New 2025 HIPAA Cybersecurity Rules: What Healthcare Providers Need to Know
In 2025, new HIPAA Security Rules will take effect, imposing stricter standards on healthcare organizations of all sizes. This is a major change from previous HIPAA regulations and will require a significant investment in new security measures.
The Problem with the Old HIPAA
Since 2005, healthcare organizations have been required to follow the Security Rule under HIPAA, which aims to protect electronic protected health information (ePHI). However, the original HIPAA rules, last updated in 2013, have become inadequate in the face of evolving cyber threats, particularly ransomware.
- HIPAA focused more on patient privacy than data security. This led organizations to prioritize compliance over actual security measures.
- The original rules allowed for flexibility through a distinction between "addressable" and "required" rules. Some organizations treated the addressable rules as optional and used that flexibility to avoid investing in necessary security defenses, weakening their overall security.
- As a result, healthcare data breaches have skyrocketed, with a 102% increase in large-scale breaches and a 1,002% increase in affected individuals from 2018 to 2023. In 2023 alone, over 167 million individuals were affected.
"Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks," Microsoft noted in October 2024. "However, a more significant reason these facilities are at risk is the potential for huge financial payouts."
The New, Stricter HIPAA Rules
The new HIPAA Security Rule is designed to address these shortcomings with a more prescriptive approach. The distinction between addressable and required rules will be eliminated, meaning all organizations will be held to the same standards, regardless of size or circumstance.
These new rules will include requirements for:
- Patch management
- Access controls
- Multifactor authentication (MFA)
- Encryption
- Backup and recovery
- Incident reporting
- Risk assessments
- Compliance audits
The Cost of Compliance
The White House estimates implementation will cost around $9 billion in the first year and another $6 billion over the next four years.
- Even organizations already following NIST controls may face costs ranging from $100,000 for small practices to millions for large medical groups.
- Many healthcare organizations already operate on thin margins, making these costs particularly challenging.
How to Prepare
Healthcare organizations need to start preparing for these changes now. Some possible steps include:
- Conduct thorough risk assessments to understand your organization’s vulnerabilities.
- Implement the new security requirements, including MFA and encryption.
- Consider utilizing a virtual Chief Information Security Officer (vCISO) to help navigate the complexities of the new rules.
- Develop a budget that accounts for the costs of compliance.
The new HIPAA Security Rules represent a significant shift in how healthcare organizations must approach cybersecurity. While the costs of compliance will be substantial, they are necessary to protect patient data and prevent costly data breaches.
By taking proactive steps to prepare, healthcare providers can ensure they are ready for the 2025 deadline.
Additional Resources
- https://www.darkreading.com/vulnerabilities-threats/hipaa-security-rules-pull-no-punches
- https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
- https://public3.pagefreezer.com/browse/HHS.gov/02-01-2025T05:49/https://www.hhs.gov/about/news/2024/12/27/hhs-office-civil-rights-proposes-measures-strengthen-cybersecurity-health-care-under-hipaa.html