Proposed HIPAA Changes Aim to Strengthen Healthcare Cybersecurity
As we enter 2025, the U.S. Department of Health and Human Services (HHS) has proposed significant updates to HIPAA. For the first time in over a decade, HHS is focusing on strengthening cybersecurity protections for healthcare data. The main driver is the surge in cyberattacks and notable breaches in 2024: ransomware incidents affecting Change Healthcare and Ascension recently exposed millions of patient records. This update was long overdue and is finally here.
The changes aim to standardize cybersecurity measures across the healthcare industry and to ensure that safeguards such as two-factor authentication, data encryption, and network segmentation are implemented by all healthcare providers. Currently, HIPAA distinguishes between “required” and “addressable” rules, which leaves some security measures effectively optional. The proposed update eliminates this distinction, making all cybersecurity standards mandatory and non-negotiable.
These updates are also widely supported by cybersecurity experts, who likewise aim to close the gaps in data protection in the healthcare sector. However, the update has also raised concerns about the financial and operational burden, especially for smaller providers that may lack the resources to comply with the new requirements. Updates such as maintaining detailed cybersecurity documentation and conducting risk analyses would be a challenge for smaller and rural hospitals operating on limited budgets.
HHS also places a specific focus on vendor management. Providers should know how third-party vendors use and transfer their data. Experts have noted that incidents like the Change Healthcare breach illustrate the risks of relying on third-party vendors for data storage and management. Healthcare providers need to ensure that the vendors they work with can handle sensitive data securely; otherwise, use of those vendors’ services should stop entirely so that the risk of future data breaches is avoided.
Even though these changes come with some challenges, particularly for smaller organizations, they are ambitious in scope. Ultimately, this is a positive step toward improving the security of sensitive healthcare data. Experts appear to be on board with the changes, and given the ongoing cyber threats, they point out that robust cybersecurity protocols and thorough vendor management are essential. Patient data is highly sensitive, and it must be protected at all costs.