Healthcare's Insecurity Cure?


A Rule for a New Era

HIPAA's Security Rule has governed how covered entities protect electronic protected health information (ePHI) since 2003, and its last significant update came in 2013. Since then, most healthcare systems have transformed significantly: more than 90% of hospitals now use electronic healthcare management systems, PHI has migrated to the cloud and to business associate SaaS platforms, and ransomware attacks against healthcare targets surged 264% between 2018 and 2023. The regulatory framework stayed largely the same throughout, but that changes in 2026.

The HHS Office for Civil Rights (OCR) is set to publish a final rule this month (May 2026) that represents the most substantive HIPAA update since the 2013 Omnibus Rule. For some IT leaders and security teams across the healthcare sector, this may be an active compliance emergency. Organizations with known weaknesses that have not started remediation are behind.


HIPAA Security Rule Updates

The centerpiece of this overhaul is the elimination of the "addressable" implementation specification category. Under the existing framework, organizations could document why a particular safeguard (e.g., encryption) was not "reasonable or appropriate" for their environment and substitute an alternative. That flexibility is gone.

The new rule upgrades previously addressable specifications to "required" status, allowing narrow, documented exceptions for specific legacy medical devices and genuine emergencies. Here is what that means in practice:

  1. Mandatory MFA: Multi-factor authentication is required across all systems that access ePHI, not just EHRs, but billing systems, imaging platforms, and any other relevant electronic information system. This may be the highest-impact change for day-to-day IT operations, and it applies universally regardless of organization size.
  2. Full ePHI Encryption: Encryption at rest and in transit is no longer optional. It must be implemented in alignment with NIST standards, including secure key management and access controls. Organizations that previously relied on documented alternatives will be out of compliance when the rule takes effect.
  3. 72-Hour System Restoration: Written procedures must demonstrate the capability to restore critical ePHI systems within 72 hours of a major security incident. This creates a hard operational deadline that existing disaster recovery and business continuity plans may not currently support.
  4. 72-Hour Breach Notification to HHS: For breaches affecting 500 or more individuals, the previous "without unreasonable delay" standard is replaced by a strict 72-hour notification window to HHS. This tightening may require incident response workflow redesign.
  5. Penetration Testing and Vulnerability Scanning: Security testing moves from a recommended best practice to a mandatory, recurring requirement. Penetration tests must be conducted annually by qualified cybersecurity professionals, with records of findings and corrective actions. Vulnerability scanning must occur at a minimum every six months.
  6. Network Segmentation: Under 45 CFR 164.312, ePHI systems must be isolated from general-purpose networks. A breach originating in a low-security area, such as a guest Wi-Fi network, point-of-sale system, or connected medical device, should not be able to reach or disrupt clinical systems. This has direct architectural implications for most healthcare environments.
  7. Continuous Technology Asset Inventory: Organizations must maintain a running inventory of all systems that access or store ePHI, updated at least annually and following any operational change. This is a foundational prerequisite for almost every other requirement on this list.
  8. Business Associate (BA) Certification: Business associates must provide written certifications every 12 months confirming they have deployed the required technical safeguards. The certification must be based on an analysis performed by a qualified Subject Matter Expert (SME). A simple sign-off on a compliance document, without professional technical verification behind it, no longer satisfies the requirement. BAs must also notify covered entities within 24 hours of activating contingency plans.

Impact on Healthcare IT

For IT leadership, the shift from "addressable" to "required" fundamentally alters the risk calculus. Organizations that achieved HIPAA compliance through alternate controls, partial encryption, or password-only authentication become noncompliant when the rule takes effect. OCR imposed 21 financial penalties in 2025, up from 16 in 2024, and civil monetary penalties now reach up to $2.19 million per violation category. A reactive, post-publication compliance program for a mid-sized hospital is estimated to cost between $600,000 and $900,000, double the cost of a proactive approach begun now.

There are three risk dimensions IT teams need to address simultaneously. The first is regulatory exposure: OCR enforcement is trending upward, and the new rule's specificity removes the gray areas that gave organizations room to maneuver. The second is operational risk: the 72-hour restoration and notification deadlines are hard limits that current incident response plans frequently cannot meet. The third is third-party risk. Business associates bear the same obligations as covered entities, so a covered entity can achieve full internal compliance and still face OCR scrutiny because of a vendor breach. Third-party risk monitoring must be active and continuous.

The legacy device problem deserves particular attention. FDA-cleared medical devices with pre-March 2023 approval dates receive a narrow exception, but invoking it requires documentation and a migration plan. For organizations with large fleets of connected medical equipment, isolating these devices so that a compromise of a non-patchable system cannot reach other clinical network assets is a practical interim control.


Steps Towards Compliance

Organizations best positioned for the compliance deadline are moving now, before the final rule is published. Proactive remediation is estimated to be 40–50% less costly than reactive remediation. Here is a roadmap:

Immediately perform a gap analysis: Map your current controls against every proposed mandatory specification. This is the foundational step from which all other remediation flows.

Within 30 days inventory ePHI systems: Identify every system that accesses or stores ePHI. Flag those without encryption at rest or in transit, and those relying solely on password-based authentication. This inventory is required by the rule itself and is also your prioritization framework for the remediation work.

Within 60 days audit business associate agreements: Update BAA templates to reflect the new SME certification and 24-hour notification requirements. Issue compliance attestation requests to critical vendors now. Consider that vendors are operating on their own timelines, which may present downstream liability for your company.

Within 90 days update incident response plans: Revise your security incident response plan to reflect the 72-hour restoration and breach notification requirements. Walk through a tabletop scenario with key stakeholders and confirm that the capability to back up and restore critical data actually exists. Do not rely solely on replication: in a ransomware attack, replication paths may also be susceptible.

Within 90 days schedule penetration testing and vulnerability scanning: Qualified testers are in high demand sector-wide. Organizations that wait until after publication will compete for scarce resources at premium rates. We recommend scanning on 30-day intervals to discover weaknesses as soon as possible. Alternatively, monitoring threat feeds may help if you're concerned that active scanning may impact sensitive equipment availability.

Deploy MFA: Since MFA is a primary target of the rule and carries an 80–95% probability of being retained in the final text, early deployment across all relevant electronic information systems will materially reduce compliance friction. Prioritize high-risk ePHI systems (EHRs, billing, imaging) first, then address legacy systems in parallel under documented remediation timelines.
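The gap analysis and inventory steps above are easier to keep current if the inventory is a structured record that can be checked automatically against the mandatory specifications. The script below is an added example, not code from the original post or from any HHS or OCR tooling: it defines a small inventory record, encodes the cadences the article describes (MFA, encryption at rest and in transit, segmentation, six-month vulnerability scans, annual penetration tests, annual inventory refresh, 12-month BA certification) as checks, treats legacy-device control gaps as lower severity that still needs a documented exception and migration plan, and orders assets so remediation starts where the most required controls are missing. The field names, the day-count mapping of each cadence, and the four sample assets (including the placeholder vendor name) are constructed assumptions for illustration.

```python
"""Gap analysis of an ePHI asset inventory against the mandatory safeguards
described in the article. Added example; inventory format, field names and
sample assets are constructed, not from a real environment."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cadences from the article, expressed in days (assumed mapping).
SCAN_INTERVAL_DAYS = 182       # vulnerability scanning at least every six months
PENTEST_INTERVAL_DAYS = 365    # annual penetration test
INVENTORY_INTERVAL_DAYS = 365  # asset inventory refreshed at least annually
BA_CERT_INTERVAL_DAYS = 365    # business associate certification every 12 months


@dataclass
class Asset:
    """One row of a (constructed) ePHI asset inventory."""
    name: str
    stores_ephi: bool
    mfa: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    segmented: bool                           # isolated from general-purpose networks
    inventory_updated: date                   # when this record was last reviewed
    last_scan: Optional[date] = None
    last_pentest: Optional[date] = None
    business_associate: Optional[str] = None  # vendor operating the system, if any
    ba_certified: Optional[date] = None       # date of the BA's last written certification
    legacy_device: bool = False               # FDA-cleared device eligible for the narrow exception


def overdue(last: Optional[date], interval_days: int, today: date) -> bool:
    """True when an activity has never happened or is older than its cadence."""
    return last is None or (today - last).days > interval_days


def asset_gaps(a: Asset, today: date) -> list:
    """Return (severity, finding) pairs for one asset; an empty list means no gaps."""
    if not a.stores_ephi:
        return []  # out of scope for the ePHI safeguards
    gaps = []
    # Technical safeguards that move from addressable to required. A legacy
    # device may claim the exception, but the gap must still be documented
    # with a migration plan, so it is reported at low rather than high severity.
    if a.legacy_device:
        sev, suffix = "low", " (legacy device: document exception and migration plan)"
    else:
        sev, suffix = "high", ""
    if not a.mfa:
        gaps.append((sev, "no MFA" + suffix))
    if not a.encrypted_at_rest:
        gaps.append((sev, "no encryption at rest" + suffix))
    if not a.encrypted_in_transit:
        gaps.append((sev, "no encryption in transit" + suffix))
    # Segmentation is the interim control for non-patchable devices, so an
    # unsegmented legacy device is still a high finding.
    if not a.segmented:
        gaps.append(("high", "not segmented from general-purpose network"))
    # Recurring testing and inventory cadences.
    if overdue(a.last_scan, SCAN_INTERVAL_DAYS, today):
        gaps.append(("medium", "vulnerability scan overdue (>6 months or never)"))
    if overdue(a.last_pentest, PENTEST_INTERVAL_DAYS, today):
        gaps.append(("medium", "penetration test overdue (>12 months or never)"))
    if overdue(a.inventory_updated, INVENTORY_INTERVAL_DAYS, today):
        gaps.append(("medium", "inventory record stale (>12 months)"))
    # Third-party obligation: annual SME-backed certification from the BA.
    if a.business_associate and overdue(a.ba_certified, BA_CERT_INTERVAL_DAYS, today):
        gaps.append(("medium", f"BA certification from {a.business_associate} missing or >12 months old"))
    return gaps


def prioritized_report(assets, today: date) -> dict:
    """Map asset name -> gaps, ordered so assets missing the most required controls come first."""
    report = {a.name: asset_gaps(a, today) for a in assets}

    def score(item):
        name, gaps = item
        highs = sum(1 for sev, _ in gaps if sev == "high")
        return (-highs, -len(gaps), name)

    return dict(sorted(report.items(), key=score))


TODAY = date(2026, 5, 15)  # fixed reference date so the example is deterministic

SAMPLE_INVENTORY = [  # constructed sample inventory
    Asset("ehr", True, True, True, True, True,
          inventory_updated=TODAY - timedelta(days=30),
          last_scan=TODAY - timedelta(days=60),
          last_pentest=TODAY - timedelta(days=200)),
    Asset("billing-saas", True, False, False, True, False,
          inventory_updated=TODAY - timedelta(days=30),
          last_scan=None,
          last_pentest=TODAY - timedelta(days=400),
          business_associate="ExampleClaimsVendor",   # placeholder vendor name
          ba_certified=TODAY - timedelta(days=400)),
    Asset("infusion-pump-fleet", True, False, False, False, False,
          inventory_updated=TODAY - timedelta(days=30),
          last_scan=TODAY - timedelta(days=100),
          last_pentest=TODAY - timedelta(days=100),
          legacy_device=True),
    Asset("guest-wifi-portal", False, False, False, True, False,
          inventory_updated=TODAY - timedelta(days=30)),
]

if __name__ == "__main__":
    for name, gaps in prioritized_report(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {'no gaps' if not gaps else ''}")
        for sev, finding in gaps:
            print(f"  [{sev}] {finding}")
```

Run it as a script to see the ordered report; in practice the inventory would be loaded from the asset register rather than constructed inline, and the "inventory record stale" check is what enforces the at-least-annual refresh the rule requires.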

💡 Industry coalitions have petitioned HHS to withdraw the rule, and there is a probability of delay or modification.

The threat environment that drove the rule (for example, 167 million individuals affected by healthcare data breaches in 2023, and ransomware attacks against the U.S. healthcare sector up 128% between 2022 and 2023) persists regardless of regulatory timelines.

Contact us to reduce your compliance time horizon.
