
Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration

Created by ChatGPT

Understanding the 2025 HIPAA Security Rule Proposal: Key Changes and Implications

February 17, 2025

In January 2025 I put together a presentation on the proposed changes to the HIPAA Security Rule. You can view the live recording on the ExplorSec YouTube channel. With Valentine's Day recently passing, I thought this would be a good time for a blog post on the proposals for the HIPAA Security Rule. Below is a ChatGPT-generated blog post using the transcript from that session that I've reviewed and edited.

The U.S. Department of Health and Human Services (HHS) recently proposed updates to the HIPAA Security Rule, aiming to enhance the cybersecurity resilience of healthcare organizations. These changes are in response to the evolving threat landscape, rising breach costs, and the need for stronger regulatory oversight. Let’s explore the proposal, its timeline, and the most significant updates impacting the healthcare industry. The proposal can be viewed at this link: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html

Why the Change?

HIPAA, originally enacted in 1996, has undergone several updates, with the most recent in 2013. However, with data breaches in healthcare rising sharply, the government is taking action. The cost of healthcare breaches has surged by 50% since 2020, with an average breach costing $10.1 million per organization. Additionally, cybercriminals continue to target healthcare organizations despite previous claims that they would avoid them. In 2023 alone, the FBI received 250 ransomware reports from healthcare organizations—the most of any industry.

Proposed Timeline

  • January 6, 2024: Proposal released

  • March 7, 2024: Public comment period closes

  • Spring 2025: HHS reviews comments and finalizes the rule

  • 2026: Full compliance expected for specific requirements

Organizations have an opportunity to provide feedback before implementation, making this a crucial period for healthcare entities to review the proposed changes and assess their impact.

Key Changes in the HIPAA Security Rule Proposal

Revised Terminology and Definitions

Several terms are being modified or newly defined to eliminate ambiguity and prevent misinterpretations that have historically allowed organizations to circumvent security requirements. Notable changes include:

  • Security Measures: Clarified to apply to both systems and information.

  • Technical Controls & Safeguards: Expanded definitions to include firmware and hardware components.

  • User Definitions: Adjusted to remove ambiguity between human users and system entities.

  • Addressable and Reasonable & Appropriate Requirements: Refined to ensure organizations do not misinterpret them as optional.

Asset Inventory and Risk Analysis

One of the most critical updates is the requirement for a comprehensive asset inventory of all technical assets that create, receive, maintain, or transmit electronic protected health information (ePHI). Organizations must:

  • Maintain a written inventory including device IDs, software versions, responsible personnel, and locations.

  • Conduct annual risk analyses aligned with NIST cybersecurity standards.

  • Update network maps to track ePHI movement and access points.

Patch Management Requirements

For the first time, HIPAA is setting explicit timelines for patch management:

  • Critical vulnerabilities must be patched within 15 days.

  • High vulnerabilities must be patched within 30 days.

  • Organizations must document any exceptions and review them annually.
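The 15-day and 30-day timelines above, together with the annual review of documented exceptions, are easy to state but harder to track across a full asset inventory. The following is an added example (it is not from the original post, HHS, or any HIPAA tooling) showing how a compliance team could evaluate a vulnerability tracker export against those deadlines. The `Finding` schema, the asset and vulnerability identifiers, and the sample data are all constructed for illustration; the exception-review window is assumed to be 365 days from the last documented review.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch deadlines from the proposal: critical within 15 days, high within 30.
# Lower severities are not given a deadline in the proposal, so they are only reported.
SLA_DAYS = {"critical": 15, "high": 30}
EXCEPTION_REVIEW_DAYS = 365  # exceptions must be reviewed annually (assumed: counted from last review)


@dataclass
class Finding:
    """One vulnerability observed on one inventoried asset (constructed schema)."""
    asset_id: str                    # device ID from the written asset inventory
    vuln_id: str                     # tracker ID; placeholder values in the sample below
    severity: str                    # "critical", "high", "medium", ...
    discovered: date
    patched: Optional[date] = None
    exception: Optional[str] = None  # documented reason the patch was deferred
    exception_reviewed: Optional[date] = None


def deadline(f: Finding) -> Optional[date]:
    """Date by which the finding must be patched, or None if no SLA applies."""
    days = SLA_DAYS.get(f.severity.lower())
    return None if days is None else f.discovered + timedelta(days=days)


def classify(f: Finding, today: date) -> str:
    """Classify a single finding against the proposed timelines.

    Returns one of:
      "no_sla"               - severity has no mandated deadline
      "patched_on_time"      - patched on or before the deadline
      "patched_late"         - patched, but after the deadline
      "excepted"             - unpatched, with a documented and current exception
      "exception_review_due" - unpatched, exception not reviewed within a year
      "overdue"              - unpatched, past deadline, no exception
      "open"                 - unpatched, still within the deadline
    """
    due = deadline(f)
    if due is None:
        return "no_sla"
    if f.patched is not None:
        return "patched_on_time" if f.patched <= due else "patched_late"
    if f.exception:
        reviewed = f.exception_reviewed or f.discovered
        if (today - reviewed).days > EXCEPTION_REVIEW_DAYS:
            return "exception_review_due"
        return "excepted"
    return "overdue" if today > due else "open"


def report(findings, today):
    """Group asset:vuln pairs by status so overdue items and stale exceptions stand out."""
    groups = {}
    for f in findings:
        groups.setdefault(classify(f, today), []).append(f"{f.asset_id}:{f.vuln_id}")
    return groups


# Constructed sample data; asset and vulnerability IDs are placeholders, not real identifiers.
AS_OF = date(2025, 2, 17)
SAMPLE = [
    Finding("WS-0001", "VULN-001", "critical", date(2025, 1, 10), patched=date(2025, 1, 20)),
    Finding("SRV-0042", "VULN-002", "critical", date(2025, 1, 10), patched=date(2025, 2, 10)),
    Finding("SRV-0042", "VULN-003", "high", date(2025, 1, 5)),
    Finding("INF-0007", "VULN-004", "high", date(2024, 1, 5),
            exception="Infusion pump; vendor patch pending", exception_reviewed=date(2024, 1, 5)),
    Finding("INF-0008", "VULN-005", "critical", date(2025, 2, 1),
            exception="Vendor patch scheduled", exception_reviewed=date(2025, 2, 1)),
    Finding("WS-0002", "VULN-006", "medium", date(2025, 2, 1)),
    Finding("WS-0003", "VULN-007", "high", date(2025, 2, 10)),
]

if __name__ == "__main__":
    for status, items in sorted(report(SAMPLE, AS_OF).items()):
        print(f"{status:22s} {', '.join(items)}")
```

Run against the sample data, the report separates the late critical patch on SRV-0042 from the overdue high finding on the same server, and flags the infusion-pump exception whose last documented review is more than a year old, which is exactly the evidence an auditor would ask for under the proposed rule.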

Workforce Security and Training Enhancements

Organizations must establish stronger internal security measures, including:

  • Mandatory security training for new hires within 30 days.

  • Job description reviews to align role-based access controls with actual job functions.

  • Regular cybersecurity performance goals for employees, focusing on increasing phishing report rates and improving security awareness.

  • Security training on new technology implementations, such as new systems that handle electronic health records (EHRs).

Strengthened Physical and Technical Safeguards

The proposal mandates that organizations demonstrate operational enforcement of security policies rather than relying solely on documentation. This includes:

  • Mandatory encryption of ePHI at rest and in transit.

  • Elimination of default passwords for all devices.

  • Multi-Factor Authentication (MFA) requirements (with exceptions for FDA-approved medical devices).

  • Stricter controls for legacy systems, including the requirement that manufacturers must still provide security updates; otherwise, organizations must replace outdated systems.

Business Associate Agreements (BAA)

Healthcare organizations rely on third-party vendors to handle sensitive patient data, and the proposal introduces stricter rules around vendor agreements:

  • Vendors must report security incidents within 24 hours of detection.

  • Organizations will have up to one year to update contracts.

  • New requirements will apply to healthcare plan sponsors, who previously were not subject to the same security obligations.

Addressing Emerging Technologies

The proposal acknowledges the impact of new technologies in healthcare, requiring organizations to assess and prepare for:

  • Quantum Computing: Organizations must develop a roadmap for quantum-resistant encryption.

  • Artificial Intelligence (AI): Organizations must inventory AI use cases and assess associated security risks.

  • Virtual Reality (VR) in Healthcare: VR devices must comply with access management, patch management, and risk management protocols.

Financial Impact and Justification

The estimated cost for implementing these new security controls across all healthcare organizations is $6.8 billion annually. However, HHS argues that if these measures reduce healthcare breaches by 7-16%, they will effectively pay for themselves. For individual organizations, first-year compliance costs are estimated at $4.65 million, but with healthcare breaches averaging $10.95 million in damages per incident, the investment is likely to yield significant long-term savings.

What’s Next?

The proposed HIPAA Security Rule updates aim to close loopholes, modernize security requirements, and enforce stricter compliance. Healthcare organizations should begin:

  • Reviewing their current security policies, training programs, and technical safeguards.

  • Assessing their vendor contracts and business associate agreements.

  • Engaging with industry groups or submitting public comments before the March 7 deadline.

For additional details on the HIPAA Security Rule proposal and how to submit public comments, visit the official HHS website.

What are your thoughts on the proposed changes? Let us know in the comments below!

Categories: Opinion, News. Tags: Healthcare, HIPAA, GRC

Free security policy templates available for download

December 13, 2023

When I started up this website last summer, one of the first things I was asked about was creating security policies for a company that didn't have any. I thought it would be a good opportunity to try out ChatGPT, and the results were very exciting. Within a couple of hours I had ten policies for a small business that needed them as part of a security review. I had them review and then sign them.

ChatGPT provided me the first draft, and then I edited and customized it to the company. For large companies this isn't a big deal, but for small companies that need security policies this is a good first step. I've decided to release the templates I made on my website. Feel free to provide any feedback in the comment section below.

As I’ve written before, I think AI is going to have a huge impact on society similar to computers or mobile phones. Specifically, in the security space it will impact anyone that creates documents like policies.

You can click the link below to access the policies for download. If you need help with your policies or need other consulting services click the contact link below and fill out the form.

This blog post first appeared on Exploring Information Security.

Security Policies
Contact



Categories: Product. Tags: security policies, GRC

Latest Podcasts

  • Oct 14, 2025: Exploring AI, APIs, and the Social Engineering of LLMs

  • Oct 7, 2025: How to Prepare a Presentation for a Cybersecurity Conference

  • Sep 23, 2025: Exploring the Rogue AI Agent Threat with Sam Chehab

  • Sep 16, 2025: A conversation with Kyle Andrus on Info Stealers and Supply Chain Attacks

  • Sep 9, 2025: The Winding Path to CISO: Rob Fuller's Leadership Journey

  • Sep 2, 2025: Kate Johnson's Winding Path to a Director Role in Cybersecurity

  • Aug 26, 2025: LIVE: Unraveling the SharePoint Zero-Day Exploit (CVE-2025-53770)

  • Aug 19, 2025: How to Launch Your Own Cybersecurity Podcast

  • Aug 12, 2025: How BSides St Louis Can Help Take The Next Step in Cybersecurity

  • Aug 5, 2025: [RERELEASE] What it's like in the SECTF sound booth
