Rising Cybersecurity Threats Prompt HIPAA Security Updates for Healthcare Sector

A Stoel Rives blog explains that the dramatic rise in cybersecurity incidents in the healthcare sector prompted the Office of Civil Rights at the Department of Health and Human Services (HHS) to issue a Notice of Proposed Rulemaking in December 2024, aiming to modify the HIPAA Security Rule.

The authors call updates essential given cybercriminals’ growing sophistication. Legislative efforts to enhance healthcare cybersecurity are also expected in 2025.

The HIPAA Security Rule was last updated in January 2013. The World Economic Forum’s Global Cybersecurity Outlook 2025 report highlights increasing complexities in cyberspace due to technological advancements and interconnected supply chains.

The proposed rule changes include eliminating the distinction between “required” and “addressable” specifications and mandating encryption with limited exceptions.

To protect electronic PHI, new standards, including patch management, multi-factor authentication, and network segmentation, have been introduced. However, smaller healthcare entities may face challenges adapting to these changes due to limited in-house expertise and resources.

The proposed modifications will significantly impact healthcare organizations’ operational and financial frameworks. Mandatory controls such as penetration testing will require minimal hours, but real-world implementation often demands extensive time and financial resources.

Even with full compliance, organizations remain vulnerable to cyberattacks and face potential legal liabilities, including privacy class actions, in the event of data breaches.

For legal advisers, these developments underscore the growing liability risks healthcare clients face regarding data exposure. Healthcare clients should review their cybersecurity frameworks, budget for compliance costs, and prepare for the legal issues associated with data breaches.