Positive Change on the Horizon: HIPAA Security Updates for Healthcare Cybersecurity

Dorina Hamzo • February 3, 2025

In December 2024, the U.S. Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule, aiming to strengthen cybersecurity in the healthcare sector.

With 67% of healthcare organizations targeted by ransomware in 2024, the updates are a necessary response to growing cyber threats. The median ransom paid was $1.5 million, excluding investigation and recovery costs, highlighting the critical need for stronger security measures(1).



The proposed changes align with best practices from frameworks like NIST, PCI, HITRUST, and SOC2. The key difference is that, under the new rule, HIPAA compliance will become mandatory for healthcare organizations. 

Key changes include:

  • Annual Asset and Network Inventory: Healthcare organizations must maintain inventories related to ePHI data movement.
  • Comprehensive Risk Analysis: More detailed risk analysis to identify vulnerabilities in electronic systems.
  • Contingency Planning: Documenting procedures to restore lost ePHI within 72 hours of an incident.
  • Mandatory Encryption: Encryption of ePHI both at rest and in transit.
  • Annual Compliance Audits: Regular audits to ensure security measures are in place.
  • Multi-factor Authentication (MFA): A requirement for systems handling ePHI.
  • Vulnerability Scanning & Penetration Testing: Scanning every six months and penetration testing annually.

Your Voice Matters

Healthcare organizations have 60 days to provide feedback before these changes are finalized. This is your opportunity to help shape the future of healthcare cybersecurity.



For more information and to submit feedback, visit HHSHIPAA Security Rule NPRM.

Need Help Adopting These Changes?

At AdviseUp, we’re here to guide you through the process of implementing these updates. Contact us today to learn how we can help your organization stay compliant and secure.

Request a consultation

Resources

Internal auditor analyzing financial reports for an outsourcing vs. co-sourcing comparison.

Understanding Internal Audit Outsourcing vs. Co-sourcing

By Dorina Hamzo April 8, 2026
Understand the key differences between outsourcing & co-sourcing for internal audits. Choose the right model for better compliance & risk management.
Gavel and documents for Georgia's $25M parity penalty.

Georgia’s $25 Million Parity Penalty: A New Era of Accountability for Payers?

By Allyson Edwards (guest writer) February 20, 2026
Georgia's $25M fine highlights new audits for mental health parity. Ensure compliance with Advise Up Consulting's expert services.
Laptop with split screen: left shows academic thesis in library; right shows business data charts.

Your Major Could Make You a Great Auditor — Here’s How.

By Dorina Hamzo December 11, 2025
Think audit is just for accountants? Think again. From English to PoliSci, find out how your non-traditional major builds the critical skills modern firms need.
More posts