A Wake-Up Call for Healthcare Organizations
- The HIPAA Security Rule is undergoing necessary updates to reflect modern cybersecurity challenges.
- Mandatory security measures, including multi-factor authentication and Zero Trust, will replace previously addressable requirements.
- Continuous compliance, vendor risk management, and real-time monitoring are essential for data protection.
- Implementing these best practices can positively impact cyber insurance coverage.
- Healthcare organizations must act now to prepare for these changes and strengthen their security posture.
The proposed changes to the HIPAA Security Rule were published in the Federal Register on January 6, 2025; comments are due by March 7, 2025. It may take a year before a final rule is published and enforced.
Until then, the proposed rule signals a shift in regulatory expectations. “There is corporate value for healthcare organizations, especially those that are HIPAA-regulated, to incorporate cybersecurity best practices into their processes now,” said David Ginsberg, President of PrivaPlan Associates. “Let’s listen to the recommendations. This is a wake-up call. If it’s not enforced today, it will be soon.”
Read our recent article: Strengthening ePHI Security: Insights on the Latest HIPAA Rulemaking
Experts Discuss the Proposed Changes
In our recent webinar, Ginsberg and Jay Lamb, CEO and founder of CorePLUS Technologies, provided valuable insights into the proposed changes to the HIPAA Security Rule and the implications for healthcare organizations. With technology evolving rapidly and cybersecurity threats becoming more sophisticated, these updates aim to enhance compliance, data protection, and overall security in the healthcare sector.
Key Takeaways From the Webinar
The Need for Updated HIPAA Security Regulations
“We’ve been long overdue for a regulatory framework update,” Ginsberg said, emphasizing that the HIPAA Security Rule, originally published in 2005, has remained largely unchanged despite the vast technological advancements over the past two decades. With data now residing outside traditional office walls and in the cloud, updating security measures is crucial to protect sensitive healthcare information.
Strengthening Data Protection Requirements
One of the major proposed changes is making security measures, previously considered addressable, mandatory. Lamb explained, “The proposed changes remove the gray area and require accountability at the C-Suite and board level.” This includes implementing multi-factor authentication, continuous monitoring, and strict verification processes under the Zero Trust methodology.
The Importance of Continuous Compliance and Monitoring
Continuous compliance is a key theme in the proposed updates. “It’s not just a once-a-year check-the-box exercise; compliance is an ever-moving target,” Ginsberg noted. Organizations must constantly update asset inventories, monitor network activity, and assess vendor security to prevent breaches and data leaks.
Vendor Risk Management and Third-Party Compliance
Many healthcare organizations rely on third-party vendors for data storage and management, so ensuring these vendors meet the same security standards is critical. “We must assure that data stored with third parties aligns with our security charter,” Lamb stressed. Under the updated regulations, reviewing business associate agreements and continuously monitoring third-party compliance will be essential.
Impact on Cyber Insurance
The proposed security measures could also affect cyber insurance policies. Many insurers now require organizations to implement best practices like multi-factor authentication and Zero Trust before providing coverage. Adopting these measures strengthens security and ensures better policy terms and lower premiums.
Addressing Challenges for Small to Mid-Size Practices
Smaller healthcare organizations often struggle with interpreting addressable requirements, leading to security gaps. “Many believed ‘addressable’ meant optional,” Ginsberg explained. “Many of the breaches and security incidents that we can look at in the last decade alone are in these areas that have been considered addressable rather than just being required. Making it required is just another fundamental change to improve overall compliance and protect all our data.”
The proposed changes clarify these requirements, ensuring that all healthcare entities meet fundamental security standards regardless of size.
Zero Trust: A New Security Standard
The Zero Trust methodology is a core component of the new framework. “Zero trust means that if someone walks into this office with a laptop, they cannot just connect to a secure network without their device being onboarded, hardened, or protected,” Lamb stated. “We do not trust network traffic unless it is known.” This approach requires strict authentication and verification for all users and devices, preventing unauthorized access and reducing vulnerabilities.
Stay Current
As the landscape of healthcare data security evolves, organizations must proactively adapt to ensure compliance and protect patient information. Join our email list to stay up to date.