On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). A public comment period took place in January of 2025, and the final rule is expected to be published later this year, possibly in May. The rules will be enforced sometime after that.


The Addressable Becomes Required

One of the most significant changes in the updated HIPAA Security Rules is the removal of “addressable” safeguards. Under the current model, a HIPAA‑compliant organization can choose to:

  • Implement the safeguard as stated
  • Implement an equivalent alternative control
  • Not implement it, with a documented, risk‑based justification

While the addressable option provided flexibility, it also created ambiguity. Organizations will still be able to decide how to meet the requirements, such as which encryption technology or MFA (multifactor authentication) method to use, but they will no longer be able to opt out of these safeguards entirely.

A key driver behind this transition is the widespread move toward Zero Trust Security, built on the principle of “never trust, always verify.” In a Zero Trust model, foundational security controls such as strong authentication, encryption, network segmentation, and continuous validation cannot be optional. Any gap becomes a potential attack path.

The urgency for clearer, mandatory controls is reinforced by the sharp rise in healthcare cyberattacks. In 2024 alone, 742 data breaches involving 500 or more records were reported to the Department of Health and Human Services (HHS). The current estimate for 2025 is more than 700 affected healthcare organizations. The numbers clearly show that healthcare is under sustained attack, and optional security controls are no longer sufficient.


Multifactor Authentication Required

MFA is already mandatory under several regulatory frameworks, including PCI DSS 4.x, NIST 800-171, and NYCRR Part 500. The proposed HIPAA Security Rule update is expected to follow suit, requiring multifactor authentication for remote access and privileged accounts. Examples of access that would be covered include:

  • Remote access to internal networks and ePHI systems via VPN, RDP, or direct‑to‑app connections
  • Workforce access to EHR/EMR (Electronic Health Records/Electronic Medical Records) and other core clinical, claims, and billing systems containing ePHI
  • Privileged and admin access to servers, domain controllers, cloud applications, and security tools
  • Third‑party or vendor access


HIPAA will not dictate which factor types to use, but it will require at least two independent factors for covered users and systems. Most people are familiar with traditional SMS/voice codes for MFA, but this method is considered weaker than newer approaches because of its susceptibility to SIM‑swap and phishing attacks. Stronger MFA options include:

  • Authenticator apps such as Microsoft or Google Authenticator that issue time‑based one‑time passcodes and align with NIST 800‑63 AAL2
  • Push approvals with number matching to a registered mobile app, for workforce access to VPN, EHR, and critical SaaS apps
  • FIDO2/WebAuthn security keys or platform passkeys in the user's possession


Many data breaches begin with the theft of a valid user's credentials, which are then used to gain access. For instance, a U.S. House subcommittee found that a breach of United Healthcare in February of 2024 occurred because UnitedHealth wasn't using multifactor authentication to secure one of its most critical systems. United Healthcare acquired Change Healthcare in 2022 and found that Change Healthcare had not applied MFA to the particular server in question. The attack leveraged remote access via stolen credentials that lacked a second factor of authentication.


Required Scanning and Penetration Testing

The NPRM included a proposal to require vulnerability scanning at least every six months and penetration testing at least once every 12 months. These requirements shift healthcare organizations from reactive security postures to proactive threat hunting and remediation.

Regular vulnerability scanning keeps an up‑to‑date inventory of missing patches, misconfigurations, and exposed services across servers, endpoints, networks, and medical devices. According to HHS, unpatched software vulnerabilities caused nearly one in five healthcare ransomware attacks in 2024.

Annual penetration tests simulate real-world attacks to identify which vulnerabilities can be exploited, how attackers might chain them together, and whether defenses such as segmentation, MFA, and logging hold up.

HALOCK Security Labs provides penetration testing as part of its Offensive Security practice, which combines adversarial testing, penetration testing, and application testing to uncover, measure, and reduce real-world risk. Our testers emulate threat actors to expose exploitable weaknesses, validate defensive controls, and deliver clear, actionable remediation guidance.

If you aren't aware of the coming HIPAA rule changes or are unsure how to implement them, our HIPAA experts can help by evaluating where you are today and outlining a strategy that gets you to where you need to be by year's end.
