2025 HIPAA Security Updates: What Healthcare Organizations Need to Know
Cyberattacks are hitting healthcare harder than ever. With patient safety and sensitive data on the line, the new proposed HIPAA Security Rule updates are a bold call to action: resilience over excuses.
Proposed updates to the Security Rule aim to strengthen the protection of electronic protected health information (ePHI). For years, healthcare organizations have struggled to follow cybersecurity guidance. Many have left critical gaps in their defenses.
Now, the Office for Civil Rights (OCR) is calling for a stronger, clearer approach to secure the nation’s healthcare systems. The message? It’s time to prioritize action over intention.
Here’s a breakdown of what the proposed changes mean and how healthcare providers can prepare.
The 3 biggest proposed HIPAA security changes
The new HIPAA proposals aren’t just small changes to the existing Security Rule. They’re game-changers for healthcare cybersecurity. Here are the three biggest shifts every healthcare organization needs to prepare for now.
1. Moving from a prevention to resilience mindset
One big change in the proposed updates is the shift from focusing only on security to focusing on cyber resilience.
It’s not enough to keep threats out — you need to be prepared to contain attacks and reduce their impact. Healthcare organizations are critical infrastructure, and any disruption to their operations can be catastrophic. They must be able to recover quickly when attacks happen.
As the proposal explains, “Regulated entities must consider how their security measures support resilience in the face of an adverse event.”
This is a powerful shift in thinking. Healthcare organizations are being asked to build systems that can adapt and recover during crises.
The new requirements mean that cyber resilience isn’t just a bonus. It’s essential for protecting patients, data, and operations in today’s threat landscape.
2. Building customized, risk-based cybersecurity
Another key update is the move to a risk-based security approach.
Instead of treating all risks the same, organizations must evaluate their specific threats and focus on addressing the most critical ones.
The draft rule states, “Entities must reduce risks to their ePHI to a level that is reasonable and appropriate for their specific circumstances.”
This approach recognizes that not all healthcare organizations are the same. A large hospital network has different risks than a small clinic. By tailoring security efforts to their unique situations, providers can ensure their defenses are both effective and efficient.
3. Tackling security for legacy devices
One of the toughest challenges for healthcare organizations is dealing with outdated medical devices. These legacy systems often lack modern security features, leaving networks vulnerable to attack.
The new proposal doesn’t sugarcoat this issue. The draft acknowledges, “Some regulated entities may incur costs for replacing legacy medical devices that cannot be reasonably protected against current threats.”
While necessary, these updates could strain small and rural providers with limited budgets. But ignoring the problem isn’t an option. Cyberattacks targeting vulnerable devices could cost even more in the long run.
HIPAA’s proposed technical requirements for healthcare cybersecurity
The proposed updates aren’t just about broad ideas. They include specific actions healthcare organizations must take to improve security:
- Incident response: Organizations must create and test incident response plans regularly to ensure they’re ready for potential cyber events.
- Supply chain security: Providers need to assess risks in their business partners and supply chains to address third-party vulnerabilities.
The draft also highlights technical requirements, making them mandatory instead of optional:
- Vulnerability mitigation
- Encryption
- Multi-factor authentication (MFA)
- Data backup and recovery
- Restricting open ports
- Segmentation
Segmentation, in particular, is worth noting. While it’s been considered best practice for years, it’s now becoming a compliance and insurance requirement.
Why microsegmentation matters now for healthcare
The draft mentions network segmentation, but healthcare organizations should take it a step further with microsegmentation.
Microsegmentation breaks networks into smaller, isolated zones. This limits how far an attacker who breaches one system can move to others on the network, a tactic known as lateral movement.
Unlike traditional segmentation, which relies on perimeter defenses, microsegmentation works at a granular level. It can stop threats from spreading while maintaining normal operations. For healthcare providers, this means fewer disruptions and stronger protection for sensitive data.
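To make the difference concrete, here is an added example (not code from the original post or from Illumio) that models a tiny clinic network and measures the "blast radius" of a compromised workstation under three policies: a flat network, zone-based perimeter segmentation, and a default-deny microsegmentation allowlist. Every workload name, label, port and rule is constructed for illustration, and the model assumes that any allowed network connection is a path an attacker could use to pivot. It also shows how the same allowlist ringfences a legacy medical device that cannot be patched, which ties back to the legacy-device discussion above.

```python
"""Added example (not from the original post): a small reachability model that
shows how microsegmentation shrinks the blast radius of a compromised host.

All workload names, labels, ports and rules below are constructed for
illustration. Assumption: any allowed connection is a usable pivot path.
"""
from collections import deque

# Constructed inventory: name -> (role, network zone)
WORKLOADS = {
    "ws-nurse-01": ("workstation", "clinical"),
    "ws-nurse-02": ("workstation", "clinical"),
    "mri-legacy":  ("medical-device", "clinical"),  # legacy device, cannot be patched
    "ehr-app":     ("app", "datacenter"),
    "ehr-db":      ("database", "datacenter"),
    "backup-srv":  ("backup", "datacenter"),
}

# Constructed set of flows the clinic actually needs: (src role, dst role, port)
REQUIRED_FLOWS = {
    ("workstation", "app", 443),
    ("app", "database", 5432),
    ("medical-device", "app", 443),
    ("backup", "database", 5432),
}

# Ports an intruder might try to pivot over (constructed)
PORTS = (22, 443, 445, 3389, 5432)


def flat_policy(src, dst, port):
    """No segmentation: any workload can reach any other on any port."""
    return True


def zone_policy(src, dst, port):
    """Perimeter / VLAN segmentation: free movement inside a zone; only the
    required flows may cross a zone boundary."""
    src_role, src_zone = WORKLOADS[src]
    dst_role, dst_zone = WORKLOADS[dst]
    if src_zone == dst_zone:
        return True
    return (src_role, dst_role, port) in REQUIRED_FLOWS


def micro_policy(src, dst, port):
    """Microsegmentation: default deny between every pair of workloads; only
    explicitly required role-to-role flows are allowed, regardless of zone."""
    src_role, _ = WORKLOADS[src]
    dst_role, _ = WORKLOADS[dst]
    return (src_role, dst_role, port) in REQUIRED_FLOWS


def blast_radius(compromised, policy):
    """Return the set of workloads reachable from `compromised` by chaining
    allowed connections (lateral movement), excluding the starting host."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for dst in WORKLOADS:
            if dst in seen:
                continue
            if any(policy(src, dst, p) for p in PORTS):
                seen.add(dst)
                queue.append(dst)
    seen.discard(compromised)
    return seen


def compare(compromised):
    """Blast radius of one compromised host under each of the three policies."""
    policies = (("flat", flat_policy), ("zone", zone_policy), ("micro", micro_policy))
    return {name: sorted(blast_radius(compromised, pol)) for name, pol in policies}


if __name__ == "__main__":
    for name, reach in compare("ws-nurse-01").items():
        print(f"{name:>5}: {len(reach)} hosts reachable -> {reach}")
```

Running it with `ws-nurse-01` compromised, the flat and zone policies both expose all five other hosts: under zone segmentation the intruder crosses into the datacenter through the one permitted path to `ehr-app` and then moves freely inside that zone, which is exactly the perimeter weakness described above. Under the microsegmentation allowlist the same intruder can reach only `ehr-app` and, via the app tier, `ehr-db`; the second workstation, the backup server and the legacy MRI device are never reachable, and a compromised database has no outbound path at all.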
At Illumio, we’ve seen how microsegmentation transforms security strategies. It’s not just about meeting regulations — it’s about creating a proactive defense system that’s ready for new threats and resilient when an attack happens.
What’s next for healthcare cybersecurity?
The proposed HIPAA updates are more than regulatory tweaks — they’re a wake-up call for the healthcare industry. Healthcare organizations must move beyond outdated practices and adopt a forward-thinking approach to cybersecurity.
Resilience is no longer optional; it’s a necessity.
These changes won’t be easy. Implementing them will require time, money, and a shift in mindset. But the cost of inaction is far higher. Cyberattacks are becoming more sophisticated, and the stakes are too high to ignore.
Healthcare organizations should see these updates as an opportunity, not a burden. By investing in resilience and adopting best practices like microsegmentation, they can build a stronger, more secure future.
The organizations that rise to this challenge will be better prepared for the threats of tomorrow — and will gain the trust of their patients and partners in the process.
Read our guide on how the Illumio Zero Trust Segmentation Platform can help you meet new HIPAA security requirements.