The Health Insurance Portability and Accountability Act (HIPAA) may have significant changes ahead of it. Despite being the medical industry’s primary data privacy regulation, the act has historically left many of its cybersecurity requirements open to interpretation. A recent notice of proposed rulemaking could change that, and it may impact the sector for the better.
Understanding the Proposed HIPAA Security Rule Update
The Department of Health and Human Services (HHS) proposed a HIPAA Security Rule update on December 27, 2024. This rule has remained unchanged since 2013, so the proposal aims to catch regulations up to a decade’s worth of shifts in cybercrime and health care data management.
As is to be expected of the first update in over 10 years, the document is lengthy, spanning nearly 125 pages. In general, though, the revised regulations add specificity to the Security Rule’s standards and definitions, clarify compliance requirements and hold covered entities to a higher cybersecurity standard.
Most notably, the update would require protections like encryption, multifactor authentication (MFA), network segmentation and antimalware software. Similarly, it mandates annual penetration testing, awareness training and compliance audits. Such measures are common in newer government regulations like the Cybersecurity Maturity Model Certification (CMMC) but haven’t been strictly mandatory under HIPAA.
Other new requirements include:
- Regularly updated asset inventories and data maps
- Formal incident response plans
- Controls and notifications for ending a former employee’s access permissions
- Notifications when an entity enacts its contingency plans
- Considerations for third-party risks
Why HIPAA Needs Updated Cybersecurity Regulations
The extensive proposed update to the HIPAA Security Rule is an important shift. In many ways, the regulation is overdue for a change due to several key trends since its last revision.
Rising Cybercrime in Health Care
The most apparent reason HIPAA needs a cybersecurity update is that cybercrime has skyrocketed. In the 10 years since regulators implemented the last Security Rule version, the health care sector has become a favorite target of cybercriminals.
In 2023, health care data breaches averaged $10.92 million in losses per incident, more than any other industry. Those costs do not tell the whole story, either. Hacking, ransomware and other security events can disrupt critical patient services, leaving people without access to the care they need.
Before this proposed update, HIPAA’s Security Rule did not reflect appropriate urgency relative to such attack trends. As cybercriminals’ techniques advance and target hospitals with rising frequency, tighter cybersecurity controls are essential.
Lack of Specificity in Current Rules
HIPAA also needs additional clarity within its Security Rule. The current revision leaves too much to interpretation to be a reliable standard in today’s cybersecurity environment.
As it stands today, HIPAA does not explicitly require encryption of protected health information. While it says covered entities must maintain “reasonable safeguards” to keep patient information confidential, it does not specify what those safeguards are. Many other parts of the Security Rule are similarly vague, which leaves too much room for inadequate protections.
While a court would likely find a failure to implement encryption to be a breach of the Security Rule, the regulation should be more specific up front. The explicit standards in the proposed update would clarify expectations before covered entities experience a breach. The requirements could then protect patient data before an event, not only in post-breach litigation.
Outdated Regulations
Similarly, the existing version of the HIPAA Security Rule needs modernization. Cybercrime methods and technologies have advanced considerably over the past decade. As such, regulations need to address the threats and appropriate protections that are now prominent.
The proposed mandates for MFA, network segmentation and penetration testing are prime examples. All are standard defenses today — just 17% of security leaders in 2024 said they never pen test — but HIPAA does not yet require any of them. Consequently, medical organizations could technically be HIPAA-compliant but fall far below acceptable modern cybersecurity standards.
Requiring covered entities to implement newer defense strategies will help keep the industry up with changing cybersecurity trends. Cybercrime shifts quickly, so relevant regulations should likewise be adaptable.
Remaining Challenges to the Updated Rule
As important as an updated HIPAA Security Rule is, the proposal faces a few challenges. The medical sector and its regulators must consider these obstacles as they seek to modernize cybersecurity standards.
Implementation Costs
One significant barrier to the proposed update is how much it would cost to implement. Because the new rules cover much more and are far more specific, complying with them likely means investing in many technologies covered entities have not yet adopted. Such a transition could be prohibitively expensive in some cases.
Small and medium-sized enterprises would find compliance the hardest. However, they may also need the additional protections the most, as attacks against them have risen by 150% in recent years. This situation leaves regulators in the difficult position of balancing appropriate security measures with keeping such protection accessible.
Administrative Roadblocks
The proposed update may also encounter resistance from lawmakers before it can go into effect. President Trump has already temporarily halted all rulemaking processes and has expressed interest in rolling back many of the government’s stricter regulations. It’s unclear if such a change would come to HIPAA, but the possibility may call the future of the proposal into question.
Executive administration aside, the update will likely go through at least one round of revisions before taking effect. Covered entities should not act before regulators establish a final rule, so attention to the ongoing revision process is necessary.
It’s Time for HIPAA to Evolve
While several roadblocks remain, the HIPAA Security Rule needs updating. The proposed changes — or a shift like them — are a necessary step forward to ensure regulations reflect the current threat environment.
Regardless of what happens on a regulatory level, health care businesses should consider how their security posture may need to evolve. Cybercrime is growing and transforming, so cybersecurity must do the same.
By Zac Amos, ReHack