Positive Change on the Horizon: HIPAA Security Updates for Healthcare Cybersecurity

Dorina Hamzo • February 3, 2025

In December 2024, the U.S. Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule, aiming to strengthen cybersecurity in the healthcare sector.

With 67% of healthcare organizations targeted by ransomware in 2024, the updates are a necessary response to growing cyber threats. The median ransom paid was $1.5 million, excluding investigation and recovery costs, highlighting the critical need for stronger security measures(1).



The proposed changes align with best practices from frameworks like NIST, PCI, HITRUST, and SOC2. The key difference is that, under the new rule, HIPAA compliance will become mandatory for healthcare organizations. 

Key changes include:

  • Annual Asset and Network Inventory: Healthcare organizations must maintain inventories related to ePHI data movement.
  • Comprehensive Risk Analysis: More detailed risk analysis to identify vulnerabilities in electronic systems.
  • Contingency Planning: Documenting procedures to restore lost ePHI within 72 hours of an incident.
  • Mandatory Encryption: Encryption of ePHI both at rest and in transit.
  • Annual Compliance Audits: Regular audits to ensure security measures are in place.
  • Multi-factor Authentication (MFA): A requirement for systems handling ePHI.
  • Vulnerability Scanning & Penetration Testing: Scanning every six months and penetration testing annually.

Your Voice Matters

Healthcare organizations have 60 days to provide feedback before these changes are finalized. This is your opportunity to help shape the future of healthcare cybersecurity.



For more information and to submit feedback, visit HHSHIPAA Security Rule NPRM.

Need Help Adopting These Changes?

At AdviseUp, we’re here to guide you through the process of implementing these updates. Contact us today to learn how we can help your organization stay compliant and secure.

Request a consultation

Resources

AI robot standing beside a small dog in a cage labeled wolf.

AI Is Great But Stupid [Part 2]: Where AI Goes Wrong

By Allyson Edwards (Senior Consultant) June 16, 2026
Explore common AI failures like hallucinations, hidden bias, and missing context. Learn how audit and compliance teams can govern risks and build AI controls.
Tia Persky

What Studying Abroad Taught Me About the Business Leader I Want to Be

By Tia Persky June 9, 2026
Explore how international travel to Portugal, Ireland, and Morocco taught one future leader that authentic human connection is the foundation of good business.
Skyscrapers view from a low angle.

From Scratch to SOX-Compliant in 6 Months: An Executive Guide

By Kristel Jose (Guest Writer) May 29, 2026
Master SOX compliance in 6 months. Discover the five pillars to transition from zero documented internal controls to 100% audit readiness without runaway fees.
More posts