A Major Overhaul in Healthcare Cybersecurity
The healthcare industry is on the brink of a significant cybersecurity shake-up with the latest proposed HIPAA Security Rule amendments released in early January 2025. These changes, aimed at modernizing security practices, will bring stricter enforcement, new technical requirements, and reduced flexibility for covered entities and business associates.
If finalized, these rules will reshape how healthcare organizations protect electronic Protected Health Information (ePHI), implement cybersecurity controls, and respond to cyber threats.
Here’s an executive breakdown of the most critical updates:
The 10 Most Important Proposed Changes
1. Mandatory Multi-Factor Authentication (MFA)
Cybersecurity threats targeting credential-based access have skyrocketed. In response, the new rules will require all remote access to ePHI systems to be protected by MFA. This means healthcare entities will need to implement:
- Two-factor authentication (2FA) for remote workforce members.
- Stronger identity verification for technology assets interacting with ePHI.
- Automated logging and alerts for failed authentication attempts.
2. Encryption Becomes Non-Negotiable
Historically, HIPAA treated encryption as “addressable,” allowing organizations to justify alternative measures. That loophole is now closing. The new rule mandates:
- End-to-end encryption for ePHI, both in transit and at rest.
- Annual key rotation for encryption management.
- Strict encryption enforcement on mobile and cloud-based systems.
3. Patch Management Deadlines Tighten
To prevent widespread vulnerabilities like Log4j and MOVEit, the proposed changes introduce strict patching deadlines:
- Critical vulnerabilities must be patched within 15 days.
- High-risk vulnerabilities must be patched within 30 days.
- Organizations must maintain a formal, written patch management policy.
4. Risk Assessments Must Be Annual (No More “As Needed” Reviews)
Under the new proposal, risk analyses and security assessments must be:
- Conducted at least once per year.
- Fully documented and stored for six years.
- Reviewed before any major system or process change.
This is a major shift from previous guidelines, where organizations could define their own assessment frequency.
5. Business Associates Face Stricter Compliance Requirements
Business associates (BAs) are a significant vector for data breaches. The new rule places stronger accountability on BAs, requiring them to:
- Submit security attestations annually.
- Report security incidents within 24 hours (previously 60 days).
- Ensure subcontractors comply with HIPAA safeguards.
6. Security Logs and Incident Response Must Be More Robust
The new rule strengthens audit controls and incident response expectations, including:
- Log reviews every 90 days to detect unauthorized access.
- Automated alerts for potential security breaches.
- Annual security tabletop exercises to test incident response plans.
7. Elimination of “Addressable” Controls — Everything Is Now Required
HIPAA previously allowed organizations to choose whether to implement or justify alternative measures for certain security controls. This is changing. The proposal:
- Removes the “addressable” designation for key security elements.
- Mandates universal compliance with access controls, encryption, and logging.
- Requires documentation explaining any deviations from compliance.
8. Compliance Timelines and Transition Periods
If adopted, the proposed rule will include:
- 6-month implementation period for covered entities.
- 12 months for business associates to update their agreements.
9. New and Emerging Technologies: AI, Quantum Computing, VR/AR
One of the most forward-looking aspects of the proposed changes is the recognition of new and emerging technologies in healthcare security. The rule seeks to establish a foundation for handling the cybersecurity risks associated with:
- Artificial Intelligence (AI): Organizations must evaluate AI-driven decision-making processes, ensuring transparency and security in automated workflows.
- Quantum Computing: Although not yet mainstream, the rise of quantum computing poses a potential risk to traditional encryption methods. Organizations should begin planning for post-quantum cryptography.
- Virtual and Augmented Reality (VR/AR): As VR/AR applications grow in healthcare (for medical training, remote surgeries, and patient treatments), security controls must be established to protect immersive patient data environments.
These technologies introduce new attack surfaces and require tailored security approaches that will evolve alongside the industry.
10. Supply Chain & Third-Party Risk
The proposed rule also strengthens vendor risk management by clarifying compliance obligations when delegating security responsibilities to business associates. Key highlights include:
- Regulated entities remain responsible for HIPAA compliance, even if they delegate security functions to a business associate.
- A new standard at 45 CFR 164.308(b)(3) explicitly allows business associates to serve as designated security officials.
- This change would potentially allow providers like Blackwell Security to be formally recognized as an organization’s Security Official, raising questions about liability and risk ownership in the future.
Organizations must carefully assess vendor partnerships and clearly delineate security responsibilities to avoid compliance gaps.
What This Means for Healthcare Organizations
These changes represent the most significant shift in enforcing the HIPAA Security Rule in nearly two decades. Organizations must prepare for the following:
✅ Higher security costs (MFA, encryption, monitoring tools).
✅ More frequent audits and documentation updates.
✅ Faster response times for patching vulnerabilities.
✅ Greater accountability for business associates.
✅ New strategies to address AI, Quantum Computing, and VR/AR risks.
While these proposed updates introduce stricter requirements, they also align HIPAA with modern cybersecurity best practices, helping organizations reduce breach risks and improve resilience.
What should healthcare security leaders start considering?
- Assess current gaps — Conduct an internal audit to identify where your organization falls short of these upcoming requirements.
- Strengthen authentication and encryption — Begin implementing MFA and encrypting all ePHI if not already in place.
- Revise business associate agreements — Ensure your BAs are aware of their new security obligations.
- Prepare for faster patch deployment — Develop a patch management playbook to meet the 15/30-day timelines.
- Enhance incident response — Establish automated threat detection and logging systems.
- Prepare for AI, quantum computing, and VR/AR security — Stay ahead by adopting emerging security strategies tailored to these technologies.
- Evaluate third-party risk management practices — Review vendor agreements and assess compliance readiness.
Final Thoughts
HIPAA’s new security rule changes are a direct response to rising cyber threats and healthcare data breaches. By understanding these potential requirements now, organizations can avoid compliance pitfalls and build a more assertive security posture in an increasingly hostile digital landscape. Even if the proposed rules aren’t adopted in their entirety, these proposed changes represent the baseline cyber hygiene that healthcare organizations should adopt.
Are You Ready?
Healthcare security leaders must act immediately to evaluate their risk posture and implement necessary safeguards before these changes become law. If you need help preparing, now is the time to start.
Stay tuned for further updates as these proposed regulations move closer to adoption!
Sources: https://public-inspection.federalregister.gov/2024-30983.pdf
Blackwell is cybersecurity made for healthcare.
Our comprehensive security platform and expert managed services provide the most complete protection for healthcare organizations. Leading providers across North America trust Blackwell to reduce cyber risk, stay compliant, and build trusted experiences across the care continuum.
© 2025 Blackwell Security | Privacy Policy | Sitemap