Understanding the Proposed HIPAA Security Rule Updates & Why You Should Take Action Now
Last year, the records of 82% of the United States population were exposed, stolen, or disclosed without permission, according to the HIPAA Journal. With AI making cyberattacks faster, increasingly sophisticated, and harder to spot, it’s no surprise that the U.S. Department of Health and Human Services (HHS) has proposed HIPAA Security Rule updates to strengthen cybersecurity protections for electronic protected health information (ePHI).
The proposed HIPAA Security Rule updates, announced on December 27, 2024, are designed to address modern threats in the healthcare sector. While the rules are not final yet, impacted organizations should start implementing these measures now to reduce the risk of data breaches and compliance issues. But these updates aren’t just about meeting regulations—they’re about creating a robust cybersecurity posture that protects patient data and minimizes organizational risk. Read on for our recap of some of the notable changes and advice on what to prioritize.
What Are the Proposed HIPAA Security Rule Updates?
The proposed HIPAA Security Rule updates include several significant changes that codify multiple cybersecurity best practices. Here is a recap of the key proposed updates:
- Mandatory Vulnerability Scans & Penetration Testing: Organizations will need to conduct vulnerability scans at least every six months and penetration testing annually. This ensures that vulnerabilities are identified and addressed proactively, reducing the likelihood of exploitation by attackers. Check out our Penetration Testing Best Practices Tip Sheet for guidance.
- Encryption of ePHI at Rest and in Transit: Encryption will be required for ePHI both at rest and in transit, with limited exceptions. This measure provides an added layer of security, making it more difficult for unauthorized parties to access sensitive data. If you need more information on this issue, watch our video, “How Encryption in Transit and End-to-End Encryption Work.”
- Mandatory Multi-Factor Authentication (MFA): MFA will become a requirement for accessing systems containing ePHI. This is a critical step in preventing unauthorized access, even if credentials are compromised.
- Stronger Risk Assessments & Asset Inventories: Organizations must create a detailed asset inventory and network map, updated at least annually, and conduct a thorough risk analysis that identifies threats and vulnerabilities, estimates the likelihood of exploitation, and gives a clear understanding of potential risks. A cybersecurity risk assessment should be prioritized so that vulnerabilities are identified and remediation efforts are properly planned.
- Incident Response & Contingency Planning: Preparedness is key to minimizing the impact of a cybersecurity incident. Organizations will need to develop written incident response plans, test them regularly, and ensure they can restore critical systems within 72 hours in case of an incident. Testing and revising these plans regularly ensures that they remain effective and actionable during emergencies.
- Business Associate Oversight: Business associates must verify their compliance with the technical safeguards annually through audits and certifications, creating accountability across the supply chain and ensuring that every entity handling ePHI adheres to the required security standards.
Creating a Plan and Prioritizing Cybersecurity Updates
Once the proposed HIPAA Security Rule updates go into effect, you will need to bring your organization into compliance (if it’s not already). Since all of these updates are practical cybersecurity best practices, we recommend starting now to reduce your risk and avoid tight timelines. You should start with any areas that your current cybersecurity plan does not address. If you need to address multiple areas, contact our team and they can help you prioritize the work.
- Risk Assessment: If you have never had a risk assessment, this can be a good place to start. “A risk assessment helps your IT and executive teams understand the level of risk and prioritize steps to reduce that risk,” stated Madison Iler, interim CEO of LMG Security. “Our experts work with you to identify potential threats, assess existing security controls and vulnerabilities, and evaluate the likelihood and potential impact of an exploit to assign risk ratings. These ratings can then be used to prioritize your risks in light of today’s top cybersecurity threats. This helps take the guesswork out of what to do next in your pursuit of continuous risk reduction.” We also suggest reading Madison’s blog on how to get the maximum value from your risk assessment.
- Vulnerability Scans & Penetration Testing: Regular scans and penetration testing help identify vulnerabilities before attackers exploit them. “Expert penetration testers are trained to think like attackers,” Tom Pohl, LMG Security’s penetration testing manager and principal consultant, shared. “They string together security gaps and escalate privileges in a way automated testing can’t replicate.” Our LMG Security team suggests taking the HIPAA requirement for vulnerability scanning one step further and implementing continuous vulnerability scanning as part of a continuous attack surface monitoring solution, as well as regular, comprehensive penetration testing that includes cloud and web apps/APIs. We further recommend focused pen testing after notable updates to your environment.
For a real-world example of why penetration testing is so important, read our blog on how a hacker can breach your organization in a weekend and our tip sheet on Penetration Testing Best Practices. We also recommend reading our blog on why continuous attack surface monitoring is crucial.
- Encryption Requirements: Encrypting ePHI ensures that even if data is intercepted or your network is compromised, it remains unreadable to unauthorized users. Organizations should evaluate their existing encryption protocols and make upgrades as necessary. Please check out our Data Encryption Best Practices blog for advice.
- Incident Response & Recovery: Preparedness is key to minimizing the impact of a cybersecurity incident. In fact, IBM found that having an updated incident response plan and a properly trained IR team can save your organization $2.6 million in data breach costs. The proposed HIPAA Security Rule update emphasizes contingency planning to ensure organizations can recover quickly and maintain operations during an incident. If you don’t have an IR plan or if you have not updated your plan in the past year, it’s time. Read our blog on IR plan development.
In addition to an IR plan, our LMG Security team also highly recommends training your IR team (it was one of our top four featured cybersecurity controls last year) on how to identify and minimize the damage from a breach, as well as running tabletop exercises to test for gaps in your IR plan. We share tips and some of our favorite tabletop scenarios in our evergreen and 2024’s most popular tabletop exercises blogs.
- Asset Inventory: Maintaining an up-to-date inventory of assets helps to provide a clear view of your organization’s vulnerabilities. If you don’t know what you have, how can you protect it? For example, when zero-day vulnerabilities are announced, you can quickly check your asset inventory to see if your organization is impacted. Watch our Asset Inventory video for a quick overview.
Take Action Now
Don’t wait for the proposed HIPAA Security Rule updates to become final. Start chipping away at these requirements now to reduce your risk of a breach and to ensure compliance. By acting now, you’ll not only protect your organization from data breaches, hefty fines, reputational damage, and operational disruptions that impact patient care and/or business continuity, but you’ll also set yourself up for success when the new regulations take effect.
If you need help implementing any of these updates, please contact us. Our expert team provides technical testing, compliance and policy consulting, training, and more.