Spring 2025 Issue
A HIPAA Security Overhaul
By Elizabeth S. Goar
For The Record
Vol. 37 No. 2 P. 10
What will it take to modernize HIPAA?
In the two decades that have passed since the HIPAA Security Rule was first implemented, security risks have escalated to unprecedented levels across the health care industry. Consider that in 2013—the year of the last update to the rule—health care organizations experienced 269 data breaches, compared with 725 in 2023.
According to the Office for Civil Rights (OCR)[1]:
• Hacking-related data breaches against health care organizations increased 239% between January 1, 2018, and September 30, 2023.
• Ransomware attacks increased 278% over the same period.
• Hacking accounted for 49% of all reported breaches in 2019 and nearly 80% in 2023.
• The 2024 Change Healthcare breach was the largest in United States history, affecting approximately 190 million individuals, roughly 57% of the United States population.[2]
Times have changed since the security rule was updated in 2013, and few in the industry question the impetus behind OCR’s decision to overhaul the regulations.
“With the pace of technology change, and with the natural pace of health system change being a little bit slow, an update is required,” says Ryan Bengtson, CEO of Panda Health. “The most obvious [reason] is just the ever-increasing amount of cybersecurity and malware attacks. … The scale and magnitude of those things, plus the duration since it’s been updated, are driving that impetus [to overhaul the rule].”
HIPAA Security Then and Now
OCR echoes those sentiments in the executive summary of its HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information proposed rule, published to the Federal Register in January 2025.[3] OCR states that “cybersecurity is a concern that touches nearly every facet of modern health care, certainly more so than it did in 2003, or even 2013. Almost every stage of modern health care relies on stable and secure computer and network technologies.”
With technology now deeply ingrained in every aspect of health care operations, there are numerous opportunities for malicious actors to cause harm. Health care’s risk profile is further elevated by its many covered entities and business associates, at which both unintentional and nefarious events can endanger electronic protected health information (ePHI) and other sensitive data. This, along with the escalating number of large-scale breaches and cyberattacks, played a role in the designation of health care and public health as a critical infrastructure sector and of OCR as a Sector Risk Management Agency (SRMA). The president also charged federal agencies, including those overseeing health care, with establishing and enforcing minimum requirements for risk management.
“We believe that a comprehensive and updated Security Rule is critical to accomplishing these directives and to the Department’s effectiveness as the SRMA for the Healthcare and Public Health sector,” OCR wrote.
Thus, while stating it believes the Security Rule “generally continues to accomplish the goals of HIPAA,” OCR nonetheless determined that modifications would be appropriate to address the following:
• significant changes in technology;
• changes in breach trends and cyberattacks;
• OCR’s enforcement experience;
• other guidelines, best practices, methodologies, procedures, and processes for protecting ePHI; and
• court decisions that affect enforcement of the Security Rule.
David White, a cyber risk management expert and cofounder and president of Axio, is more blunt: “The health care industry is facing a crisis. The proposed updates to the HIPAA Security Rule are a direct response to a problem that’s been growing unchecked for years—health care organizations are not prepared for the sophistication or scale of today’s cyber threats. While compliance frameworks like HIPAA set a foundation, they have historically been reactive, evolving only after a crisis.”
The challenge confronting OCR with regulating security is the rapid evolution of both health IT and the methods employed by malicious actors. If mandates are too prescriptive, it would likely be necessary to undergo the onerous process of updating rules far more frequently than is feasible. Earlier versions of the HIPAA Security Rule attempted to address this by being flexible with how health care organizations complied with required actions. Additionally, many security measures were classified as addressable implementations—strongly recommended but not explicitly required.
One example is the requirement that any organization that touches ePHI must conduct a security risk assessment to evaluate potential risks and vulnerabilities, mitigate any identified vulnerabilities, and document the measures taken. OCR even provides a tool that organizations can use to conduct that assessment. But beyond that, there is no prescriptive guidance.
As a result, compliance with the mandate does not always translate into risk mitigation, says George Pappas, CEO of Intraprise Health, a Health Catalyst Company. When his company gets involved, the first step is to review a client’s current security posture, open vulnerabilities, and risk management execution.
“Many clients struggle with completing full risk assessments due to manual effort and cost required. As a result, some organizations will choose to self-assess, which can lead to more issues downstream. In our experience, a self-assessment will have several areas that don’t accurately reflect a client’s risk posture, [so] closing this loophole of self-assessment without evidence is very important.”
Pappas points out another flaw in the current security rule: squishy requirements around demonstrating compliance.
“You can say you’re doing multifactor authentication [MFA], but … there isn’t verification at a tangible level, which is something we must do in other risk assessments that are more stringent, such as HITRUST,” he says. “In the pantheon of cybersecurity risk assessments, HIPAA is the easiest one. It’s the least demanding, but it’s the only one that is federally required.”
Layna Cook Rush, CIPP/US, CIPP/CI, a shareholder with Baker Donelson who leads the law firm’s Data Incident Response Team, concurs that the flexibility and scalability were intentional and appropriate at the time. However, the unintended consequence of the law’s malleable nature was that many covered entities skirted compliance.
To correct that, the proposed rule is “a lot more fulsome, and they are adding a lot of direct, more specific requirements. I think the hope from HHS [Health and Human Services] and OCR is that we’ll have better compliance and fewer cybersecurity incidents in the health care space,” she says.
Rush also highlights the uncertainty surrounding technical controls in the current regulations. For example, she says her firm urges its clients to implement MFA as a cost-effective technical control. Nonetheless, many organizations have resisted investing in technical controls, often for very valid budgetary reasons.
“Now, under the proposed rule, you must have multifactor authentication. … When you read the commentary, OCR says—and I agree—that MFA is a technical control that every organization should have at this point, so they went ahead and made it a specific requirement,” she adds.
Too Much, Too Fast
A common theme emerges from the nearly 4,750 comments submitted to OCR during the proposed rule’s two-month public comment period: the overhaul is needed, but the compliance burden is too much for most organizations to bear.
“In general, the Kansas Hospital Association [KHA] and our member hospitals support the desire to protect the information of the patients that we serve. There isn’t any question about that,” says Larry Van Der Wege, director of regulatory affairs and preparedness for the KHA. But “without any additional reimbursement, hospitals simply cannot afford mandates like this. It is our opinion [that] this appears to be too onerous.”
Coming at a time when the average operating margin for Kansas hospitals is -7% and only 33% of the state’s hospitals are breaking even, per the Kansas Hospital Association,[4] the proposed rule “doesn’t take into account resources that each entity may or may not have, whether that’s financial resources or workforce resources,” he adds.
It’s a market reality that led the KHA to state in its comment letter that “given the financial and workforce challenges existing with rural hospitals today, we agree with the American Hospital Association that this entire rule should be rescinded,” adding that it “goes against the Administration’s desire to improve efficiency and reduce regulatory burdens.”
To develop its comments on the proposed rule, KHA convened a Health Information Technology Committee, with facility IT experts representing a cross-section of its membership. In its review of the rule, KHA called out the following requirements that would be challenging, if not impossible, for many organizations to meet without clarification and/or resource assistance:
• Document all Security Rule policies, procedures, plans, and analyses.
• Develop and maintain a technology asset inventory and a network map of ePHI movement.
• Identify potential vulnerabilities and predisposed conditions.
• Provide notification within 24 hours of changing or terminating an employee’s ePHI or information system access.
• Establish written procedures to restore the loss of specific information systems and data within 72 hours.
• Conduct annual compliance audits, in addition to regular risk assessments.
• Collect annual written verification of compliance from business associates.
• Encrypt ePHI at rest and in transit.
• Establish technical controls for consistent configuration of information systems.
• Use MFA.
“There is often benefit to making things more clear. However, [the proposed rule] just went too far. It is too broad and one-size-fits-all,” Van Der Wege says. He emphasizes that security is a priority for KHA member organizations, citing findings by its HIT Committee that strong technical controls are already in place.
“We are working hard every day to protect our patients’ and employees’ information,” he says. “It is very important to them to protect [ePHI], but the work is never done.”
KHA was not alone in its concerns over the scope of the proposed rule, which transitioned many previously “addressable” implementation specifications to “required,” thereby removing a core element of the rule’s flexibility. Other industry groups (see sidebar) also expressed concerns about the burden compliance would place on all regulated entities.
The College of Healthcare Information Management Executives, the American Dental Association, the American Health Care Association, and five other organizations shared their unified opposition to the proposed HIPAA Security Rule in a March 2025 letter to President Donald Trump and HHS Secretary Robert F. Kennedy, Jr.[5]
Citing a range of issues, including its economic impact, threat to innovation, potential legal conflicts, and progress already being made in hardening security across the industry, the group wrote, “Despite our diverse perspectives, we stand together in our belief that this proposal should be rescinded immediately … The combination of the depth and breadth of the proposed requirements on an unreasonable timeline presents significant challenges, and the unfunded mandates associated with this regulation would place an undue financial strain on hospitals and health care systems.”
In its comment letter, the Medical Group Management Association (MGMA) urges OCR to withdraw the proposed rule. It points out that many medical groups are already facing financial hardships and staffing shortages, which compliance efforts will exacerbate—especially with a compliance date just 180 days after the final rule.
MGMA goes on to say that the $183 million estimated annual cost of compliance cited in the Regulatory Impact Analysis is “a woefully inaccurate estimate” and that the actual cost would be in the billions of dollars.
“We believe in the importance of strengthening cybersecurity across the health care industry, but this proposed one-size-fits-all approach fails to meaningfully improve security and is detrimental to the sustainability of medical groups,” MGMA wrote. “Under current law, medical groups are already fully accountable for complying with HIPAA. They know the best methods and processes for ensuring strong cybersecurity practices within their organizations and should not be subject to additional, overly prescriptive government requirements.”
More Than Mandates
Despite immense pushback from across the industry, commenters generally did not outright dismiss the need for stricter controls to protect ePHI and other sensitive data. In fact, many experts argue that the HIPAA rule is actually the bare minimum.
“Stronger mandates are necessary, but they are not a silver bullet. Cybersecurity isn’t about checking boxes—it’s about understanding the full attack surface,” says Axio’s White, noting that even with stronger regulatory mandates, many organizations will still be playing catch-up. “The reality is compliance should be the floor—not the ceiling. Organizations need to go beyond what’s required, focusing on continuous risk analysis, rapid response capabilities, and a security culture that prioritizes resilience. Because in health care, a cyberattack isn’t just an IT issue—it’s a patient safety crisis waiting to happen.”
The greatest security challenge for many organizations is not just the cost of compliance, but the reality that their existing technical infrastructure simply cannot handle the higher-level controls necessary to present a hardened security front.
Those facilities saddled with outdated and antiquated technologies will need to make significant changes to protect ePHI, regardless of how much or little of the proposed rule is incorporated into the final version, Bengtson says. Achieving optimal security will require sacrifices that may be too much for some organizations.
“They may have to rip and replace existing technologies that have been working for a long time in order to get to compliance, which then also creates a whole other downstream cost for change management, training, potential downtime, etc,” he says. “For your typical medium to large health system that has already been trying to cut costs and manage declining margins, this is going to be more than they can realistically take on.”
Bengtson says a collaborative approach has the potential to overcome some of the resource and design barriers that aren’t taken into consideration by regulators. If industry organizations such as the College of Healthcare Information Management Executives can “take the reins and lead the way on this, it won’t feel like this is being forced down your throat by a government that doesn’t recognize the financial and other realities of the system,” he says.
Bengtson adds that he’d like to see provider organizations take advantage of the knowledge and resources available from both industry associations and their vendor partners. “That is going to be the fastest path to success; leveraging that full network of relationships and not trying to go it alone, [because] in most cases, they won’t be able to.”
Pooling expertise will also help health care organizations clear an often-overlooked barrier: the complexity of designing and deploying a robust security system, Pappas says. Even well-financed health care systems with multiple tools such as endpoint detection, identity proofing, microsegmentation, and more can come up short if they do not have a comprehensive plan to make those tools work together.
Also vital is making the dangers clear enough, and the rules transparent enough, that people outside of IT can understand why enforcement is crucial, as is controlling exceptions. This also comes into play when there is pushback against taking devices and systems offline to apply patches and remediate other vulnerabilities.
“Getting the leadership team to see that cybersecurity is a team sport and understanding where all these hidden risks are is the biggest challenge that these large organizations have today,” Pappas says. “The CEO level has to be clear-eyed about the risks and be practical and make sure they’re doing enough to protect [the organization].
“It should be just like protecting your own family,” he adds. “If you’re trying to find the least amount you can do to claim compliance, that’s like saying you’re going to take your son and daughter to the cheapest brain surgeon.”
Meanwhile, Rush points out that not every security investment has to break the bank, and taking small steps now can make a huge difference when it comes time to comply with stepped-up mandates.
She participated in a panel with security experts from Microsoft and health care organizations who were asked where those with limited budgets should spend their cybersecurity dollars. “Everyone on the panel said MFA,” she says. “It’s very reasonable … and you get a lot of bang for your buck with it.”
Along with MFA to protect against infiltration techniques such as phishing, and backups to ensure continuous data access, Rush advises every health care organization to have ransomware and exfiltration protection in place that addresses more than file encryption, a requirement that has evolved with the sophistication and motivation of bad actors.
These days, “once threat actors have gained access to a system, they’ll do a little reconnaissance, they will exfiltrate data, and then they may or may not embed the malware, launch, and encrypt it,” she says. “Under HIPAA, we have notification obligations, so even if you pay a ransom and the threat actor agrees not to disclose any of the data, you still have notification obligations, which are significant. If you notify enough people, your name will appear on the OCR Wall of Shame, and you’re likely to be subject to a class-action lawsuit.”
Other actions health care organizations should take regardless of regulatory mandates include conducting a security risk assessment and drafting a mitigation and remediation plan. Doing so lets them prioritize where to invest limited resources.
Rush adds, “Regardless of whether [the proposed Security Rule] does or doesn’t get passed, the controls that are discussed in [it] are things organizations should be considering and implementing anyway. It’s just best practice.”
— Elizabeth S. Goar is a freelance health care writer in Wisconsin.
INDUSTRY GROUPS WEIGH IN ON THE PROPOSED SECURITY RULE CHANGES
Professional associations and organizations representing every facet of the health care industry weighed in on OCR’s proposed changes to the HIPAA Security Rule. Nearly 4,750 comment letters were submitted before the two-month public comment period closed.
In its comment letter, HIMSS expresses concerns that the proposed rule is “too prescriptive and not scalable according to diverse levels of resources and risk of the wide range of functions and sizes of regulated entities.”
The organization expresses its support for many proposed measures, including multifactor authentication, encryption, patch management, and security incident reporting. However, HIMSS is concerned that compliance would be out of reach for many regulated entities, particularly smaller facilities, tribal organizations, postacute care facilities, and their business associates.
In addition to the costs associated with compliance, “documentation requirements are overly administratively and financially burdensome and prescriptive. The level of prescriptiveness for how regulated entities must implement and document those actions is simply not necessary to protect ePHI … The security and risk assessment needs to appropriately protect ePHI will range widely from a large health system to a single provider practice. This proposed rule is a one-size-fits all solution that does not fit the actual risk level as well as capabilities of many regulated entities,” HIMSS wrote.
The association recommends that cybersecurity requirements apply best practices based on risk levels and be scalable for different sizes and types of regulated entities. It also called for minimizing barriers to health information exchange by “harmonizing security laws, regulations, directives, and industry-led guidelines that are standardized across the United States” and for OCR to clarify that compliance cannot be used as justification for information blocking.
AHIMA also agrees that changes are needed to better protect ePHI and that “work must continue to increase resiliency in the health care system, improve protection against cyber threats and attacks, and support health care organizations in preparation against, during, and after cyber incidents.”
In its letter, the group also recommends OCR conduct a risk stratification analysis and prioritize requiring proposals that will lead to meaningful and measurable improvements in security and consult with impacted entities “to create more comprehensive cost and impact analyses to better understand the feasibility of implementation,” as well as provide resources to support compliance.
While indicating its support for many of the changes, along with the added clarity and specificity in the proposed rule, the HIMSS EHR Association echoes concerns with OCR’s cost analysis in its comment letter. It notes that in summarizing the estimated costs that regulated entities and plan sponsors would incur in the first year of implementing the proposed regulatory changes, the department “fails to account for the substantial time and cost required for EHR developers to develop and implement the necessary technology to enable these functionalities.”
The EHR Association provided its own analysis showing compliance would require 12,572 hours, or over 314 person-weeks, in addition to OCR’s estimates for regulated entities and urged OCR “to factor in this significant burden when determining compliance timelines and requirements to ensure that EHR developers can effectively meet expectations without disrupting essential health IT services.”
— ESG
References
1. Alder S. Healthcare data breach statistics. HIPAA Journal website. https://www.hipaajournal.com/healthcare-data-breach-statistics/. Updated April 17, 2025. Accessed April 4, 2025.
2. Johnson L. 190 million individuals affected by Change Healthcare data breach. HIPAA Guide website. https://www.hipaaguide.net/change-healthcare-data-breach/. Published January 24, 2025. Accessed April 4, 2025.
3. United States Department of Health and Human Services, Office for Civil Rights. HIPAA security rule to strengthen the cybersecurity of electronic protected health information. Federal Register. https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information#h-10. Published January 6, 2025.
4. Kansas Hospital Association. Financial stability resources. Kansas Hospital Association website. www.kha-net.org/CriticalIssues/FinancialStability/FinanceResources/d168369.aspx?type=view. Accessed April 29, 2025.
5. CHIME-led stakeholder letter to Trump Administration: HIPAA proposal rescission. College of Healthcare Information Management Executives website. https://chimecentral.org/resource-post/chime-led-stakeholder-letter-trump-administration-hipaa-proposal-rescission. Published February 17, 2025. Accessed April 4, 2025.