HIPAA Security Rule Updates: A Reality Check and Different Approach

New Proposed HIPAA Security Rule Changes are a $3,000 Fairy Tale. Read on for a Better Approach for Healthcare Organizations
What’s Happening

The feds proposed new HIPAA security rules in January 2025 with more prescription, less flexibility, and arguably more pain. Compliance requirements are still pending, but based on typical rule-making timelines, they will likely kick in between May 2026 and February 2027.

A Great Core Message

The security rule boils down to four basic tenets.

  • Know what you have (Asset awareness)
  • Protect it properly (Security controls)
  • Plan for problems (Incident readiness)
  • Make sure the rules are followed (Accountability)

Having ethically hacked into dozens of organizations, I can certainly attest to the importance of these themes above. But the tricky part is how you accomplish those goals and prioritize what gets done.

What They’re Proposing

The Department of Health and Human Services (the Department) has proposed a lengthy rule, but it has ten key requirements, from tracking equipment to backing up data. Briefly, these proposed additions are as follows:

  1. Maintain a technology inventory and map out how patient data moves through systems.
  2. Do more thorough written risk assessments and threat modeling, documenting eight areas of potential security threats to patient data.
  3. Have security incident response plans and be able to restore critical systems within 72 hours. Business associates must notify covered entities of breaches.
  4. Providers must verify annually that business associates handling patient data follow proper security measures with written verification.
  5. Critical security updates must be installed within 15 days.
  6. More rules are being set for managing employee access to patient data, including quickly removing access when employees leave and their roles change.
  7. Organizations must do yearly audits to ensure they follow all security rules.
  8. All security policies and procedures must be documented in writing and reviewed annually.
  9. Organizations must have clear written policies about consequences for employees who break security rules.
  10. New mandatory security measures include encryption, two-factor authentication, network security testing, anti-malware protection, and regular backups of patient data.

These sound reasonable, as much of it is basic cyber hygiene. But gone is the flexible approach. It’s also a one-size-fits-all approach that applies equally to a 10-provider vision clinic and a 1000-bed hospital system.

Fantasy Costs

According to the rule, implementing all this will take you just 23 hours and cost under $3,000 for most small to mid-sized providers.

And yes, perhaps if we wait long enough, AI-augmented robots, people, and technology will help make that a reality.

But looking at realistic industry average costs and rates for this type of work, initial implementation will likely cost 10-20x that estimate, with annual costs running 5-10x their projections.

I value the privacy of my health information, but healthcare costs are already astronomical, and this will not help.

A Better Approach

Knowing that even major organizations with massive security budgets still get breached, we can see that throwing money at compliance and documentation isn’t a cure-all. A better approach is practical risk reduction that meets compliance requirements while driving down the actual likelihood of a breach.

The Department should keep its flexible risk-based approach, outlining addressable security fundamentals with increased assurance verification and monitoring as an organization handles increasingly sensitive data. For example, a baseline set of non-negotiable controls required of all organizations, with additional controls layered on as the sensitivity of the data rises.

Non-Negotiables

  • Multi-factor authentication on publicly accessible health portals
    • Why? If it’s publicly accessible, the likelihood of an attack is significantly higher.
  • Business-grade anti-malware protection
    • Why? Built-in antivirus is sufficient for many use cases but not a determined attacker targeting health data.
  • Encourage automatic patching on risky workstations and servers
    • Why? Many compromises occur simply because the vulnerability hasn’t been patched. Make it occur automatically.
  • Mandatory restriction on storing unsecured passwords in files
    • Why? This is one of the primary ways organizations are compromised, and security software won’t protect against this.
  • Encrypted backups of patient data (if you’re not using a hosted medical records system)
    • Why? When databases are inevitably stolen, that data should be difficult or impossible to recover.
  • Basic incident response plan with required reporting for data theft
    • Why? Individuals have a right to know if their data has been compromised, and businesses should know their reporting obligations.
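The "no unsecured passwords in files" control above is one an IT provider can actually check for rather than just attest to. The following Python scanner is an added example, not code from the original article or any vendor product; its regex patterns, placeholder list, and the sample file contents are all constructed for illustration, and a real deployment would tune the patterns to the environment and review every hit by hand before acting on it.

```python
"""
Added example (not from the original article): a small defensive scanner that
flags text files that appear to hold clear-text credentials, the article's
"unsecured passwords in files" non-negotiable. Patterns, placeholder list and
sample file contents are constructed for illustration; tune them locally.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Indicators that a line holds a credential in clear text. Group 1, where
# present, captures the candidate secret so placeholders can be skipped.
# This is a hypothetical starting set, not an exhaustive one.
CREDENTIAL_PATTERNS = [
    ("key=value password",
     re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*(\S+)")),
    ("URL with embedded password",
     re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@")),
    ("private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Values that documentation and templates commonly use; not real secrets.
PLACEHOLDERS = {"changeme", "<redacted>", "xxxxxxxx", "${password}", "password"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    label: str


def _is_placeholder(value: str) -> bool:
    return value.strip().strip("'\"").lower() in PLACEHOLDERS


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that looks like it holds a clear-text credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group(1) if match.lastindex else None
            if value is not None and _is_placeholder(value):
                continue  # documented placeholder, not a stored secret
            findings.append(Finding(path, line_no, label))
            break  # one report per line is enough for triage
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory mapping of path -> contents (used for the sample below)."""
    results: list[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def scan_directory(root: str) -> list[Finding]:
    """Walk a directory tree and scan every readable file as UTF-8 text."""
    results: list[Finding] = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            results.extend(scan_text(str(p), p.read_text(encoding="utf-8", errors="ignore")))
        except OSError:
            continue  # unreadable file; report separately if that matters to you
    return results


# Constructed sample "files" for a stand-alone run. Nothing here is real.
SAMPLE_FILES = {
    "notes.txt": "Remember to call the lab.\nEMR login: user=jdoe password=Winter2024!\n",
    "db.cfg": "host=db.internal\nuser=app\npassword=changeme\n",
    "backup.sh": "#!/bin/sh\nmysqldump mysql://app:s3cret@db.internal/emr > emr.sql\n",
    "id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n"
                  "-----END OPENSSH PRIVATE KEY-----\n",
    "readme.txt": "Passwords live in the password manager, never in files.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.label}")
```

Running the block as a script reports three hits (the notes file, the backup script, and the private key) and stays quiet on the config file whose value is the placeholder `changeme` and on the readme that merely mentions passwords. Point `scan_directory` at a shared drive or home directories to get the same report over real files.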

And security requirements should scale primarily with data sensitivity, not organizational size. Arguably, a small mental health practice needs stronger security controls than a large vision center.

Tier 1 - Basic Health Data

For example, if you only process and store basic contact information and less sensitive health information, such as a vision prescription and basic vitals, you focus on the non-negotiables and access controls.

Tier 2 - Sensitive Health Data

For example, primary care provider records, Social Security numbers, imaging, and labs. Now you add more technical restrictions: strict network segmentation, identity provider controls, logging, and regular penetration testing.

Tier 3 - Highly Sensitive

For example, mental health records, medications, and genetics data. Now you add YubiKeys (FIDO2 hardware authenticators), increased monitoring and alerting, and access reviews with strict data handling requirements.

[Figure: A tiered approach to protecting health data]

Offboard your Risk

Just as very few organizations manage their own mail servers and infrastructure anymore, relying on highly robust vendors and teams to do this for them, most organizations should rely on robust web-based health record solutions with hardware-based authentication requirements.

Arguably, most practices are using dedicated software to manage health data. However, you take on significant technical risk if you manage the systems and databases on-site. For most small or mid-sized providers, it should be cost-effective to use a vendor’s solution (and avoid some of the Security Rule requirements, such as encrypted backups, since the vendor should take on that risk).

Use a Risk-Based Approach Today

Your practice can adopt this risk-based approach to technology controls today. Granted, the existing HIPAA Security Rule doesn’t necessarily allow for this exact approach, but its current implementation does allow for an addressable approach and compensating controls.

Essential Questions for Your IT Provider

Lastly, many small providers think "my IT company is HIPAA compliant, so I'm covered." That's like saying "my accountant follows tax laws, so I don't need to worry about my taxes." Your managed service provider being compliant with HIPAA as a business associate is separate from them actively managing your organization’s compliance program. Here are a few questions to help determine whether you need to take additional action.

  1. "How are you helping us meet each HIPAA security requirement?"
  2. "Can you show me our current risk assessment?"
  3. "Where's our asset inventory and data flow map?"
  4. "What's our incident response plan?"
  5. "How are you documenting our security measures?"

If they can't answer these clearly, they might be "HIPAA compliant" themselves but not actively managing your compliance program.

Bottom Line

It’s better to have widespread adoption of good security practices than perfect security, which only the largest organizations have the time and resources to achieve. The government's asking for feedback - let's hope they listen to what actually works in the real world.
