
The HIPAA Security Rule Overhaul: What the Proposed Changes Mean for Healthcare Cybersecurity



As of mid-2025, it’s clearer than ever: HIPAA compliance is the foundation of healthcare cybersecurity, but it’s not the fortress. With ransomware surging, regulators tightening requirements, and the HIPAA Security Rule undergoing its most significant update in over a decade, healthcare leaders must recognize what compliance alone doesn’t cover.


Too often, leadership teams assume that “checking the HIPAA box” means they’re protected. The reality? That mindset overlooks blind spots that leave organizations — and patients — dangerously exposed.

HIPAA: Still the Foundation, but Not the Fortress


The HIPAA Security Rule established vital safeguards — administrative, physical, and technical — to protect electronic protected health information (ePHI). These include risk analysis, access controls, backups, and workforce training.


But here’s the catch: many of the Security Rule’s implementation specifications are “addressable” rather than “required.” Addressable does not mean optional: an organization must implement the specification, or document why it is not reasonable and appropriate in its environment and implement an equivalent alternative. In practice, though, that flexibility often results in inconsistent or incomplete protections, and “not reasonable for us” too easily becomes “not done.” Cyber threats evolve faster than static policies, meaning organizations that treat HIPAA as the finish line instead of the starting point are falling behind.


Leadership blind spot: Believing that compliance = protection. In reality, HIPAA was designed as a framework, not a defense strategy.

Where Things Stand in September 2025


A Major HIPAA Security Rule Overhaul Is Pending


On December 27, 2024, HHS announced a Notice of Proposed Rulemaking (NPRM), published in the Federal Register on January 6, 2025, the most comprehensive Security Rule update since the 2013 Omnibus Rule. The goal: strengthen cybersecurity protections for ePHI in light of escalating healthcare attacks and in alignment with the Biden-Harris Administration’s National Cybersecurity Strategy.


Key proposals include:

  • No more “addressable” vs. “required.” All safeguards would become required, with narrow exceptions.


  • Mandated controls. MFA, encryption of ePHI in transit and at rest, annual asset inventories, network maps, vulnerability scanning (every six months), and annual penetration testing.


  • Stronger incident response. Written response plans, testing and revision, 72-hour restoration requirements, and workforce reporting protocols.


  • Business associate accountability. Business associates must provide written certifications, at least every 12 months, that the required technical safeguards are in place, and must notify covered entities within 24 hours of activating contingency plans.


  • Continuous oversight. Annual compliance audits, 12-month reviews of security measures, and separate controls for backup and recovery.


  • Cultural shifts. Workforce access termination notifications within 24 hours, required documentation of all policies and procedures, and expanded definitions to reflect modern threats.


The public comment period closed on March 7, 2025, with over 4,600 responses now under review. While no final rule has been issued yet, experts expect publication in late 2025 or early 2026.


Enforcement Is Already Accelerating


Even before these changes go final, regulators are turning up the heat:


● OCR is demanding more robust Security Risk Analyses, not just check-the-box assessments.


● Patient right-to-access cases continue to drive settlements.


● OCR reports a 264% increase in large breaches involving ransomware since 2018, underscoring the urgency for stronger defenses.


Leadership blind spot: Waiting for the final rule. Enforcement is already happening — and attackers aren’t waiting either.

Why HIPAA Alone Is No Longer Enough


  • Reactive, not proactive. HIPAA ensures policies exist, but doesn’t guarantee they stand up against phishing, ransomware, or zero-day exploits.


  • Technical shortfalls. Controls like MFA, segmentation, and encryption are table stakes — not optional best practices.


  • Top-down pressure. Regulators, partners, and patients all expect resilience, not just compliance.


Leadership blind spot: Assuming compliance-driven IT teams can handle security without broader organizational involvement. Cybersecurity is a leadership issue — not just an IT one.

What Healthcare Leaders Should Do Now — Not Later




Don’t wait for the final rule. Organizations that act now will be ahead of both regulators and attackers. Leaders should:


  • Conduct a thorough security risk analysis. Identify vulnerabilities across systems, vendors, and processes.


  • Implement key security controls today. MFA, encryption, segmentation, and incident response should be deployed now.


  • Test readiness. Tabletop exercises and disaster recovery testing reveal gaps before attackers do.


  • Tighten vendor oversight. Business associates remain a weak link under increased scrutiny.


  • Invest in culture. Regular workforce training builds a security-first mindset, reducing human error — still the #1 cause of healthcare breaches.


Leadership blind spot: Assuming improvements can “wait until required.” The costs of waiting — operational disruption, fines, and loss of patient trust — far outweigh the cost of acting now.

Conclusion: From Compliance to Resilience


As of September 2025, HIPAA remains essential — but insufficient on its own. The proposed Security Rule overhaul signals rising compliance expectations, while real-world attacks highlight the urgency of moving beyond minimums.


Healthcare leaders who recognize and address these blind spots — treating HIPAA as a foundation, not a finish line — will build organizations that are not only compliant, but resilient, trusted, and prepared for the future.




