Stronger Cybersecurity, Stricter Rules: What Healthcare Providers Need to Know About the Proposed Changes to the HIPAA Security Rule

Cyberattacks on healthcare organizations are rising, putting patient data at risk and increasing the urgency for stronger cybersecurity measures. In response, the U.S. Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) in January 2025 that would update the HIPAA Security Rule to address modern threats and strengthen protections for electronic protected health information (ePHI).

For medical practices and healthcare organizations, these changes could mean stricter cybersecurity requirements, new documentation standards, and mandatory security upgrades. Here’s what you need to know.

Key Cybersecurity Changes in the Proposed Rule

1. Mandatory Multifactor Authentication (MFA)

MFA requires users to prove their identity with two or more different kinds of factors (e.g., a password they know plus a one-time code generated on or sent to a phone they have). Today the Security Rule requires authentication but does not say how strong it must be, so MFA is widely recommended but not mandated. The proposed rule would require MFA for access to ePHI, with only limited, documented exceptions (for example, certain medical devices that cannot support it, backed by compensating controls).

Why It Matters:
MFA significantly reduces the risk of unauthorized access from stolen, reused, or weak passwords, one of the most common ways attackers get into healthcare systems. Not all second factors are equal, though: SMS codes can be intercepted through SIM swapping or phished in real time, while phishing-resistant methods such as FIDO2/WebAuthn security keys cannot be relayed to a fake login page. Where you have a choice, prefer the phishing-resistant option for privileged and remote access.

2. Stricter Data Encryption Requirements

The proposal would require that ePHI be encrypted both when stored (at rest) and when sent between systems (in transit). Today encryption is an "addressable" implementation specification, meaning an organization may decide, based on its risk analysis, that it is not reasonable and appropriate and document an alternative. The NPRM would remove the distinction between "required" and "addressable" specifications altogether, so encryption would become mandatory, with only narrow, documented exceptions (for example, where the individual requests an unencrypted transmission or a device cannot support it).

Why It Matters:
Unencrypted data is an easy target for cybercriminals, and modern ransomware groups steal patient records to extort a payment even if backups allow recovery. Encrypting ePHI means that stolen disks, backups, or intercepted network traffic are unreadable without the key. The caveat is that encryption at rest does not protect data from an attacker who has taken over a user account or a running application that legitimately decrypts it, and it protects nothing if the keys are stored next to the data; encryption works alongside MFA and access controls, not in place of them.

3. More Frequent and Detailed Risk Assessments

The proposed changes to the HIPAA Security Rule would set a minimum cadence for cybersecurity risk management: a written technology asset inventory and network map, updated at least every 12 months; a risk analysis reviewed at least every 12 months; vulnerability scanning at least every six months; and penetration testing at least every 12 months. These assessments must go beyond traditional checklists and include:

  • Identifying potential threats to electronic protected health information (ePHI).
  • Conducting vulnerability scans (at least every six months under the proposal) to detect known weaknesses in networks, software, and devices.
  • Performing penetration testing (at least every 12 months under the proposal) to simulate real attacks and confirm which weaknesses are actually exploitable and how far an attacker could get.
  • Assessing third-party security risks to ensure vendors and business associates follow proper cybersecurity practices.
  • Implementing and documenting corrective actions to address any identified vulnerabilities.

Why It Matters:

Cyber threats are constantly evolving, and attackers routinely exploit vulnerabilities that organizations never identified, often in forgotten or unmanaged systems, which is why the inventory comes first. Scans find known weaknesses at scale; penetration tests show which of them an attacker could chain together against your environment. By requiring both on a fixed schedule, the new rule aims to help healthcare organizations find and fix weaknesses before attackers take advantage of them.

4. Expanded Security Policies and Documentation

Organizations will be required to document all cybersecurity policies, procedures, and risk analyses in writing. This includes:

  • Incident response plans for cyberattacks, including written procedures for restoring critical electronic information systems and data within 72 hours of a loss.
  • Policies for securing remote access to patient data.
  • Plans for updating and patching IT systems, including deadlines for remediating critical- and high-risk vulnerabilities (the proposal names 15 and 30 calendar days, respectively).

Why It Matters:
Well-documented policies ensure that organizations follow consistent security practices and can quickly respond to threats or HIPAA compliance audits.

What This Means for Healthcare Providers

If these changes go into effect, medical practices and healthcare organizations will need to:

  • Implement MFA across all systems that store or transmit ePHI.
  • Ensure encryption is applied to all stored and transmitted ePHI.
  • Perform and document regular risk assessments with a focus on cybersecurity threats.
  • Update IT policies to reflect the new security requirements.

These updates will require time and resources, but they are critical for preventing costly data breaches, protecting patient information, and maintaining HIPAA compliance.

Next Steps for Healthcare Organizations

HHS is accepting public comments on the proposed rule through March 7, 2025. Even after a final rule is published, regulated entities would have a compliance period before enforcement begins, but healthcare providers should start preparing now by:

  • Reviewing current cybersecurity policies and identifying gaps, particularly in areas like penetration testing and vulnerability scanning.
  • Running vulnerability scans on a regular schedule to find system weaknesses, and commissioning penetration tests to confirm which of those weaknesses an attacker could actually exploit.
  • Working with IT providers to implement stronger security measures, including multifactor authentication (MFA) and data encryption.
  • Training staff on new security protocols and best practices to ensure everyone is aligned with updated compliance standards.

Cyberattacks on healthcare organizations are not slowing down, and these proposed updates signal a shift toward more proactive cybersecurity measures in healthcare. By implementing regular penetration testing and vulnerability scans now, your organization can stay ahead of cyber threats, avoid compliance penalties, and, most importantly, protect patient data from evolving risks.

Get ahead of the game by scheduling a free Level 1 Penetration Test to evaluate your cybersecurity defenses. Don’t wait until the final rule is in place—protect your practice now. Contact us today at 434-446-1035 to schedule your free test.