Cybersecurity, Regulatory Compliance
Preparing for the Proposed HIPAA Security Rule Update

The healthcare sector has been significantly impacted by cybersecurity incidents, with ransomware and hacking breaches being the most prevalent. In 2023, 167 million individuals were affected, marking a 102% increase in data breach reports from 2018 to 2023. In response, the U.S. Department of Health and Human Services (HHS) has proposed substantial cybersecurity updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The updates emphasize enhanced risk management strategies, robust technical controls and advanced security protocols. Here's what you need to know:
Timeline and Context:
- December 27, 2024: The Office of Civil Rights at HHS issued a Notice of Proposed Rulemaking (NPRM) as an overarching update to the HIPAA Security Rule.
- March 7, 2025: Deadline for public comments on proposed changes.
- Expected Implementation: If finalized, regulated entities will be given 180 days from the effective date to implement the new requirements. However, it will most likely be a long time before HHS finalizes the Security Rule.
The update to the HIPAA Security Rule represents the most substantial overhaul since 2013 and emphasizes cybersecurity protections for electronic protected health information (ePHI). The proposed changes represent a shift from reactive guidelines to a proactive, advanced security posture with mandatory safeguards:
“This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.”
Prevention and Resilience:
There is a clear theme throughout the NPRM that it is not enough to secure your digital perimeter against threats. Rather, healthcare organizations must also contain attacks, reduce their impact, and adapt and recover during a cyberattack. The following details of the proposed changes reflect this emphasis on building greater cyber resilience:
- Asset Inventory and Network Mapping: Think of this requirement as a current and accurate representation of a regulated entity's digital infrastructure. Specifically, it calls for a full inventory of all technology assets and a detailed network map illustrating the flow of ePHI throughout electronic information systems.
  - The update requires regulated entities to conduct both a technology asset inventory and a network map at least once a year, and particularly when there are changes to the organization's environment.
- Contingency Planning in the event of a security incident: Enhanced contingency and response planning for cyberattacks, with clear incident response plans, procedures and documentation. For example:
  - Documented procedures outlining recovery protocols to restore critical ePHI and electronic systems, as well as how workforce members should report suspected or known security incidents. Prioritization of systems and assets based on their importance is also to be included.
  - Written procedures for testing and revising incident response plans.
  - Implementation of stricter timelines, such as 24-hour notification for changes in workforce access to ePHI and 72-hour system restoration after an incident.
- Technical Controls:
  - Data encryption requirements for all ePHI at rest and in transit.
  - Requirements for network segmentation, and for separate backup and recovery of ePHI and the relevant electronic information systems.
  - Implementation of anti-malware protection, removal of extraneous software not needed by electronic information systems, and management of network ports to reduce risk, as informed by the entity's risk analysis.
  - Required use of multi-factor authentication for all electronic information systems.
- Preventative Controls:
  - Conduct vulnerability scanning at least once every six months.
  - Conduct annual penetration testing.
  - Conduct a compliance audit at least once a year to ensure compliance with the rule's requirements.
  - Greater specificity for conducting risk analysis, including written identification, classification and assessment of threats.
In terms of compliance and enforcement, the Office of Civil Rights administers and enforces the HIPAA Security Rule. Perhaps the most pertinent update in terms of compliance lies in the removal of the distinction between "required" and "addressable" implementation specifications, meaning all implementation specifications are required. In addition, there are specific compliance time periods for several of the existing requirements.
Preparing for the Changes
To prepare for these upcoming changes, our team at Capsicum Group can assist with:
• Conducting a thorough assessment of current cybersecurity practices;
• Updating cybersecurity policies and procedures;
• Conducting vulnerability assessments and penetration testing;
• Writing technology risk management and incident response plans;
• Providing additional HIPAA training to workforce members; and
• Assessing and implementing IT environment upgrades (including hardware and software).
As we await the final rule, it's crucial for healthcare organizations to start preparing now. These updates mandate comprehensive technical, operational, and procedural changes designed to protect electronic protected health information (ePHI). As cyber threats continue to evolve, these proposed changes are not just regulatory compliance—they are essential safeguards for patient data, organizational resilience, and the integrity of healthcare digital infrastructure.