HIPAA is Changing: Is Your Healthcare Compliance Program Ready?

Preparing for HIPAA Compliance Changes

When we surveyed executives and IT leaders for our 2025 Healthcare IT Landscape report, they were candid: more than half (52%) admitted that maintaining compliance with strict data privacy and protection regulations is a significant business challenge, and 60% said their biggest roadblock is staying up to date on evolving regulations.

With likely changes coming to the HIPAA Security Rule in the near future, it’s time for leaders to evaluate their readiness and take a closer look at healthcare cybersecurity controls and processes that may need to be implemented or enhanced to meet new compliance standards.

What’s Changing: Proposed HIPAA Security Rule Updates

Published in January 2025, the proposed changes to the HIPAA Security Rule would require regulated entities (covered entities and their business associates) to raise the bar across several focus areas, including technical safeguards, visibility and risk analysis, documentation and vendor oversight.

Here are some of the most significant and critical proposed changes to HIPAA:

1. Mandatory Multi-Factor Authentication (MFA)

The current rule labels each implementation specification as either “required” or “addressable” (the latter allows flexibility in deciding whether the measure is reasonable and appropriate for a given organization, and documenting why). Under the proposed changes, MFA would become a required safeguard for all regulated entities, with limited exceptions.

2. Mandatory Encryption of ePHI at Rest and in Transit

Similarly, the proposed rule would require encryption of ePHI both at rest and in transit for all regulated entities, with limited exceptions.

3. Stronger Risk Analysis & Vulnerability Assessment Practices

Proposed changes would set more specific requirements for an organization’s risk analysis, including review of a newly required technology asset inventory and network map. Vulnerability scanning of IT environments would be required at least every six months, and penetration testing at least every 12 months.

4. Written Incident Response Procedures & Testing

The proposed rule outlines more explicit requirements for documenting, reviewing and testing formal incident response plans (IRPs), including a requirement that procedures target restoring affected systems and data within 72 hours.

5. Greater Focus on Vendor Oversight and Compliance

Several areas of the proposal focus on vendor management practices. If implemented, the new rule would require business associates (e.g. third-party vendors and contractors) to verify annually, in writing, that they have the required security safeguards in place. Other provisions address how covered entities handle access controls, inventory management and incident notification for vendors and service providers.

Perception vs. Reality: What Our Survey Revealed About HIPAA Compliance Readiness

One of the most glaring observations from our recent healthcare survey was what appears to be a significant gap between perception and reality when it comes to healthcare security and compliance.

Consider this: 81% of leaders surveyed said they are prepared for potential changes to HIPAA compliance, but:

  • More than half (54%) are using manual, in-house processes to manage compliance
  • Only 45% have successfully implemented MFA
  • Only 50% perform vulnerability scans at least every six months
  • 41% are not yet encrypting data at rest and in transit

These numbers don’t show preparedness – they highlight a meaningful gap that healthcare companies will need to narrow in order to ensure compliance with future HIPAA updates.

HIPAA Compliance Management: Manual vs. Automated Processes

When it comes to actually managing the compliance process – implementing necessary controls, performing assessments, gathering documentation, etc. – there’s a clear divide in strategy among today’s healthcare organizations.

For companies still reliant on in-house, manual processes (think: spreadsheets), HIPAA compliance management will only continue to increase in complexity as new standards are adopted. And an inherent lack of visibility coupled with inefficient evidence collection and benchmarking capabilities is a recipe not only for a mismanaged process, but ultimately for noncompliance.

Managed compliance platforms, on the other hand, can integrate sophisticated toolsets, enhance documentation gathering and even automate task management to support a more streamlined and efficient compliance audit and assessment process. Our survey respondents said these features of a compliance platform would be most beneficial:

  • Data discovery and classification (59%)
  • Security control benchmarking, progress reporting and task management (50%)
  • Organized document management (46%)
  • Automated evidence collection (35%)

How to Start Preparing for New HIPAA Changes

If your organization is a covered entity or business associate under HIPAA, the time to start preparing for potential Security Rule changes is now. The list below is not comprehensive, but it outlines initial actions your company can take to position itself for future compliance.

Determine current use of key technical safeguards proposed. At first glance, do you know how many security controls or processes you don’t have enabled? Take inventory of your current practices so you know where to focus your implementation efforts in the coming months. A few areas to review:

  • Use of multi-factor authentication (MFA)
  • Use of data encryption at rest and in transit
  • Use of anti-malware protection
  • Use of network segmentation
  • Use and timeliness of patch management
  • Use and frequency of vulnerability scans and penetration tests
  • Status of incident response plan

Conduct a HIPAA gap assessment specific to the proposed rule. To answer the questions above, it may be worthwhile to undergo a comprehensive gap analysis that measures your current controls against HIPAA’s proposed provisions. A managed compliance partner can work alongside your team to review current controls and future-state needs, and help prioritize remediation of any known gaps or vulnerabilities.

Review your current compliance management process. Especially if you’re one of the 54% of companies using manual compliance processes, this is the perfect time to consider a change. Think about your current process for managing and assessing controls, maintaining documentation, and coordinating with third parties. Do you have the internal resources and bandwidth to scale this process as new requirements go into effect? Consider trialing a managed compliance platform that could streamline the process and alleviate the internal burden on your IT and/or compliance teams.

Research healthcare MSPs and MSSPs to find a good fit. Nearly a quarter of our survey respondents said their internal IT and cybersecurity teams are understaffed, and many (21%) believe they would have difficulty recovering from a security incident due to a lack of security expertise. With difficulty sourcing talent and an increasingly complex threat landscape, now is a good time to consider partnering with a managed service provider (MSP) or managed security service provider (MSSP) to support your internal IT and compliance teams. Healthcare-focused MSPs/MSSPs can assist with implementing HIPAA technical requirements and remediating gaps, and can provide 24x7x365 monitoring and response for security incidents, freeing up your teams’ time to focus on other internal priorities.

Conclusion

The stakes for healthcare companies have never been higher. Healthcare is one of the industries most frequently targeted by cybercriminals, and patient-focused organizations must take specific and sophisticated care to protect not only sensitive health information, but ultimately the lives and well-being of their patients. More than 50% of our survey respondents believe a fatal cyber-related incident is inevitable in the coming years, and the proposed changes to HIPAA requirements are a necessary push toward ensuring organizations properly protect data and patient safety. With regulatory fines, reputational damage and patient trust on the line, the time for comprehensive HIPAA compliance is now.
