Melody Simpson March 04, 2025

Cybersecurity threats in healthcare are escalating. The Department of Health and Human Services (HHS) has responded with proposed updates to the HIPAA Security Rule to bolster protections for electronic protected health information (ePHI). These changes, issued in December 2024, reflect the increasing sophistication of cyberattacks and aim to close security gaps in the healthcare sector. So, what’s changing? How do these updates impact covered entities and business associates? What steps do healthcare organizations need to take to remain compliant? Adapting to these new cybersecurity protocols could expose organizations to data breaches and hefty fines.

Elimination of “Addressable” Specifications in Cybersecurity Protocols

The biggest shift in the new cybersecurity protocols is removing the distinction between "required" and "addressable" specifications. Previously, healthcare entities had flexibility with certain safeguards, allowing them to implement alternatives if they deemed specific measures unreasonable. Now, all implementation specifications are mandatory, with very limited exceptions.

This means encryption, risk assessments, and technical safeguards are no longer optional. Organizations can no longer decide if a measure fits their environment—it’s required, period. This change reflects a growing consensus that flexibility in cybersecurity has contributed to vulnerabilities. Standardizing these requirements ensures that all entities meet a baseline level of security, minimizing gaps that attackers could exploit.

cybersecurity protocols

Healthcare providers must carefully review existing security measures to identify areas where previously “addressable” controls were not fully implemented. For instance, encryption of ePHI at rest and in transit, once considered “addressable,” is now non-negotiable. Any deviation must be justified with clear, documented exceptions, though such exceptions will be rare.

This change will significantly impact small and mid-sized healthcare practices that previously relied on flexible interpretations of HIPAA requirements. These organizations will need to invest in robust security solutions to meet the new standards. While the initial costs may be high, the long-term benefits include better protection against breaches and reduced liability.

Covered entities should collaborate with IT professionals to ensure that all mandatory specifications are implemented. Relying on outdated protocols or minimal compliance will no longer suffice. The shift toward mandatory specifications signals a move towards a more secure and standardized healthcare cybersecurity landscape.

Failure to comply with these new mandatory specifications can result in severe penalties. Regulatory bodies will likely increase scrutiny and enforcement efforts, making it essential for organizations to prioritize compliance immediately. Ignoring these changes could lead to data breaches, legal consequences, and reputational damage.

Mandatory Documentation and Auditing

The updated cybersecurity protocols emphasize documentation like never before. Covered entities and business associates must maintain written records of all Security Rule policies, procedures, risk assessments, and incident response plans. This documentation ensures that organizations have clear, actionable plans to protect ePHI and can demonstrate compliance during audits.

In addition to maintaining documentation, organizations are now required to conduct internal compliance audits at least once every 12 months. These audits ensure that security measures are correctly implemented and remain effective over time. Regular audits help identify vulnerabilities and ensure that organizations can address them before they become critical issues.

Healthcare organizations must develop a technology asset inventory and a network map illustrating how ePHI moves through their systems. This inventory must be updated annually or whenever significant changes occur in the IT environment. A comprehensive understanding of data flow is essential for identifying potential security risks.

Risk assessments must now include detailed analyses of threats and vulnerabilities to ePHI. Organizations are required to document all identified risks and develop mitigation strategies. This proactive approach ensures that potential threats are addressed before malicious actors can exploit them.

Business associates must also comply with the new documentation and auditing requirements. They are required to verify, in writing, that they have implemented the necessary technical safeguards to protect ePHI. Covered entities must obtain and review these certifications to ensure their partners maintain compliance.

Failure to maintain proper documentation or conduct regular audits can result in severe penalties. Regulatory bodies will scrutinize organizations that fail to comply with these requirements, increasing the risk of fines and legal action. Ensuring thorough documentation and regular audits is essential for maintaining compliance and protecting sensitive patient information.

Enhanced Technical Security Measures

The new cybersecurity protocols introduce stricter technical controls to protect ePHI. Data encryption at rest and in transit, previously considered “addressable,” is now mandatory. This change reflects the growing recognition that encryption is a critical safeguard against unauthorized access.

Multi-factor authentication (MFA) is also required to access ePHI. This additional layer of security significantly reduces the risk of credential-based attacks, a leading cause of data breaches in healthcare. Organizations must implement MFA across all systems that handle sensitive patient information.

Organizations must perform vulnerability scans at least every six months and penetration testing at least once every 12 months. These tests help identify weaknesses in security systems before cybercriminals can exploit them. Regular assessments are now a core component of HIPAA compliance.

Network segmentation is now a mandatory requirement. This involves isolating systems containing ePHI from other parts of the network, making it more difficult for attackers to move laterally within the infrastructure. Network segmentation limits the potential damage from breaches.

Organizations must establish separate technical controls for backup and recovery systems. These controls ensure that backups remain secure and inaccessible to attackers. Regular backup integrity testing is required to ensure that data can be restored quickly in case of a breach or system failure.

New Access Control and Monitoring Requirements

Access controls are critical to cybersecurity protocols, and the updated HIPAA rules introduce more stringent requirements. Organizations must implement detailed access management policies to ensure that only authorized personnel can access ePHI. This includes defining roles, responsibilities, and access privileges.

One major change is the requirement to notify regulated entities within 24 hours when a workforce member’s access to ePHI is changed or terminated. This rapid response reduces the risk of insider threats and ensures former employees cannot access sensitive information.

Organizations must conduct regular compliance audits to evaluate whether access controls are correctly implemented. These audits help identify access management gaps and ensure policies are followed. Failure to conduct audits can result in non-compliance and increased risk of breaches.

Network segmentation plays a crucial role in access control. By isolating sensitive systems, organizations can limit access to critical data and reduce the risk of attackers' lateral movement. This approach enhances overall security and helps protect ePHI.

Organizations must also implement procedures for regularly reviewing and updating access privileges. This ensures that only authorized personnel can access sensitive information and that access rights are adjusted as roles and responsibilities change. Regular reviews are essential for maintaining compliance and minimizing security risks.

Strengthening Incident Response and Business Continuity

New cybersecurity protocols strongly emphasize incident response and business continuity planning. Organizations must have a written incident response plan detailing how to detect, contain, and mitigate security incidents. This plan must be regularly updated and tested to ensure effectiveness.

Organizations are required to restore critical systems within 72 hours following a security incident. This ensures that healthcare operations can resume quickly during a ransomware attack or other major disruption. A prioritized recovery plan is essential for minimizing downtime and maintaining patient care.

Business associates must certify that they have implemented appropriate security measures and notify covered entities within 24 hours of activating contingency plans. Covered entities must verify these certifications annually to ensure compliance and maintain trust with their partners.

Backup security requirements have been strengthened. Organizations must implement separate technical controls for backup and recovery systems to prevent unauthorized access. Regular backup integrity testing ensures data can be restored quickly and securely during a breach.

Organizations must regularly analyze the criticality of their systems and technology assets. This helps prioritize recovery efforts and ensures that the most important systems are restored first. A comprehensive understanding of system dependencies is essential for effective incident response.

Failure to implement robust incident response and business continuity plans can result in severe consequences. Regulatory bodies will closely scrutinize organizations that fail to comply with these requirements, increasing the risk of fines and legal action. Ensuring preparedness is essential for protecting patient data and maintaining compliance.

Are Your Cybersecurity Protocols Ready for the New HIPAA Rules?

The new HIPAA cybersecurity protocols represent a significant shift in healthcare security compliance. To meet these updated standards, organizations must strengthen risk management, technical controls, access controls, and incident response strategies.

With cyber threats rising, healthcare entities cannot afford to delay their compliance efforts. Implementing these measures will protect patient data and reduce the risk of costly breaches and regulatory fines.

Navigating these regulatory changes can be complex, but expert guidance ensures compliance without disrupting operations. CompassMSP provides comprehensive support to help healthcare organizations align with the new HIPAA Security Rule requirements. Contact us today to strengthen your security posture and maintain compliance.

Join Us for Our Next Webinar:

March HIPAA 2025 Webinar (1)

You're invited to join us on March 20th at 1 PM EST for "HIPAA 2025 Proposed Updates: What Healthcare Leaders Need to Know to Stay Compliant."

Register Now

Melody Simpson

Submit Your Comment

Trending

Apr 10, 2025 - PMA Chicago Suppliers Expo

Apr 10, 2025 - PMA Chicago Suppliers Expo

March 11, 2025
What Are Your Most Valuable Business Assets? A Guide to Identify and Protect Them

What Are Your Most Valuable Business Assets? A Guide to Identify and Protect Them

March 11, 2025
The Role of Employee Training in Cybersecurity: Strengthening Business Continuity Through Awareness

The Role of Employee Training in Cybersecurity: Strengthening Business Continuity Through Awareness

March 07, 2025
The Importance and Value of a Cybersecurity Risk Assessment: A Guide

The Importance and Value of a Cybersecurity Risk Assessment: A Guide

March 06, 2025
NIST Framework: Cybersecurity for Small to Mid-Sized Businesses

NIST Framework: Cybersecurity for Small to Mid-Sized Businesses

March 06, 2025

Category