Network Segmentation
The newly proposed HIPAA Security Rule updates will require network segmentation to be implemented “in a reasonable and appropriate manner” as a security measure that creates clear boundaries between the networks that process ePHI (electronic protected health information), or that host sensitive or privileged processes, and the rest of the environment. The purpose of network segmentation is to create a boundary that contains breaches and prevents the lateral movement of an attack once a network has been infiltrated.
In many healthcare breaches, attackers first gain access to less critical or lower‑security areas of a network. A prime example is phishing, through which malicious links or malware are delivered to end‑user systems. Without proper segmentation, attackers can then move laterally (east‑west traffic) to reach systems that store or process ePHI, dramatically increasing the scope and impact of the breach.
An example is the ransomware attack that Ascension Health experienced in May of 2024, which affected some 5.6 million patients. In this incident, an employee downloaded a malicious file that provided attackers with an initial foothold in the environment. From there, the attackers were able to move laterally across the network into more sensitive systems, encrypting files and disrupting critical operations. Strong network segmentation could have limited the attacker’s ability to pivot beyond the initially compromised system and reduced the overall impact of the attack.
Ransomware attacks are typical examples of lateral attacks on networks in which attackers gain initial access through phishing. In the Covenant Health data breach and ransomware attack that occurred last year, attackers were able to move laterally across the network for 8 days before they were finally detected. The attackers exfiltrated the data of more than 478,000 patients before the data was encrypted. Once again, network segmentation could have limited the blast radius of this attack by containing its spread, even though it could not have prevented the initial compromise.
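The segmentation point above can be made concrete as a policy check. The following is an added example, not code from the article or from Halock; the segments, addresses, ports and rules are constructed for illustration. It evaluates flows against an ordered, first‑match ruleset with a default deny, then tests a flat network and a segmented one against the same invariants: clinicians keep their path to the EHR application, while every other east‑west path from the workstation segment into the ePHI segment (and the reverse direction) must be denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None = any destination port
    action: str          # "allow" or "deny"

def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Evaluate one flow against an ordered ruleset; unmatched flows are denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

# Constructed segments (assumed for this example, not taken from the article).
USERS = "10.10.0.0/16"   # end-user workstations, where phishing payloads land
EPHI = "10.50.0.0/24"    # segment holding the EHR application and its database
EHR_APP = "10.50.0.10"
EHR_DB = "10.50.0.20"

FLAT = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]   # unsegmented network
SEGMENTED = [
    Rule(USERS, EHR_APP + "/32", 443, "allow"),  # only the TLS front door of the EHR
    Rule(USERS, EPHI, None, "deny"),             # nothing else east-west into ePHI
    Rule(EPHI, USERS, None, "deny"),             # ePHI segment never initiates to users
]

# Segmentation invariants: (src, dst, port, expected outcome).
INVARIANTS: List[Tuple[str, str, int, str]] = [
    ("10.10.4.7", EHR_APP, 443, "allow"),  # clinicians still reach the EHR
    ("10.10.4.7", EHR_DB, 5432, "deny"),   # database unreachable from workstations
    ("10.10.4.7", EHR_DB, 445, "deny"),    # no file-sharing path into ePHI hosts
    ("10.10.4.7", EHR_APP, 3389, "deny"),  # no remote-desktop path into ePHI hosts
    (EHR_DB, "10.10.4.7", 445, "deny"),    # no reverse path out of the segment
]

def violations(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Return the (src, dst, port) flows whose outcome differs from the invariant."""
    return [(s, d, p) for s, d, p, want in INVARIANTS if first_match(rules, s, d, p) != want]

if __name__ == "__main__":
    print("flat network violations:", violations(FLAT))        # 4 lateral paths open
    print("segmented network violations:", violations(SEGMENTED))  # []
```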
Encryption No Longer Optional
With the coming HIPAA NPRM updates, the option to “decline” encryption is effectively disappearing, aside from rare, narrowly defined, and well‑justified exceptions. Encryption of data at rest now applies to every location where ePHI resides. This includes file shares, on‑prem and cloud storage, backups and archives, laptops, workstations, and even powered‑off removable media. In all of these storage locations, strong, standards‑based encryption is expected by default.
For data in transit, any ePHI crossing any type of network, including an internal LAN, a WAN, the internet, a VPN, or a cloud interconnect, must be protected with modern, secure transport protocols such as TLS 1.2/1.3 or IPsec. In other words, encryption for ePHI, both at rest and in transit, is no longer something nice to have. It is the baseline assumption regulators will use when evaluating your environment.
There is no doubt that stricter encryption requirements are necessary in the healthcare industry. A 2025 study showed that in the 364 hacking incidents reported by the American Hospital Association, 100% of the hacked data was not encrypted. This was due either to stolen credentials granting access to encrypted data or to data being stored in an unencrypted format outside the EHRs.
A recent example in 2025 involved a New Jersey health technology company, ESHYFT, where 86,000 records were compromised due to a misconfigured AWS S3 bucket. Post‑incident analysis proved that the attack could have been prevented had the data been encrypted. Encryption would also have played a critical role in preventing the successful retrieval of data in the Ascension and Covenant attacks mentioned above.
Conclusion
Things have been changing quickly since the Notice of Proposed Rulemaking was released just over a year ago. If you are unsure whether your organization is prepared for the upcoming rule changes or how to implement some of them, such as network segmentation or data encryption, our HIPAA and security specialists at Halock Security Labs can help.
Through our offensive security approach, we help organizations move from uncertainty to actionable clarity. Our HIPAA security risk assessments provide plain‑language reporting for leadership, clearly explaining what could go wrong with protected health information (PHI) and electronic medical records (EMR), while also validating alignment with both current requirements and the newly proposed safeguards.