The proposed changes to the HIPAA Security Rule are significant. Executives and boards need to prepare as the days of voluntary compliance end and a new era where leaders are held personally accountable emerges.
In recent years, many of us in the cybersecurity profession have predicted the end of self-assessed compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the fundamental security practices it mandates.
Joe Oleksak
More specifically, some of us – myself included – believed such a shift would reflect the growing acceptance that cyber resilience no longer falls solely on the shoulders of the IT department or security professionals.
Instead, the dramatic impact of breaches like the Change Healthcare event in February 2024 has elevated cybersecurity practices, strategies and oversight to a board-level concern.
Few operational challenges have the potential to shutter entire healthcare organizations, expose them to significant liability, or subject them to devastating financial losses as swiftly or completely as ransomware or a breach of electronic protected health information. Most importantly, such breaches disrupt the delivery of care and put patients’ lives at risk.
For any healthcare leader responsible for fiduciary matters, patient care, internal operations, or vendor management, cybersecurity has become a mission-critical priority. It is a concern that has the potential to immediately overshadow practically any other operational concern without warning.
Two fundamental changes lie at the core of the proposed changes to the HIPAA Security Rule. These will occur no matter how the U.S. Department of Health and Human Services (HHS) or its Office for Civil Rights (OCR) reacts to the nearly 5,000 responses submitted during the comment period that ended on March 7, 2025. Regardless of the resources allocated for enforcement, these shifts are in motion, whether they become mandatory in this version of the rule or in a future iteration.
Importantly, both of these fundamental shifts are directly applicable to healthcare executives – and one could arguably be aimed directly at healthcare’s operational leaders. Here is a summary.
The loophole around “addressable” items is being removed.
“Addressable” specifications in the current Security Rule require an organization to implement the control if it is reasonable and appropriate, or else document why it is not and adopt an equivalent alternative. In practice, that flexibility has allowed even the most rudimentary security practices – such as encrypting protected health information at rest and in transit, implementing multi-factor authentication and adopting least-privilege or “need-to-know” access controls – to remain largely discretionary.
The proposed rule eliminates the distinction between “addressable” and “required,” making every implementation specification mandatory. For many healthcare organizations, this will necessitate a substantial redesign of the security architecture, affecting nearly all existing systems.
The era of executive ownership of cybersecurity preparedness is here.
With the proposed new HIPAA Security Rule, HHS and OCR have made it clear that they have had enough. The Change Healthcare breach, along with its devastating consequences showed just how susceptible the critical infrastructure of healthcare is when even one organization fails to safeguard private health information.
The new rule overtly stresses two imperatives: cybersecurity is an enterprise-wide risk issue, not just an IT issue, and healthcare executives – including board members – will be held responsible for effectively addressing that risk. We are entering a time of personal liability.
We do not have a final rule yet, but one thing is clear. Chief healthcare executives will operate in a new landscape, one that requires compliance with the many deliverables the HIPAA Security Rule calls for and imposes personal liability on leaders, who must not only address those requirements effectively but also be able to document that they have discharged their duty to keep protected health information secure.
What do the new requirements mean for the healthcare sector?
From an operational standpoint, the proposed changes to the HIPAA Security Rule are a sea change. Not only do they eliminate the flexibility around security controls and dramatically increase executives’ accountability, but they also deem cybersecurity an absolute priority.
This in turn necessitates action from stakeholders across the entirety of the healthcare ecosystem, a complex web of interconnected systems and networks that move, store and secure private data. These stakeholders include, but are not limited to, those in clinical settings, medical device manufacturers, and service providers who touch, process or move patient information.
On the most basic level, it will be imperative for each of these stakeholders to address cybersecurity fundamentals at a level of detail many are unaccustomed to. This is necessary to meet the stricter requirements for risk management, documentation and vendor oversight included in the new rule. Among the topline and more immediate requirements are the following:
Hospitals and clinical settings
These organizations will need to invest in segmentation – one of the most fundamental and effective steps an organization can take to minimize the blast radius from a cyberattack.
However, implementing this will often require significant modifications to traditional flat network structures. Additionally, investments in asset management, vendor management, network mapping and continuous monitoring tools will be critical to enhancing cybersecurity resilience.
Medical device manufacturers
On the most basic level, manufacturers will need to adopt a holistic, security-by-design approach that integrates robust security measures throughout the entire product lifecycle – from initial design to the decommissioning of older machines. This should include ongoing vulnerability assessments and timely patch management to address emerging threats.
Service providers and third-party vendors
Service providers span a wide range, from hyperscalers to those assisting with core business functions like payment processing. They also include providers handling facilities-related tasks, such as heating and air conditioning, which now often rely on remote sensors and devices. These providers will need to clearly demonstrate that their assets, networks, and systems are secure. With accountability for cybersecurity of utmost importance, healthcare providers will accept nothing less than demonstrated and validated compliance.
Notably, these efforts will also include several universally applicable requirements as organizations of all kinds move to address the greater governance now inherent in HIPAA, create an effective risk mitigation plan and operationalize the controls infrastructure they require – all within what will likely be an urgent deadline. (The proposed rule requires compliance with all requirements within 180 days of the final rule’s effective date.)
Where do we go from here?
It is imperative that every organization – even those with limited resources – do what they can to comply with the totality of HIPAA requirements. There are four initial steps that should belong in every leader’s playbook.
1. Assemble expertise
As with many things, the greater danger in cybersecurity is not knowing what you don’t know. Healthcare organizations should start conversations with experts who bring a broad understanding of the operational, technical, policy, procedural and governance changes the proposed rule would require. This intelligence is crucial for the creation of a roadmap that enables the organization to move forward in an organized, risk-based way. Starting these conversations should be a first step.
2. Conduct a comprehensive audit
Meeting the new HIPAA requirements will require more than technical exercises like penetration testing to assess system resilience against attacks. Organizations should combine several kinds of review that not only track compliance efforts but also reveal how effective efforts to secure the organization actually are. This information is needed to help management demonstrate to the board that they achieved what they set out to accomplish. Notably, such an effort should look far beyond IT controls and encompass the organization’s operational norms at a granular level. The intelligence gleaned from such efforts also needs to be digestible and actionable, not just for IT professionals, but for senior operational executives, leaders and boards.
3. Encrypt your data and segment your networks
The flat networks that emerged out of healthcare’s initial move to digitize operations are a hacker’s dream come true – often allowing attackers to move through the environment undetected, seeking the most lucrative opportunities to steal and exploit private health information. One of the most effective ways to contain attackers is to layer networks and segment mission-critical functions – such as patient care systems – so they are isolated from the internet and from business systems. The two controls are complementary: segmentation limits what an intruder can reach, and encryption limits what they gain from the data they do reach. If you can only implement two technical controls, make them encryption and segmentation.
4. Create a security-minded culture
A strong security stance starts at the top. Chief healthcare executives must prioritize security practices and controls – all while continually institutionalizing a keen understanding of the direct impact that any compromise can have on the organization’s mission, the health of patients, and the viability of the institution.
Perhaps most importantly, all healthcare leaders must take action while remaining acutely aware of a singular truth: compliance is the baseline, but security is the goal. Organizations that understand this distinction will emerge stronger, more secure and better prepared to serve and protect the patients in their care.
Joe Oleksak is a partner in Plante Moran’s cybersecurity practice.