Navigating the New HIPAA Security Rule NPRM: Key Takeaways for Healthcare Cybersecurity

On January 6, 2025, the U.S. Department of Health and Human Services released a Notice of Proposed Rulemaking to update the HIPAA Security Rule. This proposal marks the first major revision to HIPAA’s cybersecurity requirements in over a decade. The new rule aims to improve protection for electronic protected health information by introducing a more structured and proactive approach to cybersecurity. With digital health records becoming central to patient care, and cyberattacks growing in scale and complexity, this NPRM represents a significant policy shift for the healthcare industry.

This regulatory proposal responds to the increasing use of cloud technologies, mobile health apps, and remote work infrastructure within the healthcare sector. It also acknowledges the rise in ransomware, phishing attacks, and data theft targeting hospitals, clinics, insurers, and their business associates. The changes outlined in the NPRM are not only technical updates but also a call for a fundamental shift in how healthcare organizations manage security.

Understanding these proposed updates is critical for healthcare providers, administrators, IT professionals, legal teams, and business associates. The NPRM introduces new requirements in areas such as risk assessment, data mapping, incident response, vendor oversight, authentication, encryption, access controls, and network testing. Each of these components is designed to address specific weaknesses that have been repeatedly exploited in real-world breaches.

This section explores the first part of the NPRM, focusing on asset inventory and data mapping, stronger security risk assessments, and new responsibilities for vendor oversight. These changes lay the foundation for broader improvements in healthcare cybersecurity and require organizations to take inventory of not only their systems but also their internal practices and partnerships.

Technical Inventory and Data Mapping

The first major change proposed in the NPRM is the requirement for healthcare organizations to maintain a complete and accurate inventory of all hardware, software, and data systems related to electronic protected health information. This requirement also includes maintaining clear documentation of how ePHI flows through an organization’s network.

A technical inventory includes all systems and tools that interact with ePHI. This includes servers, workstations, mobile devices, cloud storage services, software applications, and medical devices. Each of these components must be documented with details on ownership, version, location, function, and security configuration. Additionally, data flow documentation must illustrate how ePHI is collected, stored, transmitted, and accessed across departments, systems, and even vendors.

This inventory and mapping must be updated annually or after any significant change to the organization’s IT or security infrastructure. For example, if a healthcare provider begins using a new electronic health record system or implements a new telehealth platform, the inventory and data flow diagrams must be revised accordingly.

These new requirements aim to reduce the risk of data exposure by ensuring organizations have full visibility into where sensitive data lives and how it moves. Without this level of visibility, it is difficult to detect unauthorized access, prevent data leaks, or respond effectively to security incidents.

Data mapping is also essential in supporting access control and audit logging. Understanding the flow of data allows organizations to place appropriate boundaries and checkpoints to monitor and control access. It helps security teams identify where encryption is necessary, where user authentication needs to be strengthened, and where data may be unnecessarily exposed.

To comply with this provision, many healthcare organizations will need to invest in asset management tools and data discovery platforms. These tools can automate much of the tracking and help ensure the inventory remains current. Collaboration between departments—including IT, compliance, and operations—will be crucial for building and maintaining an accurate picture of the technical environment.

This change signals a shift toward proactive defense. By requiring full knowledge of technical assets and data flows, the NPRM encourages organizations to stop treating cybersecurity as a reactive issue and instead adopt it as a fundamental operational discipline.
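The inventory and data-flow requirement above is easiest to reason about with a concrete record structure and the consistency checks a reviewer would run over it. The following is an added example, not code from the article or from HHS: it assumes a minimal per-asset record (owner, location, function, version, encryption status, last review date) and a flow record (source, destination, channel, encryption in transit), and flags the gaps the text describes, namely entries not reviewed within a year, flows that reference assets missing from the inventory, and unencrypted storage or channels. The sample inventory is constructed.

```python
"""Added example (not from the article): a minimal ePHI asset inventory and
data-flow map, plus the consistency checks a reviewer would run on them.
Field names and sample data are assumptions, not NPRM text.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# The article states the inventory must be refreshed at least annually.
MAX_INVENTORY_AGE = timedelta(days=365)
AS_OF = date(2025, 6, 1)  # constructed review date


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str            # server, workstation, cloud service, medical device ...
    owner: str
    location: str
    function: str
    version: str
    encrypted_at_rest: bool
    last_reviewed: date


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    channel: str         # e.g. "https", "sftp", "hl7-tcp", "smtp"
    encrypted_in_transit: bool


# Constructed sample inventory (hypothetical asset ids).
ASSETS = {a.asset_id: a for a in [
    Asset("ehr-db-01", "server", "IT", "DC-A", "EHR database", "14.2", True, date(2025, 3, 1)),
    Asset("ehr-app-01", "server", "IT", "DC-A", "EHR application", "2025.1", True, date(2025, 3, 1)),
    Asset("billing-saas", "cloud service", "Finance", "vendor-hosted", "claims billing", "n/a", True, date(2023, 11, 15)),
    Asset("infusion-pump-17", "medical device", "Biomed", "ICU", "infusion pump", "3.0", False, date(2025, 2, 10)),
]}

# Constructed sample data flows; the last one points at a device nobody inventoried.
FLOWS = [
    Flow("ehr-app-01", "ehr-db-01", "postgres-tls", True),
    Flow("ehr-app-01", "billing-saas", "https", True),
    Flow("infusion-pump-17", "ehr-app-01", "hl7-tcp", False),
    Flow("ehr-app-01", "fax-gateway-02", "smtp", False),
]


def find_gaps(assets, flows, today):
    """Return sorted (finding, subject) pairs for the inventory and flow map."""
    gaps = set()
    for a in assets.values():
        if today - a.last_reviewed > MAX_INVENTORY_AGE:
            gaps.add(("stale-review", a.asset_id))
        if not a.encrypted_at_rest:
            gaps.add(("unencrypted-at-rest", a.asset_id))
    for f in flows:
        # Every endpoint of a documented flow must itself be an inventoried asset.
        for endpoint in (f.src, f.dst):
            if endpoint not in assets:
                gaps.add(("unknown-asset", endpoint))
        if not f.encrypted_in_transit:
            gaps.add(("unencrypted-in-transit", f"{f.src}->{f.dst}"))
    return sorted(gaps)


def sample_gaps():
    """Run the checks over the constructed sample as of AS_OF."""
    return find_gaps(ASSETS, FLOWS, AS_OF)


if __name__ == "__main__":
    for finding, subject in sample_gaps():
        print(f"{finding:24} {subject}")
```

The "unknown-asset" finding is the one that matters most in practice: a flow that terminates at something outside the inventory is exactly the blind spot the section warns about, and it usually surfaces an undocumented device or vendor connection rather than a typo.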

Stronger Security Risk Assessments

The NPRM elevates the requirements for risk assessments from general analysis to detailed, continuous risk evaluation and documentation. Previously, organizations were required to perform a risk assessment as part of their overall HIPAA compliance efforts. However, many assessments were superficial or inconsistent, failing to provide actionable insights into real security threats.

Under the new rule, organizations must conduct in-depth evaluations of their security environment, identify known and emerging threats, assess existing controls, and document both risks and the steps taken to mitigate them. These risk assessments must be comprehensive, include multiple input sources, and be reviewed regularly to ensure they reflect the evolving threat landscape.

The updated rule also requires organizations to track vulnerabilities over time. This includes documenting new risks, following up on previously identified issues, and ensuring that mitigation measures are effective. For instance, if a vulnerability scan identifies unpatched software or misconfigured firewalls, those issues must be recorded, addressed, and re-evaluated in future assessments.

A key aspect of this change is the requirement for detailed documentation. Organizations must maintain written records of their methodologies, findings, and mitigation actions. This ensures transparency and accountability and allows regulators to assess whether security programs are being taken seriously.

Risk assessments should also be tailored to the specific characteristics of the organization. A large hospital system will face different risks than a small outpatient clinic, and their assessments should reflect those differences. Factors such as patient volume, types of services offered, third-party integrations, and geographic location all influence an organization’s risk profile.

To meet these new standards, organizations may need to enhance their internal security expertise or work with outside cybersecurity professionals. Risk assessments should now involve not just technical analysis, but also legal and operational reviews to ensure that controls align with the broader business model.

Ultimately, this requirement aims to embed cybersecurity as an ongoing strategic process. Instead of assessing risks once a year and filing the results away, organizations must treat risk management as a living process. This includes constant evaluation of technology changes, user behavior, new threats, and updated legal obligations. The end goal is not just to document risk but to systematically reduce it.

Increased Vendor Oversight and Accountability

Another central change in the NPRM involves the oversight of vendors and business associates. In today’s interconnected healthcare environment, third-party service providers often play a critical role in managing ePHI. These vendors may provide billing services, data hosting, telehealth platforms, or remote IT support. While they enable healthcare organizations to operate more efficiently, they also introduce additional security risks.

Historically, vendor management in the healthcare sector has relied heavily on contractual agreements and self-attestations. Business associate agreements typically include language requiring HIPAA compliance, but enforcement has been limited. Many healthcare organizations have lacked the resources or expertise to audit their vendors effectively.

The NPRM changes this by requiring vendors to provide verifiable evidence of their security practices. Specifically, vendors must undergo review by a qualified cybersecurity expert who can assess whether their controls are sufficient to protect ePHI. This includes evaluating encryption practices, access controls, patch management, and incident response capabilities.

The rule also requires vendors to notify the covered healthcare organization within 24 hours if they activate a contingency plan in response to a security incident. This notification must happen whether or not the incident results in a known breach. The purpose is to ensure that healthcare providers are immediately aware of potential disruptions or threats that could affect their own systems or patient data.

These changes reflect the fact that many of the largest healthcare data breaches in recent years have involved vendors. Hackers often target third parties because they may lack the robust defenses of larger health systems but still provide access to valuable data. By increasing oversight and requiring faster communication, the NPRM aims to prevent secondary breaches and improve situational awareness across the healthcare supply chain.

To comply with these new requirements, healthcare organizations will need to build or strengthen their vendor management programs. This includes identifying all vendors that handle ePHI, ensuring contracts are updated with the new NPRM language, and requiring documented security assessments as part of onboarding and ongoing evaluations.

Organizations may also need to revise their procurement policies. Instead of choosing vendors based solely on cost or convenience, they must now consider cybersecurity posture as a critical factor in selection and performance reviews. This may involve using third-party certifications, requiring SOC 2 reports, or commissioning custom security assessments for high-risk vendors.

The NPRM’s focus on vendor oversight reinforces a broader principle in modern cybersecurity: that security is only as strong as the weakest link. By holding vendors to higher standards and improving visibility into third-party risks, healthcare organizations can reduce the chances of an indirect breach and ensure that their entire network of partners is working together to safeguard patient data.

Mandatory Multi-Factor Authentication for ePHI Systems

One of the cornerstone provisions in the updated HIPAA Security Rule is the mandatory implementation of multi-factor authentication for any technology that accesses, stores, or transmits electronic protected health information. This requirement significantly strengthens access controls and represents a shift toward modern cybersecurity practices in healthcare.

Multi-factor authentication, often referred to as MFA, requires users to verify their identity using at least two different factors before they can access a system. The factors are drawn from three categories: something the user knows (like a password), something the user has (such as a smartphone or security token), and something the user is (such as a fingerprint or facial recognition). The purpose of MFA is to provide a stronger, layered defense mechanism in case one form of authentication is compromised.

The NPRM requires that MFA be used on all systems that handle ePHI, regardless of whether they are accessed on-premises or remotely. This includes electronic health record platforms, billing systems, cloud storage environments, patient portals, email systems that contain ePHI, and mobile health applications. MFA must also be enforced for third-party users such as contractors, consultants, and vendor technicians who access systems containing protected health information.

One of the more nuanced elements of this requirement involves exceptions. The NPRM acknowledges that some legacy systems and medical devices, especially those approved by the Food and Drug Administration before March 2023, may not support MFA. In such cases, covered entities must create a written transition plan detailing how and when they will either phase out the unsupported system or implement compensating controls. These compensating controls may include physical access restrictions, monitoring tools, or additional authentication layers outside the system itself.

The urgency of implementing MFA stems from the growing number of cyberattacks that exploit stolen or weak passwords. Passwords alone are no longer considered sufficient protection, especially in healthcare, where systems contain sensitive and valuable data that can be sold or ransomed. A single compromised account can lead to widespread breaches affecting thousands of patients and disrupting critical care services.

Implementing MFA effectively requires thoughtful planning and investment. Organizations must first assess which systems require authentication and identify current access methods. They then need to select appropriate MFA solutions that integrate with those systems. This could involve smartphone apps for one-time codes, biometric readers for clinical access, or hardware tokens for administrative users.

User training is also essential. Staff must understand how MFA works, why it is important, and what to do if they encounter problems with authentication. Helpdesk teams must be prepared to support users in real-time, especially during the rollout phase. Clear communication and internal documentation can reduce friction and increase user acceptance.

MFA implementation should also be audited periodically. Organizations should track when MFA was enabled on each system, which users are enrolled, and whether any exceptions are in place. These audits not only ensure compliance with the NPRM but also help detect potential gaps or misconfigurations that could be exploited.

Overall, the introduction of mandatory multi-factor authentication marks a significant advancement in access control. It is a practical, proven defense against unauthorized access and a necessary step toward aligning healthcare security with modern cybersecurity expectations across other regulated industries.
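The periodic MFA audit described above (which systems have MFA enabled, which users are enrolled, and which exceptions exist) can be expressed as a small check over a system list. This is an added example, not code from the article or HHS; the record layout, system names and the shape of the exception record (a reason, compensating controls, and a planned transition date) are assumptions modelled on the legacy-device exception the section describes. The sample data is constructed.

```python
"""Added example (not the article's code): an MFA coverage audit over a list of
ePHI-handling systems, including the legacy-device exception path (written
transition plan plus compensating controls). All names are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

AS_OF = date(2025, 6, 1)  # constructed audit date


@dataclass
class System:
    name: str
    handles_ephi: bool
    mfa_enforced: bool
    users: set                      # accounts with access to the system
    mfa_enrolled: set               # accounts enrolled in an MFA method
    exception: Optional[dict] = None  # {"reason", "compensating_controls", "transition_date"}


# Constructed sample systems.
SYSTEMS = [
    System("ehr", True, True, {"dr.lee", "nurse.kim", "tech.ono"}, {"dr.lee", "nurse.kim"}),
    System("billing", True, True, {"fin.ray"}, {"fin.ray"}),
    System("intranet-wiki", False, False, {"dr.lee", "fin.ray"}, set()),
    System("pacs-legacy", True, False, {"rad.sun"}, set(), exception={
        "reason": "vendor firmware has no MFA support",
        "compensating_controls": ["badge-restricted reading room", "session logging to SIEM"],
        "transition_date": date(2026, 6, 30),
    }),
    System("lab-analyzer", True, False, {"lab.ng"}, set(), exception={
        "reason": "device approved before MFA support existed",
        "compensating_controls": [],          # documented, but empty
        "transition_date": date(2024, 12, 31),  # already in the past
    }),
    System("fax-server", True, False, {"ops.fx"}, set()),   # no MFA and no exception record
]


def audit_mfa(systems, today):
    """Return (system, finding) pairs for every gap in MFA coverage."""
    findings = []
    for s in systems:
        if not s.handles_ephi:
            continue                       # out of scope for this requirement
        if s.mfa_enforced:
            # Enforcement is only real if every account with access is enrolled.
            for user in sorted(s.users - s.mfa_enrolled):
                findings.append((s.name, f"user-not-enrolled:{user}"))
            continue
        ex = s.exception
        if ex is None:
            findings.append((s.name, "no-mfa-no-exception"))
            continue
        if not ex.get("compensating_controls"):
            findings.append((s.name, "exception-without-compensating-controls"))
        transition = ex.get("transition_date")
        if transition is None:
            findings.append((s.name, "exception-without-transition-date"))
        elif transition < today:
            findings.append((s.name, "transition-date-passed"))
    return findings


def sample_findings():
    """Audit the constructed sample as of AS_OF."""
    return audit_mfa(SYSTEMS, AS_OF)


if __name__ == "__main__":
    for system, finding in sample_findings():
        print(f"{system:14} {finding}")
```

Two of the findings are easy to miss in a manual review: a system marked "MFA enforced" that still has un-enrolled accounts, and an exception whose transition date has quietly passed. Both are the kind of gap the section says audits should surface.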

Mandatory Encryption for ePHI at Rest and in Transit

Another significant update in the NPRM is the requirement that all electronic protected health information must be encrypted both at rest and in transit. This proposal transforms what was previously considered an “addressable” implementation into a mandatory requirement, eliminating ambiguity and reinforcing the importance of strong data protection practices.

Encryption is the process of converting readable data into an unreadable format using algorithms and cryptographic keys. Only users or systems with the correct decryption key can convert the data back into its original form. Encryption protects data from unauthorized access, particularly when devices are lost or stolen or when data is transmitted over insecure channels.

Under the updated rule, all ePHI stored on servers, desktop computers, laptops, tablets, smartphones, removable media, and cloud services must be encrypted. Likewise, all ePHI transmitted via email, file transfers, application interfaces, and network communications must also be encrypted using secure transport such as TLS or a VPN tunnel.

The NPRM includes very few exceptions to this requirement. One notable exception is patient consent. If a patient specifically requests that their data be transmitted in an unencrypted format, and they are informed of the associated risks, the organization may comply with that request. However, such instances must be documented and supported with clear communication that the patient accepts the risk.

Another possible exception involves systems or devices that cannot support encryption due to design limitations. In these cases, organizations must document why encryption is not feasible, what compensating controls are in place, and what steps are being taken to replace or upgrade the system. These situations are expected to be rare and temporary.

Encryption at rest ensures that even if a device is lost, stolen, or hacked, the data stored on it is not immediately readable. This reduces the risk of exposure during theft, system failures, or improper disposal of hardware. Encryption in transit, on the other hand, protects data as it moves between systems, preventing interception by unauthorized parties during communication sessions.

For healthcare organizations, meeting this requirement may involve upgrading hardware, reconfiguring software settings, or transitioning to cloud platforms that offer built-in encryption services. It may also mean revisiting third-party vendor contracts to ensure that data handled by business associates is encrypted in compliance with the rule.

Implementing encryption requires collaboration between IT, compliance, and legal teams. The encryption algorithms used must meet federal standards such as those set by the National Institute of Standards and Technology. Key management practices must be robust to ensure that encryption keys are protected, rotated, and revoked as needed.

Organizations must also maintain documentation of where encryption is applied, how it is configured, and who is responsible for its management. This documentation will be essential during audits and investigations. It will also serve as a foundation for future updates, especially as encryption technologies continue to evolve.

The inclusion of mandatory encryption in the HIPAA Security Rule is a reflection of its effectiveness. Encryption is one of the most reliable ways to safeguard data, and its widespread adoption across other industries makes it a natural fit for healthcare. While it may require upfront investment, the protection it offers far outweighs the potential costs of a breach.

Formalized Incident Response Planning and Testing

Another critical requirement introduced in the updated HIPAA Security Rule is the mandate for a formal incident response plan. This requirement compels healthcare organizations to create, document, and regularly test a detailed process for identifying, reporting, and responding to security incidents involving ePHI.

An incident response plan is a predefined, structured approach to managing security events. It typically includes protocols for identifying threats, containing damage, removing malicious actors, recovering affected systems, and notifying stakeholders. The NPRM requires that this plan be written, accessible to relevant personnel, and reviewed and tested at least once every 12 months.

The plan must clearly define the types of incidents it covers. These could include malware infections, phishing attempts, ransomware attacks, unauthorized access to data, insider misuse, and physical theft of devices. It must also define how incidents are classified based on severity, which helps teams prioritize their response.

The response process must include roles and responsibilities. Organizations must specify who is responsible for identifying incidents, escalating alerts, coordinating with legal and compliance departments, managing communications, and conducting post-incident reviews. This ensures that everyone knows what to do during an emergency and avoids confusion that can worsen the damage.

Timely communication is a central component of an effective incident response plan. The NPRM stresses the need for organizations to have clear processes for notifying internal stakeholders, law enforcement (if applicable), affected individuals, and regulators. The faster a breach is detected and disclosed, the sooner affected parties can take action to mitigate potential harm.

In addition to creating the plan, the NPRM requires organizations to test it annually. This could involve tabletop exercises, simulated phishing attacks, or full-scale penetration testing. These tests help teams identify gaps in the response process, such as communication breakdowns, insufficient documentation, or lack of access to necessary tools.

Documentation of both the plan and the testing process is required. Organizations must keep records of when the plan was created, who approved it, when it was last updated, and the results of recent tests. Any changes made as a result of testing must also be documented, showing that the organization is learning and improving its security posture over time.

Implementing an incident response plan involves collaboration across departments. IT, compliance, legal, communications, human resources, and executive leadership all play roles in incident response. Having a multi-disciplinary team ensures that incidents are managed holistically and that all aspects of the response—technical, legal, operational, and reputational—are addressed.

Organizations may also choose to work with external cybersecurity firms that specialize in incident response. These firms can assist with plan development, provide rapid response during an actual incident, and offer forensic services to determine how an attack occurred. Partnering with external experts may be especially valuable for smaller organizations that lack in-house expertise.

The goal of this provision is not just to improve the speed of response, but also the quality. A clear, tested response plan minimizes confusion, reduces recovery time, and prevents errors that could expose more data or worsen the incident. It also ensures that healthcare organizations meet regulatory requirements for breach notification and documentation.

The inclusion of formalized incident response planning in the NPRM highlights the increasing recognition that no system is completely immune to attacks. Even with strong defenses, breaches can and do occur. The ability to respond quickly, effectively, and in compliance with legal standards is critical to maintaining trust and continuity of care.

Disaster Recovery and Data Backups

The updated HIPAA Security Rule introduces clear and specific expectations for disaster recovery and data backup procedures within healthcare organizations. These requirements aim to ensure that patient data remains secure, accessible, and recoverable even during major cyber incidents, natural disasters, or system failures.

One of the central mandates in the NPRM is the creation of “exact” backup copies of all electronic protected health information. These backups must include all relevant data and must be stored in a secure format that allows for reliable recovery. The term “exact” emphasizes the need for full fidelity and integrity. This means no partial or outdated versions are acceptable when dealing with critical patient information.

The updated rule also requires organizations to restore critical systems and services within 72 hours of an event that disrupts normal operations. This requirement puts time-based pressure on organizations to build and maintain highly resilient recovery systems. Whether a ransomware attack locks down hospital systems or a server room is flooded due to a natural disaster, systems must be restored rapidly to avoid severe patient care disruptions.

Furthermore, the rule mandates that vendors who manage or store ePHI must notify the covered entity within 24 hours if they initiate a contingency plan due to a cyber event or other data disruption. This ensures transparency in the data handling chain and gives healthcare organizations early warning of issues that could affect their operations or patient safety.

Effective disaster recovery planning involves more than just creating backup copies. Organizations must implement and maintain a full disaster recovery plan that includes specific recovery procedures, assigned roles and responsibilities, designated recovery sites if needed, and clearly documented communication channels. This plan should also identify critical applications and systems and prioritize their recovery based on operational importance.

To meet these requirements, organizations may need to adopt robust backup technologies, such as cloud-based redundancy, real-time replication, and encrypted storage solutions. Regular backup schedules should be established, and backup systems must be tested periodically to verify that data can be restored accurately and quickly.

One of the common shortcomings in previous backup practices was the lack of verification and rehearsal. The NPRM implicitly addresses this by requiring fast recovery timelines and emphasizing operational continuity. Backups that have not been tested or validated often fail to perform when needed most, leaving organizations vulnerable in times of crisis.

Disaster recovery plans must be customized to the size, structure, and resources of the organization. A large hospital system with distributed data centers and complex services may need a tiered recovery process with backup sites and automated restoration tools. A smaller clinic may opt for cloud-based backup services that offer simplified management and rapid access.

Documentation plays a vital role in compliance. Organizations must keep records of their backup procedures, the technologies used, the location of stored data, the frequency of backups, and the results of periodic recovery tests. In addition, the disaster recovery plan itself must be a formal written document, subject to review and update at least annually or following any major change in infrastructure or technology.

Cyber incidents like ransomware attacks have proven the need for effective backup and disaster recovery systems. Organizations that rely solely on preventive controls are often left unprepared when those controls are breached. By requiring not just backups but also structured recovery planning and execution, the NPRM promotes resilience as a core security principle.

This focus on rapid recovery aligns healthcare cybersecurity with patient safety. When health systems go offline, even temporarily, the ability to diagnose, treat, and monitor patients is compromised. Recovery planning must therefore be viewed not only as a compliance obligation but as a clinical and operational imperative.

Mandatory Annual Compliance Audits

Another important update in the HIPAA Security Rule is the requirement for covered entities and business associates to conduct annual compliance audits. These audits are intended to ensure that organizations are actively monitoring their adherence to HIPAA security standards, identifying gaps, and taking corrective actions on a regular basis.

While periodic evaluations were part of the original HIPAA Security Rule, the NPRM formalizes the frequency and broadens the scope of these evaluations. Now, organizations must conduct a full audit of their security practices at least once every twelve months. This includes reviewing physical, administrative, and technical safeguards, as well as policies, procedures, and employee behavior related to the handling of ePHI.

The new rule does not specify whether audits must be conducted internally or by third-party assessors, leaving that decision to the discretion of each organization. However, it does emphasize that audits must be meaningful, objective, and supported by documentation. This means that self-assessments must be conducted with honesty and rigor, using measurable criteria and defined benchmarks.

Audits should cover key areas of compliance, including risk assessments, access controls, encryption practices, incident response readiness, data backups, vendor management, and employee training programs. Each of these areas must be evaluated not only for presence but for effectiveness. For example, it is not enough to have an access policy in place—it must be enforced consistently and verified through access logs and monitoring.

A successful audit also requires the participation of multiple departments. IT, compliance, legal, human resources, clinical operations, and executive leadership all have roles to play in ensuring that policies are being followed and that systems are operating securely. Cross-functional collaboration helps ensure that the audit reflects the reality of daily operations, not just the content of written policies.

Organizations must maintain thorough records of each audit. This includes the methodology used, the scope of the audit, the individuals or teams responsible, the findings or deficiencies identified, and the steps taken to remediate them. These records will be critical during investigations, external audits, or legal inquiries following a breach or complaint.

The NPRM’s emphasis on annual audits reflects a shift toward continuous improvement and accountability. In many organizations, security programs are set up once and left unchanged for years, even as the threat environment evolves. Annual audits force organizations to revisit their assumptions, update their controls, and prioritize improvements based on current risks.

Additionally, the audit requirement supports a culture of security awareness and responsibility. When employees and managers know that practices will be reviewed regularly, they are more likely to follow protocols, report concerns, and seek clarification when in doubt. This can lead to stronger internal communication and faster detection of risky behaviors.

Organizations should consider developing a standardized audit framework tailored to their size and operations. This framework can include predefined checklists, scoring systems, interview templates, and document review procedures. It may also be helpful to create a rotating schedule for deeper reviews of specific departments or systems each year.

Ultimately, annual compliance audits provide a structured way to measure progress, reduce vulnerabilities, and demonstrate a good-faith effort to meet regulatory obligations. While they require time and resources, they are a critical investment in long-term cybersecurity resilience and organizational trustworthiness.

Workforce Security and Access Management

The final area addressed in this part of the NPRM centers on workforce security and access management. This section introduces new standards for how organizations must control access to ePHI among employees, contractors, and affiliated staff. The proposed rules aim to prevent unauthorized access, minimize insider threats, and ensure that access privileges are aligned with job responsibilities.

Under the new rule, healthcare organizations must implement strict role-based access controls that limit access to ePHI only to individuals who require it to perform their duties. This principle, often referred to as the principle of least privilege, is fundamental to strong access management. Users should not have broad or unnecessary access to patient data, and access should be customized based on job role, department, and level of responsibility.

Organizations must have a process for reviewing and updating access rights regularly. This includes granting access when a user is hired or changes roles, and revoking access promptly when an employee leaves the organization. The NPRM requires that access be terminated within one hour of separation or role change, ensuring that former employees or transferred staff cannot linger with inappropriate system access.

Another new requirement is that if an employee had access to the systems of multiple healthcare organizations through a shared platform or joint agreement, all affiliated organizations must be notified of that individual’s departure within 24 hours. This provision helps ensure that access to shared systems is closed across the board, not just within the primary employer.

Effective access management also includes authentication protocols, periodic access reviews, and real-time monitoring. Organizations must be able to track who accessed what information, when, and from where. This logging capability supports both internal oversight and external investigations when a breach is suspected.

Managing workforce access requires coordination between IT and human resources. HR teams must notify IT promptly when an employee leaves or changes roles. Likewise, IT must act swiftly to adjust access rights and document those changes. Automated identity and access management (IAM) systems can streamline this process by integrating with HR databases and automating role-based changes.

Education is also key. Staff must be trained not only on the importance of protecting ePHI but also on the specific responsibilities associated with their access level. For example, a nurse accessing patient charts in an intensive care unit has a different risk profile than a billing administrator or IT technician. Security training should reflect those differences and include real-world examples to help users understand the consequences of inappropriate access.

Organizations should conduct periodic access audits to ensure that current privileges match the individual’s role. These audits help identify “access creep,” where users retain access to systems from previous roles, creating potential vulnerabilities. Any discrepancies must be corrected immediately, and patterns of improper access should be investigated.
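The reconciliation described in the last few paragraphs, as an added example that is not part of the original article or the NPRM text: an HR roster is compared against IAM account state to flag accounts not disabled within one hour of separation, affiliated organizations not notified within 24 hours, and entitlements that outlive a role change ("access creep"). The role-to-entitlement table, user names, and organization names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed role model: the entitlements each job role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "icu_nurse": {"ehr_charts", "med_admin"},
    "billing":   {"claims", "ehr_demographics"},
    "it_tech":   {"helpdesk", "ad_admin"},
}
ONE_HOUR, ONE_DAY = timedelta(hours=1), timedelta(hours=24)

def review_access(hr_roster, iam_accounts, affiliate_notices, now):
    """Reconcile HR status against IAM state; return (user, finding) tuples."""
    findings = []
    for emp in hr_roster:
        user, acct = emp["user"], iam_accounts[emp["user"]]
        extra = acct["entitlements"] - ROLE_ENTITLEMENTS.get(emp["role"], set())
        if emp["status"] == "separated":
            # Access must be terminated within one hour of separation.
            if acct["enabled"] and now > emp["event_time"] + ONE_HOUR:
                findings.append((user, "TERMINATION_OVERDUE"))
            # Every affiliated organization sharing a platform must be told within 24 h.
            notified = affiliate_notices.get(user, set())
            for org in emp["shared_with"]:
                if org not in notified and now > emp["event_time"] + ONE_DAY:
                    findings.append((user, f"AFFILIATE_NOT_NOTIFIED:{org}"))
        elif extra:
            # Rights outside the current role. With no role change on record this is
            # plain access creep; after a role change it is overdue once the hour passes.
            label = ",".join(sorted(extra))
            if emp["event_time"] is None:
                findings.append((user, f"ACCESS_CREEP:{label}"))
            elif now > emp["event_time"] + ONE_HOUR:
                findings.append((user, f"ROLE_CHANGE_OVERDUE:{label}"))
    return findings

# Constructed sample data: one clean user, one transferred user whose old
# entitlement lingers, one separated user on a shared platform, one just-separated user.
NOW = datetime(2025, 6, 2, 12, 0)
SAMPLE_HR = [
    {"user": "ajones", "status": "active", "role": "billing", "event_time": None, "shared_with": []},
    {"user": "bkim", "status": "active", "role": "billing", "event_time": NOW - timedelta(days=3), "shared_with": []},
    {"user": "clee", "status": "separated", "role": "it_tech", "event_time": NOW - timedelta(hours=30), "shared_with": ["Partner Clinic"]},
    {"user": "dmoe", "status": "separated", "role": "icu_nurse", "event_time": NOW - timedelta(minutes=30), "shared_with": []},
]
SAMPLE_IAM = {
    "ajones": {"enabled": True, "entitlements": {"claims", "ehr_demographics"}},
    "bkim": {"enabled": True, "entitlements": {"claims", "ehr_demographics", "med_admin"}},
    "clee": {"enabled": True, "entitlements": {"helpdesk", "ad_admin"}},
    "dmoe": {"enabled": True, "entitlements": {"ehr_charts", "med_admin"}},
}

def demo():
    return review_access(SAMPLE_HR, SAMPLE_IAM, {}, NOW)
```

Running `demo()` reports bkim's leftover `med_admin` right, clee's still-enabled account and the missing affiliate notice, and nothing for dmoe, whose separation is still inside the one-hour window.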

The workforce access provisions in the NPRM recognize that insider threats, whether intentional or accidental, are a significant risk. Many breaches occur due to internal mishandling of data, weak passwords, inappropriate data sharing, or failure to follow policies. By tightening access controls and creating mechanisms for fast response, the rule aims to reduce these risks while maintaining operational efficiency.

As healthcare organizations become more complex and interconnected, managing user access will only grow in importance. From remote workers and contract staff to rotating clinical teams, the need for dynamic, secure access systems has never been greater. The NPRM’s approach promotes a more accountable and transparent model, where access is seen as both a privilege and a responsibility.

Network Testing, Segmentation, and Configuration

One of the most technically focused elements of the NPRM centers on maintaining and securing the internal network infrastructure used to store and transmit electronic protected health information. This includes mandates for routine vulnerability scanning, periodic penetration testing, network segmentation, and the removal of outdated software that presents a cybersecurity risk.

Under the proposed rule, covered entities and business associates must conduct vulnerability scans of their networks every six months. These scans are automated processes that probe systems for weaknesses, such as misconfigured services, exposed ports, unpatched applications, and known software vulnerabilities. Run on a fixed schedule, they provide a regular and consistent method of identifying security issues before they can be exploited by attackers.

In addition to automated vulnerability scans, the NPRM requires penetration testing every twelve months. Unlike automated scans, penetration testing involves a human-led attempt to exploit system weaknesses in order to simulate a real-world cyberattack. These tests are designed to reveal not only technical flaws but also weaknesses in organizational practices, such as poor password hygiene, lack of monitoring, or improper firewall settings.

While these requirements may be routine in other high-security industries, their formal inclusion in HIPAA regulations signals an evolving standard in healthcare. Historically, many healthcare organizations have underinvested in these forms of proactive testing, leaving critical systems and data exposed. With this update, organizations must approach cybersecurity testing as a required element of compliance, not a discretionary enhancement.

Another key component introduced in this rule is the requirement to implement network segmentation. This involves dividing the organization’s network into smaller, isolated zones or segments so that, if an attacker breaches one part of the system, they cannot easily move laterally across the entire infrastructure. For example, the network used by administrative staff should not be directly connected to the network used by medical devices or patient monitoring systems.

Segmentation also allows for more granular access controls, monitoring, and containment. If a ransomware attack compromises one segment of the network, systems in other segments may remain protected, and recovery efforts can be localized rather than enterprise-wide. This architectural approach significantly reduces the blast radius of any given attack and helps security teams detect abnormal traffic more easily.

The NPRM also addresses the ongoing risk posed by outdated and unsupported software. Organizations would be required to identify and remove legacy software that introduces security vulnerabilities unless an approved mitigation plan is in place. Many healthcare organizations continue to run outdated applications or operating systems due to compatibility issues with medical devices or software dependencies. However, unsupported software can no longer be ignored under the new rule.

Healthcare entities must assess all applications and operating systems for currency and vendor support. If a system is found to be outdated, the organization must either retire it, replace it, or implement strict compensating controls. These controls may include isolating the system on a segmented network, applying firewall rules, or disabling internet access for that device. Documentation of the decision and controls must be maintained and updated regularly.

Meeting these requirements will likely require increased investment in both technology and personnel. Organizations must allocate resources to perform regular testing, hire or contract cybersecurity professionals, and update infrastructure where necessary. While some smaller organizations may find this challenging, the long-term benefit is a significantly reduced risk of data breaches and system downtime.

Ultimately, this section of the NPRM represents a major shift in how network security is prioritized and enforced in the healthcare sector. It moves away from the idea of passive defense and embraces the concept of active, continuous security validation and hardening. This shift is essential in an era where healthcare systems are targeted more aggressively than ever before.

Removing Outdated Software and Managing Legacy Systems

One of the often-overlooked contributors to healthcare cyber risk is the continued use of outdated or unsupported software systems. These legacy systems are often kept in place due to budget constraints, compatibility with medical equipment, or simple resistance to change. However, they present a serious risk, as they no longer receive security updates, patches, or technical support from vendors.

The NPRM directly addresses this issue by requiring covered entities and business associates to remove or isolate outdated software unless they can document a valid mitigation strategy. This is a significant policy shift because older guidance left the decision up to organizational discretion. Now, unless a system can be shown to be secure through compensating controls, it must be retired or replaced.

The new rule reflects the fact that outdated software has played a role in many of the largest healthcare data breaches in recent years. Systems running obsolete versions of operating systems, web servers, or databases have been repeatedly exploited through vulnerabilities that were never patched. Attackers often use automated tools to scan the internet for these known vulnerabilities, making outdated systems easy targets.

To comply with the new requirement, organizations must first perform a comprehensive software inventory. Every application, operating system, database, and middleware tool must be cataloged along with its version number and support status. This process is closely related to the technical inventory discussed earlier in the rule but focuses specifically on software security posture.

Once outdated systems are identified, organizations must develop action plans for addressing them. In some cases, this may involve upgrading to a newer version or migrating to a different platform. In other cases, if the software is tied to medical equipment or cannot be easily replaced, it must be isolated on a secure, segmented network with minimal access and strict monitoring.

The NPRM allows for temporary exceptions, but only if they are documented through a formal risk analysis and mitigation strategy. These strategies must include technical controls, physical access restrictions, usage policies, and a roadmap for eventual system retirement or upgrade. The longer an outdated system remains in use, the stronger and more specific the compensating controls must be.
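The inventory-and-exception workflow in the preceding paragraphs, as an added example that is not part of the original article or the NPRM: each cataloged system is classified as supported, mitigated (unsupported but covered by a complete, documented plan), or remove. The product names, end-of-support dates, and the one-year isolation threshold are constructed assumptions, not values from the rule.

```python
from datetime import date

# Elements a documented mitigation plan must carry, per the article's description.
REQUIRED_PLAN_FIELDS = ("technical_controls", "physical_access", "usage_policy", "retirement_date")
# Assumed local policy: a system unsupported for more than a year must sit on an isolated segment.
ISOLATION_AFTER_DAYS = 365

def classify_inventory(inventory, plans, today):
    """Return {system name: (status, reason)}; status is supported | mitigated | remove."""
    result = {}
    for item in inventory:
        name, end = item["name"], item["support_end"]   # support_end None = still supported
        if end is None or end > today:
            result[name] = ("supported", "vendor support current")
            continue
        plan = plans.get(name)
        if plan is None:
            result[name] = ("remove", "unsupported and no documented mitigation plan")
            continue
        missing = [f for f in REQUIRED_PLAN_FIELDS if not plan.get(f)]
        if missing:
            result[name] = ("remove", "mitigation plan incomplete: " + ", ".join(missing))
            continue
        days = (today - end).days
        if days > ISOLATION_AFTER_DAYS and not plan.get("isolated_segment"):
            result[name] = ("remove", f"unsupported {days} days; assumed policy requires isolated segment")
            continue
        result[name] = ("mitigated", f"unsupported {days} days; retire by {plan['retirement_date']}")
    return result

# Constructed inventory and plans (illustrative only).
TODAY = date(2025, 6, 2)
INVENTORY = [
    {"name": "EHR web portal", "support_end": None},
    {"name": "Infusion pump workstation OS", "support_end": date(2023, 1, 1)},
    {"name": "Lab middleware", "support_end": date(2024, 11, 1)},
    {"name": "Old imaging viewer", "support_end": date(2022, 6, 30)},
    {"name": "Pharmacy DB", "support_end": date(2024, 1, 15)},
]
PLANS = {
    "Infusion pump workstation OS": {"technical_controls": "segmented VLAN, no internet egress", "physical_access": "locked pump room",
                                     "usage_policy": "clinical use only", "retirement_date": date(2026, 3, 31), "isolated_segment": True},
    "Lab middleware": {"technical_controls": "host firewall", "usage_policy": "lab staff only", "retirement_date": date(2025, 12, 31)},
    "Pharmacy DB": {"technical_controls": "firewall rules", "physical_access": "server room badge", "usage_policy": "pharmacy only",
                    "retirement_date": date(2026, 6, 30), "isolated_segment": False},
}

def demo():
    return classify_inventory(INVENTORY, PLANS, TODAY)
```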

Organizations must also train staff on the risks associated with using outdated software. Clinical users and IT staff alike must understand that even if a system seems to function correctly, it may expose patient data to unnecessary risk if it is no longer supported. This awareness can lead to better decision-making and early detection of anomalies.

Vendor management also plays a role in this effort. Business associates and service providers must account for the support status of the software they use, especially if they host or process ePHI on behalf of a covered entity. Contracts should include language requiring software updates, prompt notification of security risks, and cooperation in retiring outdated systems.

The focus on outdated software is a critical step toward raising the security baseline across the healthcare industry. While transitions can be complex and costly, they are essential for protecting sensitive patient data and ensuring long-term regulatory compliance. In the digital age, standing still is equivalent to moving backward when it comes to cybersecurity.

Final Thoughts

The proposed updates to the HIPAA Security Rule mark a turning point in how healthcare organizations are expected to approach cybersecurity. The NPRM introduces new requirements that are not merely technical enhancements, but cultural and operational shifts in how security is managed. From rigorous risk assessments and vendor oversight to modern access controls and network protections, the rule sets a new standard of accountability.

Healthcare organizations must begin preparing for these changes now. While the rule is still in its proposed stage and may be refined before final adoption, its direction is clear: stronger controls, more documentation, and faster response capabilities are essential. Organizations that begin implementing these changes early will be better positioned to comply with final regulations and avoid penalties, data breaches, or service disruptions.

The first step is education and alignment. Executive leadership, IT security teams, compliance officers, and department heads must understand the scope and implications of the new rule. Leadership must be willing to invest in tools, training, and staffing to meet the requirements effectively. Without a top-down commitment to security, even the best technical measures can be undermined by gaps in process or accountability.

Next, organizations must assess their current posture in relation to each of the proposed requirements. This includes reviewing their technical inventory, conducting a new risk assessment, auditing access controls, evaluating incident response procedures, and identifying outdated software or weak vendor relationships. These evaluations will reveal where gaps exist and help prioritize remediation efforts.

It is also advisable to revisit policies and procedures. Many healthcare organizations rely on security documentation that is outdated, incomplete, or never reviewed. Updating these materials to reflect the new NPRM language and intent is not only a compliance measure but a critical step in aligning day-to-day operations with strategic risk management.

Staff training must also evolve. The NPRM underscores the importance of workforce awareness, particularly in areas such as access management, phishing prevention, incident reporting, and secure data handling. Security awareness programs should be reviewed and updated to reflect current threats and regulatory expectations. Role-specific training is especially important, as different users face different risks and responsibilities.

Technology investments will likely be necessary for many organizations. From implementing multi-factor authentication and encryption to improving network segmentation and vulnerability scanning, these measures require both capital and operational expense. However, these investments should be viewed not just as regulatory burdens, but as necessary safeguards for protecting patients, reputations, and critical services.

Lastly, organizations should consider external partnerships where appropriate. Cybersecurity consultants, managed service providers, legal advisors, and cloud vendors may all play a role in helping healthcare organizations comply with the NPRM. Outsourcing certain tasks, such as penetration testing or audit preparation, can bring objectivity and technical expertise that is difficult to maintain in-house.

The NPRM makes one point very clear: reactive, informal, or outdated security practices are no longer acceptable in the healthcare sector. Organizations must evolve their programs to meet the complexity and urgency of modern cyber threats. By embracing the rule’s principles now—before enforcement begins—healthcare organizations can demonstrate leadership, build trust, and protect what matters most: patient safety and privacy.