Positive Change on the Horizon: HIPAA Security Updates for Healthcare Cybersecurity

Dorina Hamzo • February 3, 2025

In December 2024, the U.S. Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule, aiming to strengthen cybersecurity in the healthcare sector.

With 67% of healthcare organizations targeted by ransomware in 2024, the updates are a necessary response to growing cyber threats. The median ransom paid was $1.5 million, excluding investigation and recovery costs, highlighting the critical need for stronger security measures(1).


The proposed changes align with best practices from frameworks like NIST, PCI, HITRUST, and SOC2. The key difference is that, under the new rule, HIPAA compliance will become mandatory for healthcare organizations. 

Key changes include:

  • Annual Asset and Network Inventory: Healthcare organizations must maintain inventories related to ePHI data movement.
  • Comprehensive Risk Analysis: More detailed risk analysis to identify vulnerabilities in electronic systems.
  • Contingency Planning: Documenting procedures to restore lost ePHI within 72 hours of an incident.
  • Mandatory Encryption: Encryption of ePHI both at rest and in transit.
  • Annual Compliance Audits: Regular audits to ensure security measures are in place.
  • Multi-factor Authentication (MFA): A requirement for systems handling ePHI.
  • Vulnerability Scanning & Penetration Testing: Scanning every six months and penetration testing annually.

Your Voice Matters

Healthcare organizations have 60 days to provide feedback before these changes are finalized. This is your opportunity to help shape the future of healthcare cybersecurity.


For more information and to submit feedback, visit HHS HIPAA Security Rule NPRM.

Need Help Adopting These Changes?

At AdviseUp, we’re here to guide you through the process of implementing these updates. Contact us today to learn how we can help your organization stay compliant and secure.

REQUEST A CONSULTATION

Resources

Auditing Under Pressure: Strategies for Risk Management in a Volatile World

By Dorina Hamzo March 3, 2025
In 2025, organizations face growing risks like cyberattacks and supply chain disruptions. Auditors are critical in identifying risks and ensuring accountability but face pressure to meet deadlines. This blog outlines key strategies for auditors, including writing clear findings, creating effective remediation plans, and building continuous monitoring programs to improve risk management and help organizations thrive in a volatile world.

How to Choose the Right GRC Tool for Your Organization: A Comprehensive Guide

By Andrea St. Pierre December 23, 2024
Choosing the right Governance, Risk, and Compliance (GRC) tool can transform your organization's risk management and compliance efforts. In this guide, we walk you through the key steps to select, implement, and measure the success of your GRC solution—while avoiding common pitfalls. Learn how AdviseUp can help you design and implement a customized GRC strategy tailored to your needs.

Turning Today's Security Trends Into Strategies for Tomorrow

By Dorina Hamzo October 14, 2024
In the face of rising data breaches and evolving regulations, organizations must enhance their cybersecurity strategies. This blog explores key insights from a recent webinar, emphasizing the importance of year-round security practices, effective AI governance, and cultivating a strong culture of compliance. Discover how a second set of eyes can ensure that today’s security measures remain effective for tomorrow’s challenges, along with practical strategies to navigate the complex cybersecurity landscape.
More Posts