HIPAA’s New Cybersecurity Requirements: A Step Toward Global Best Practices

On January 6, 2025, the U.S. Department of Health and Human Services (HHS) proposed a landmark update to the HIPAA Security Rule. Published in the Federal Register, these changes aim to modernize protections for electronic Protected Health Information (ePHI) in response to an escalating wave of cyber threats. While these updates are essential for strengthening the healthcare sector’s cybersecurity posture, they are also part of a broader trend toward aligning U.S. regulations with global standards.

For compliance leaders, these changes offer both challenges and opportunities. They address well-known gaps in HIPAA’s existing framework and align it more closely with international standards like GDPR, NIS2, and ISO 27001. By adopting a global perspective, organizations can turn these updates into a springboard for broader strategic alignment and innovation.

What’s Changing?

The proposed updates focus on key areas critical to modern cybersecurity:

1. Mandatory Implementation Specifications
   The flexibility of “addressable” controls is removed, making all implementation specifications mandatory. This means safeguards like encryption, access controls, and incident response measures are now non-negotiable for all covered entities.

2. Mandatory Encryption and Multi-Factor Authentication (MFA)
   Encryption for ePHI at rest and in transit is now required, with few exceptions. Multi-factor authentication is also mandatory for accessing ePHI systems, ensuring stronger identity verification.

3. 72-Hour Recovery and 24-Hour Notification Requirements
   Organizations must restore critical systems and data within 72 hours of an incident and notify partners within 24 hours of activating contingency plans in response to an ePHI-related disruption.

4. Regular Security Assessments
   Biannual vulnerability scans and annual penetration testing are now required to identify and mitigate risks proactively.

5. Enhanced Documentation and Training
   Policies and procedures must be reviewed and updated annually, with employee training programs focusing on emerging threats like social engineering.

How These Changes Fit Into the Global Landscape

HIPAA’s updates are not happening in isolation. They reflect principles already embedded in international frameworks, showcasing a shift toward global alignment. For example, the move to mandatory implementation specifications mirrors GDPR Article 32, which explicitly requires encryption, pseudonymization, and other technical controls to protect sensitive data. Similarly, the NIS2 Directive emphasizes standardized risk management practices for essential service operators, including healthcare, ensuring consistent safeguards across organizations.

Incident response timelines under the proposed HIPAA updates align closely with established global benchmarks. Both GDPR Article 33 and NIS2 require breach notifications within 72 hours. However, NIS2 introduces an additional requirement: organizations must submit an initial notification within 24 hours of discovering a significant cybersecurity incident. This early notification ensures authorities are informed as quickly as possible, even if all details are not yet available. Similarly, HIPAA’s proposed 24-hour notification for activating contingency plans underscores the growing expectation for organizations to act swiftly during incidents to mitigate risks.

The focus on encryption and MFA aligns with global best practices. ISO 27001 specifies secure authentication mechanisms, such as MFA, for high-risk systems. GDPR highlights encryption as a critical measure for minimizing breach impact, and PCI DSS mandates similar controls for safeguarding sensitive financial information. These changes ensure HIPAA catches up with what many frameworks already consider fundamental to modern cybersecurity.

The inclusion of regular vulnerability scanning and penetration testing also closely aligns with proactive risk management strategies outlined in ISO 27001. These practices shift the focus from reactive compliance to continuous improvement—a critical aspect of maintaining security in an evolving threat landscape.

What This Means for Healthcare Leaders

These updates aren’t just regulatory mandates—they’re a strategic opportunity. For healthcare leaders, the proposed changes demand a reevaluation of cybersecurity priorities, resources, and processes.

Take encryption and MFA, for example. These controls are table stakes across most frameworks, from HIPAA to GDPR to PCI DSS. Investing in scalable, interoperable solutions ensures compliance with HIPAA while aligning with other global standards, reducing the need for redundant efforts. Similarly, the focus on incident response provides a chance to operationalize best practices for breach reporting and recovery.

Smaller organizations and those reliant on legacy systems may face unique challenges. Retrofitting older infrastructure to support encryption or MFA can be resource-intensive. Leaders should prioritize building scalable solutions that address immediate gaps while preparing their organizations for future regulatory demands.

Engaging employees through targeted training on emerging threats like social engineering is another critical component. A well-trained workforce is often the first line of defense against data breaches, and these updates provide the perfect opportunity to elevate security awareness across the organization.

Taking Action: Leadership Insights

To navigate these changes effectively, healthcare leaders should:

1. Conduct a Gap Analysis
   Identify gaps in your current compliance posture, particularly around encryption, MFA, and incident response. Prioritize addressing areas that carry the highest risk.

2. Leverage Global Lessons
   Study publicly available frameworks like GDPR, NIS2, and ISO 27001 to guide implementation. Resources such as the NIST Cybersecurity Framework and the Center for Internet Security (CIS) Controls offer actionable roadmaps for compliance.

3. Invest in Technology and Processes
   Implement tools like automated vulnerability scanning and centralized logging to reduce operational burdens. Scalable solutions that address multiple frameworks simultaneously will maximize efficiency.

4. Engage in the Public Comment Process
   Use the public comment period, open until March 7, 2025, to advocate for practical timelines and clarifications. Active participation can shape the final rule to benefit organizations of all sizes.

A Global Mindset for HIPAA Compliance

The proposed updates to the HIPAA Security Rule signal a shift toward harmonized cybersecurity standards. By aligning with frameworks like GDPR, NIS2, and ISO 27001, these changes set the stage for a more resilient healthcare sector.

For leaders, the challenge is to think beyond HIPAA and seize this moment to build globally aligned, future-proof security programs. By leveraging global best practices, adopting scalable solutions, and fostering a culture of proactive risk management, organizations can position themselves as leaders in protecting patient data and trust.