Positive Change on the Horizon: HIPAA Security Updates for Healthcare Cybersecurity

Dorina Hamzo • February 3, 2025

In December 2024, the U.S. Department of Health and Human Services (HHS) proposed significant updates to the HIPAA Security Rule, aiming to strengthen cybersecurity in the healthcare sector.

With 67% of healthcare organizations reporting a ransomware attack in 2024, the updates are a necessary response to growing cyber threats. The median ransom paid was $1.5 million, excluding investigation and recovery costs, which highlights the critical need for stronger security measures (1).



The proposed changes align with best practices from frameworks like NIST, PCI, HITRUST, and SOC 2. The key difference is that the new rule removes the current distinction between "required" and "addressable" implementation specifications: under the proposal, every implementation specification becomes mandatory for covered entities and business associates, with only specific, limited exceptions.

Key changes include:

  • Technology Asset Inventory and Network Map: Healthcare organizations must maintain a written inventory of technology assets and a network map showing how ePHI moves through their systems, reviewed and updated at least every 12 months and after material changes.
  • Comprehensive Risk Analysis: A more specific written risk analysis that draws on the asset inventory and network map, identifies reasonably anticipated threats and vulnerabilities to ePHI, and assesses their likelihood and impact.
  • Contingency Planning: Written procedures, and an analysis of which systems are critical, to restore the loss of critical electronic information systems and data within 72 hours of an incident.
  • Mandatory Encryption: Encryption of ePHI both at rest and in transit, with only limited exceptions.
  • Annual Compliance Audits: An audit at least once every 12 months to verify that the required security measures are in place.
  • Multi-factor Authentication (MFA): A requirement for systems handling ePHI, with limited exceptions.
  • Vulnerability Scanning & Penetration Testing: Vulnerability scanning at least every six months and penetration testing at least once every 12 months.

Your Voice Matters


Healthcare organizations have 60 days from the rule's publication in the Federal Register on January 6, 2025 to provide feedback before these changes are finalized; the comment period closes on March 7, 2025. This is your opportunity to help shape the future of healthcare cybersecurity.



For more information and to submit feedback, visit the HHS HIPAA Security Rule NPRM.

Need Help Adopting These Changes?


At AdviseUp, we’re here to guide you through the process of implementing these updates. Contact us today to learn how we can help your organization stay compliant and secure.

