Careers Contact Us Portal
Careers Contact Us Portal
Careers Contact Us Portal

The HIPAA Security Rule Update Is Coming: From “Trust Us” to “Show Us”

The HIPAA Security Rule Update Is Coming: From “Trust Us” to “Show Us”

For more than two decades, the HIPAA Security Rule has served as a foundation for healthcare cybersecurity. It established the baseline for how covered entities and business associates protect electronic protected health information, or ePHI. But the threat landscape has changed dramatically since the Rule’s last meaningful refresh. Ransomware, third-party risk, cloud adoption, connected medical devices, remote work, and increasingly complex healthcare IT environments have all changed the way patient data must be protected.

Now, the industry is facing a proposed update that reflects that reality.

The proposed modifications to the HIPAA Security Rule represent a meaningful shift in cybersecurity expectations across healthcare. Providers, payers, vendors, and business associates will all feel the impact. But this is not a moment to panic. It is a moment to plan.

And for organizations that approach it deliberately, the path forward is manageable.

From “Trust Us” to “Show Us”

If there is one phrase that captures the spirit of the proposed changes, it is this: healthcare cybersecurity is moving from “trust us” to “show us.”

For years, the Security Rule gave organizations significant flexibility in how they implemented safeguards. That flexibility made sense. A large health system, a rural hospital, a specialty clinic, and a business associate all have different resources, architectures, and risk profiles.

But flexibility also created variability.

In many cases, compliance relied heavily on attestation. Trust that the right controls were in place. Trust that policies matched actual practice. Trust that systems were being monitored, patched, tested, segmented, backed up, and protected in the way the documentation suggested.

The proposed Rule moves the center of gravity toward evidence.

Specific technical and operational expectations are being brought forward more clearly, including encryption of ePHI at rest and in transit, multi-factor authentication, network segmentation, anti-malware protections, vulnerability scanning, penetration testing, compliance audits, asset inventories, ePHI network mapping, business associate verification, and written restoration procedures with a 72-hour restoration target for certain systems and data.

The expectation is no longer simply that security controls exist. The expectation is that organizations can demonstrate they exist, show how they are managed, and provide evidence that they are tested.

That is a healthy evolution for healthcare.

It gives organizations a clearer target. It gives regulators, partners, and customers a more consistent yardstick. Most importantly, it acknowledges that healthcare data, clinical operations, and patient care deserve an evidence-based security model.

Most of This Reflects Recognized Best Practice

It is worth saying plainly: much of what is being proposed is not new from a cybersecurity best-practice perspective.

Encryption, MFA, segmentation, current asset inventories, mapped data flows, vulnerability management, tested backups, third-party oversight, and formal risk analysis are already common expectations across recognized security frameworks and mature healthcare security programs.

The proposed Rule is largely formalizing what the broader security community has been moving toward for years.

That said, every organization is on its own journey.

Healthcare operates under a unique set of pressures: thin margins, legacy systems, clinical priorities, staffing constraints, capital limitations, vendor dependencies, and environments where downtime can directly impact patient care. For community and rural hospitals in particular, the challenge is not always awareness. Often, the challenge is sequencing, resourcing, and execution.

If your program is not yet where you want it to be across every proposed requirement, you are not alone. Many capable and well-intentioned organizations have areas that are still maturing.

The proposed Rule should not be viewed as a judgment on past decisions. It should be viewed as a forward-looking target that the entire industry will need to work toward.

The better question is not, “How far behind are we?”

The better question is, “Where do we need to be when this Rule becomes final, and what is the most practical path to get there?”

Where Organizations Can Start

Organizations do not need to wait for the final Rule to begin making progress. There are several low-regret steps that strengthen the security program regardless of the final regulatory language.

Start with visibility. Refresh the technology asset inventory and ePHI network map. Understanding where ePHI lives, how it moves, which systems support it, and which third parties interact with it is foundational to everything else.

Modernize the risk analysis. A current, thoughtful risk analysis should capture reasonably anticipated threats, vulnerabilities, likelihood, impact, existing controls, and the operational realities of the environment. It should not be a check-the-box exercise. It should be the tool leadership uses to prioritize investment.

Work toward the core technical controls. Encryption, MFA, segmentation, endpoint protection, patching, vulnerability management, backup validation, and restoration planning are areas where flexibility is narrowing. These are also the areas where early, planned progress is far easier than a last-minute scramble.

Tighten operational cadence. Vulnerability scans, penetration tests, compliance reviews, backup testing, policy reviews, incident response exercises, and restoration procedures all need defined ownership, documented frequency, and evidence.

Strengthen third-party oversight. Business associates and contractors are part of the healthcare risk surface. Annual verification of security measures, stronger BAA language, and a repeatable review process will become increasingly important.

Start With an Impact Assessment

With so many provisions potentially landing at once, it can be tempting to try to do everything immediately. That usually leads to frustration, scattered investment, and unclear priorities.

A better starting point is a structured impact assessment.

An impact assessment maps each proposed requirement against the organization’s current state. It identifies where the program already aligns, where gaps exist, what level of risk those gaps create, and what it would take to close them.

Done well, it answers three critical questions.

First, where are we already aligned?

Second, where are the highest-risk or longest-lead-time gaps?

Third, what will alignment require in terms of dollars, people, tooling, process, and timeline?

That matters because not every gap carries the same risk, and not every requirement takes the same amount of time to address. MFA expansion, network segmentation, asset inventory, backup restoration testing, third-party verification, and documentation maturity may each require different stakeholders, budgets, and implementation paths.

An impact assessment turns a complex regulatory update into a practical roadmap.

It helps leadership make informed decisions. It helps security and IT teams prioritize the work. It helps finance understand the investment. And it gives the organization a defensible, evidence-based plan.

The Bottom Line

The proposed HIPAA Security Rule update is significant, but it is not something healthcare organizations should fear.

It reflects where the industry has already been moving: toward stronger controls, clearer expectations, better documentation, tested recovery, and evidence-based security.

The shift from “trust us” to “show us” is real. But it is also necessary.

Every organization will be at a different point in the journey. That is okay. The opportunity now is to assess honestly, prioritize wisely, and build a roadmap that supports both compliance and resilience.

Start with the assessment. Let risk drive the sequence. Use this time well.

Because in healthcare, cybersecurity is not just about protecting data. It is about protecting the systems, people, and clinical workflows that allow care to continue when it matters most.

 

Mike Donahue
Chief Operating Officer