U.S. health department proposes major HIPAA overhaul to strengthen cybersecurity

WASHINGTON D.C., UNITED STATES — The U.S. Department of Health and Human Services (HHS) recently unveiled a proposed update to the HIPAA Security Rule, marking the first significant revision since 2013.
The proposal, released by the Office for Civil Rights (OCR), aims to address the growing wave of cyberattacks and data breaches targeting the healthcare sector by strengthening protections for electronic protected health information (ePHI).
The changes are designed to clarify existing requirements and provide healthcare organizations worldwide that handle American patient data with more prescriptive guidance on cybersecurity practices.
According to OCR, reports of large breaches increased by over 100% from 2018 to 2023, while the number of individuals affected surged by over 1,000%.
Critical security measures for healthcare providers
The proposed rule introduces several mandatory measures to enhance cybersecurity:
- Technology inventory and network mapping: Organizations must create and annually update a detailed inventory of technology assets and a network map showing ePHI movement.
- Risk analysis: Entities must conduct written reviews of potential vulnerabilities tied to their systems.
- Multi-factor authentication (MFA): MFA would be required for system access, with limited exceptions.
- Vulnerability scanning and penetration testing: Systems must be scanned for vulnerabilities every six months, with annual penetration testing to assess security defenses.
OCR Director Melanie Fontes Rainer emphasized the urgency of these updates, citing the “rampant escalation in ransomware and hacking” as a direct threat to patient safety. She also pointed to the Change Healthcare breach—the largest in U.S. healthcare history—as evidence of the sector’s vulnerability.
Addressing cybersecurity gaps in healthcare
The proposal seeks to tackle common compliance deficiencies observed during OCR investigations. Regulators noted that some organizations misinterpret certain HIPAA requirements as optional, leading to inconsistent implementation of safeguards.
The updated rule would eliminate distinctions between “required” and “addressable” specifications, making all provisions mandatory unless explicitly exempted.
Part of a broader cybersecurity initiative
This update aligns with the Biden Administration’s 2023 National Cybersecurity Strategy and HHS’s broader efforts to fortify healthcare cybersecurity. In late 2023, HHS introduced voluntary cybersecurity goals and outlined plans for stricter hospital requirements under Medicare and Medicaid programs.
Additionally, lawmakers such as Senators Ron Wyden and Mark Warner have proposed legislation directing HHS to establish minimum cybersecurity standards while providing financial support to hospitals for implementation.
Economic impact of compliance
HHS estimates that implementing these changes will cost $9 billion in the first year and $6 billion annually over the following four years. However, officials argue that reducing breaches by even 7% could offset these costs, making the revisions economically viable.
If finalized, these updates could significantly enhance protections for sensitive patient data amid an increasingly hostile cyber landscape.