark Analytics LLC