Exploring Information Security


Created by ChatGPT

Understanding the 2025 HIPAA Security Rule Proposal: Key Changes and Implications

February 17, 2025

In January 2025 I put together a presentation on the proposed changes to the HIPAA Security Rule. You can view the live recording on the ExplorSec YouTube channel. With Valentine's Day recently passing I thought this would be a good time for a blog post on the proposals for the HIPAA Security Rule. Below is a ChatGPT generated blog post using the transcript from that session that I've reviewed and edited.

The U.S. Department of Health and Human Services (HHS) recently proposed updates to the HIPAA Security Rule, aiming to enhance the cybersecurity resilience of healthcare organizations. These changes are in response to the evolving threat landscape, rising breach costs, and the need for stronger regulatory oversight. Let’s explore the proposal, its timeline, and the most significant updates impacting the healthcare industry. The proposal can be viewed at this link: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html

Why the Change?

HIPAA, originally enacted in 1996, has undergone several updates, with the most recent in 2013. However, with data breaches in healthcare rising sharply, the government is taking action. The cost of healthcare breaches has surged by 50% since 2020, with an average breach costing $10.1 million per organization. Additionally, cybercriminals continue to target healthcare organizations despite previous claims that they would avoid them. In 2023 alone, the FBI received 250 ransomware reports from healthcare organizations—the most of any industry.

Proposed Timeline

  • January 6, 2024: Proposal released

  • March 7, 2024: Public comment period closes

  • Spring 2025: HHS reviews comments and finalizes the rule

  • 2026: Full compliance expected for specific requirements

Organizations have an opportunity to provide feedback before implementation, making this a crucial period for healthcare entities to review the proposed changes and assess their impact.

Key Changes in the HIPAA Security Rule Proposal

Revised Terminology and Definitions

Several terms are being modified or newly defined to eliminate ambiguity and prevent misinterpretations that have historically allowed organizations to circumvent security requirements. Notable changes include:

  • Security Measures: Clarified to apply to both systems and information.

  • Technical Controls & Safeguards: Expanded definitions to include firmware and hardware components.

  • User Definitions: Adjusted to remove ambiguity between human users and system entities.

  • Addressable and Reasonable & Appropriate Requirements: Refined to ensure organizations do not misinterpret them as optional.

Asset Inventory and Risk Analysis

One of the most critical updates is the requirement for a comprehensive asset inventory of all technical assets that create, receive, maintain, or transmit electronic protected health information (ePHI). Organizations must:

  • Maintain a written inventory including device IDs, software versions, responsible personnel, and locations.

  • Conduct annual risk analyses aligned with NIST cybersecurity standards.

  • Update network maps to track ePHI movement and access points.

Patch Management Requirements

For the first time, HIPAA is setting explicit timelines for patch management:

  • Critical vulnerabilities must be patched within 15 days.

  • High vulnerabilities must be patched within 30 days.

  • Organizations must document any exceptions and review them annually.
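The asset inventory and patch management sections above describe a record-keeping obligation and a set of deadlines; the following is an added example (not code from the post, from HHS, or from the proposal itself) showing how the two fit together in practice. It joins a written inventory (device ID, software version, responsible personnel, location) with vulnerability findings, applies the timelines the post summarises (critical: 15 days, high: 30 days), flags findings on devices that are missing from the inventory, and treats a documented exception as stale once it has gone more than a year without review. All device IDs, vulnerability IDs, dates and the `example.invalid` contacts are constructed for illustration, and the 365-day review window and the status names are the example's own assumptions.

```python
"""Added example: patch-timeline tracker over a written asset inventory.
Not code from the post or from HHS; all data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timelines as summarised in the post; other severities carry no fixed deadline here.
PATCH_SLA_DAYS = {"critical": 15, "high": 30}
EXCEPTION_REVIEW_DAYS = 365  # exceptions must be documented and reviewed annually (assumed window)

# Fields the post lists for the written inventory (device ID, version, owner, location).
REQUIRED_ASSET_FIELDS = ("device_id", "software_version", "owner", "location")


@dataclass
class Asset:
    device_id: str
    software_version: str
    owner: str          # responsible personnel
    location: str
    handles_ephi: bool


@dataclass
class Finding:
    device_id: str
    vuln_id: str
    severity: str                        # "critical", "high", "medium", "low"
    detected: date
    patched: Optional[date] = None
    exception_reason: Optional[str] = None
    exception_reviewed: Optional[date] = None


def inventory_gaps(assets):
    """Return device_ids whose inventory record is missing a required field."""
    gaps = []
    for a in assets:
        if any(not getattr(a, f) for f in REQUIRED_ASSET_FIELDS):
            gaps.append(a.device_id or "<missing device_id>")
    return gaps


def patch_deadline(finding):
    """Deadline derived from the severity timelines; None when no timeline applies."""
    days = PATCH_SLA_DAYS.get(finding.severity.lower())
    return None if days is None else finding.detected + timedelta(days=days)


def classify(finding, inventory, today):
    """Classify one finding against the inventory and the patch timelines."""
    if finding.device_id not in inventory:
        return "unknown_asset"           # the finding exposes a gap in the written inventory
    deadline = patch_deadline(finding)
    if deadline is None:
        return "no_sla"
    if finding.patched is not None:
        return "ok" if finding.patched <= deadline else "patched_late"
    if finding.exception_reason:
        reviewed = finding.exception_reviewed
        if reviewed is None or (today - reviewed).days > EXCEPTION_REVIEW_DAYS:
            return "exception_stale"     # documented, but the annual review is missing
        return "excepted"
    return "overdue" if today > deadline else "due"


def triage(assets, findings, today):
    """Group vuln_ids by status so each bucket can be reported or escalated."""
    inventory = {a.device_id for a in assets}
    report = {}
    for f in findings:
        report.setdefault(classify(f, inventory, today), []).append(f.vuln_id)
    return report


# Constructed sample data (device IDs, vuln IDs, contacts and dates are all made up).
ASSETS = [
    Asset("ws-001", "10.0.19045", "clinic-it@example.invalid", "Clinic A, room 3", True),
    Asset("srv-002", "ehr-app 4.2.1", "ehr-team@example.invalid", "Data center 1", True),
    Asset("", "1.0", "", "Unknown", False),   # incomplete record: flagged by inventory_gaps
]
TODAY = date(2025, 3, 1)
FINDINGS = [
    Finding("ws-001", "VULN-CONSTRUCTED-1", "critical", date(2025, 2, 1)),
    Finding("srv-002", "VULN-CONSTRUCTED-2", "high", date(2025, 2, 15)),
    Finding("srv-002", "VULN-CONSTRUCTED-3", "critical", date(2025, 1, 10), patched=date(2025, 1, 20)),
    Finding("ws-001", "VULN-CONSTRUCTED-4", "high", date(2024, 11, 1),
            exception_reason="vendor firmware update pending", exception_reviewed=date(2024, 12, 1)),
    Finding("ws-001", "VULN-CONSTRUCTED-5", "critical", date(2024, 1, 5),
            exception_reason="legacy device", exception_reviewed=date(2024, 1, 10)),
    Finding("mri-099", "VULN-CONSTRUCTED-6", "high", date(2025, 2, 20)),
    Finding("ws-001", "VULN-CONSTRUCTED-7", "medium", date(2025, 2, 20)),
]

if __name__ == "__main__":
    for status, ids in sorted(triage(ASSETS, FINDINGS, TODAY).items()):
        print(f"{status:16s} {', '.join(ids)}")
    print("inventory gaps:", inventory_gaps(ASSETS))
```

Run as a script it prints one line per status bucket followed by the incomplete inventory records. The `unknown_asset` bucket is the one worth watching: a scanner finding on a device the inventory does not know about is evidence that the written inventory itself is out of date, which is the underlying requirement the patch deadlines depend on.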

Workforce Security and Training Enhancements

Organizations must establish stronger internal security measures, including:

  • Mandatory security training for new hires within 30 days.

  • Job description reviews to align role-based access controls with actual job functions.

  • Regular cybersecurity performance goals for employees, focusing on increasing phishing report rates and improving security awareness.

  • Security training on new technology implementations, such as new systems that handle electronic health records (EHRs).

Strengthened Physical and Technical Safeguards

The proposal mandates that organizations demonstrate operational enforcement of security policies rather than relying solely on documentation. This includes:

  • Mandatory encryption of ePHI at rest and in transit.

  • Elimination of default passwords for all devices.

  • Multi-Factor Authentication (MFA) requirements (with exceptions for FDA-approved medical devices).

  • Stricter controls for legacy systems, including the requirement that manufacturers must still provide security updates; otherwise, organizations must replace outdated systems.

Business Associate Agreements (BAA)

Healthcare organizations rely on third-party vendors to handle sensitive patient data, and the proposal introduces stricter rules around vendor agreements:

  • Vendors must report security incidents within 24 hours of detection.

  • Organizations will have up to one year to update contracts.

  • New requirements will apply to healthcare plan sponsors, who previously were not subject to the same security obligations.

Addressing Emerging Technologies

The proposal acknowledges the impact of new technologies in healthcare, requiring organizations to assess and prepare for:

  • Quantum Computing: Organizations must develop a roadmap for quantum-resistant encryption.

  • Artificial Intelligence (AI): Organizations must inventory AI use cases and assess associated security risks.

  • Virtual Reality (VR) in Healthcare: VR devices must comply with access management, patch management, and risk management protocols.

Financial Impact and Justification

The estimated cost for implementing these new security controls across all healthcare organizations is $6.8 billion annually. However, HHS argues that these measures will reduce healthcare breaches by 7-16% and will effectively pay for themselves. For individual organizations, first-year compliance costs are estimated at $4.65 million, but with healthcare breaches averaging $10.95 million in damages per incident, the investment is likely to yield significant long-term savings.

What’s Next?

The proposed HIPAA Security Rule updates aim to close loopholes, modernize security requirements, and enforce stricter compliance. Healthcare organizations should begin:

  • Reviewing their current security policies, training programs, and technical safeguards.

  • Assessing their vendor contracts and business associate agreements.

  • Engaging with industry groups or submitting public comments before the March 7 deadline.

For additional details on the HIPAA Security Rule proposal and how to submit public comments, visit the official HHS website.

What are your thoughts on the proposed changes? Let us know in the comments below!

In Opinion, News. Tags: Healthcare, HIPAA, GRC

DHHS Angry Translator: Breaking Down the Latest HIPAA Security Rule Proposal

January 7, 2025

Let’s face it: regulatory updates like those from the Department of Health and Human Services (DHHS) often come wrapped in a blanket of formal language that makes you wonder, What are they really saying? Enter the DHHS Angry Translator, here to break it down and tell it like it is. Like the recently introduced CISA Angry Translator, the DHHS Angry Translator, Hank, has a no-nonsense take on the proposed changes to the HIPAA Security Rule—because sometimes, you need a little fire to get the message across.

Created with help from ChatGPT

DHHS Says:
"Covered entities and business associates must adopt reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI."

Hank:
"Look, people! You’re handling sensitive health information here—stop treating it like a casual to-do list. Lock it down! If you wouldn’t leave patient records lying around in a coffee shop, don’t let your servers be a free-for-all!"

DHHS Says:
"We propose clarifying the definition of 'security incident' to ensure timely identification and response to unauthorized access, use, or disclosure of ePHI."

Hank:
"Translation: Stop pretending you didn’t notice the breach. When someone jiggles the doorknob, that’s your cue to ACT, not wait for the whole door to come down!"

DHHS Says:
"Entities must perform regular risk assessments to identify vulnerabilities and implement measures to mitigate those risks effectively."

Hank:
"Let me break it down for you: Take a good, hard look at your systems. If you see a crack, fix it! Don’t wait for a cybercriminal to make it a canyon!"

DHHS Says:
"The proposed changes aim to enhance accountability and transparency in managing ePHI security."

Hank:
"Translation: If you mess up, we’re coming for you. There’s no hiding anymore. Either you get your house in order, or we’ll do it for you—with penalties."

DHHS Says:
"We propose revisions to the administrative safeguards, emphasizing the necessity of documented policies and procedures for incident response and risk management."

Hank:
"Y’all need to WRITE THIS DOWN! A half-baked plan in someone’s head doesn’t cut it. If a breach happens and your response is ‘Uh... what now?’—you’re already toast!"

DHHS Says:
"The proposal includes requirements to integrate continuous monitoring into risk management practices for ePHI security."

Hank:
"‘Continuous monitoring’ means don’t just check your security once a year like it’s a New Year’s resolution. Stay on top of it! Hackers aren’t taking vacations—they’re coming for you every day!"

DHHS Says:
"Entities must evaluate their use of encryption to ensure ePHI remains secure during transmission and storage."

Hank:
"If your data isn’t encrypted, it’s like sending patient records via postcard: everyone can see it! Encrypt. Everything. Period."

DHHS Says:
"We are revising technical safeguard requirements to account for emerging technologies and new cybersecurity threats."

Hank:
"Translation: If you’re still using security from the early 2000s, it’s time for an upgrade. Hackers have moved on, and so should you!"

DHHS Says:
"Workforce training should address phishing attacks, unauthorized device use, and secure access to ePHI."

Hank:
"Teach your people that clicking shady links isn’t just a bad idea—it’s a disaster waiting to happen. Also, tell them to stop using their cousin’s unsecured iPad for work!"

DHHS Says:
"The proposed changes highlight accountability mechanisms for business associates handling ePHI."

Angry Translator:
"Listen up, third parties: If you’re touching ePHI, you’re on the hook too. No more pointing fingers when things go wrong. Handle the data like it’s your grandma’s—or get burned!"

DHHS Says:
"Periodic evaluations of safeguards will ensure compliance with evolving security standards."

Angry Translator:
"‘Periodic evaluations’ means you don’t just set it and forget it. Check your defenses regularly, or you’ll be picking up the pieces after the next attack!"

Final Note from the Angry Translator:
"This proposal isn’t just about checking boxes—it’s about protecting people. If your security plan is older than your favorite streaming service, fix it. Now. Because when things go wrong, it’s not just your reputation on the line—it’s patients’ trust and safety too."

The commenting period for the HIPAA Security Rule Draft is open until March 7, 2025. If you're at a healthcare organization, make sure to read it and submit your public comments. I am currently doing a deep dive on the proposal and will have thoughts in a future blog post.

In News, Advice. Tags: HIPAA, Healthcare, Cybersecurity
