News

HHS Proposes the First Major HIPAA Security Rule Update in Over a Decade

In late 2024, the Department of Health and Human Services proposed the most significant update to the HIPAA Security Rule since it was last revised in 2013. The proposal would eliminate the distinction between “required” and “addressable” implementation specifications, making all of them mandatory with only limited exceptions, and would spell out specific technical controls that the current rule either treats as addressable or does not name at all: multi-factor authentication, network segmentation, encryption of electronic protected health information at rest and in transit, and penetration testing at least once every 12 months.

The proposal also added requirements for business associate oversight (written verification, at least annually, that business associates have deployed the required technical safeguards), a technology asset inventory and network map updated at least annually, annual testing of incident response plans, vulnerability scanning at least every six months, and the ability to restore critical electronic information systems and data within 72 hours.

The timing was not coincidental. The Change Healthcare ransomware attack in February 2024 exposed just how fragile healthcare cybersecurity infrastructure had become. Attackers used compromised credentials to log in to a remote access portal that had no MFA enabled, and the resulting outage at a single clearinghouse disrupted pharmacy claims and prescription processing across the country for weeks.

The proposed rule reflects a broader shift in how regulators are approaching cybersecurity: moving from guidance and addressable standards toward mandatory, auditable controls with defined frequencies. The comment period, which closed in March 2025, drew extensive industry response, with healthcare organizations raising concerns about implementation costs and timelines.

Whether the final rule matches the proposal remains to be seen. But the direction is clear. Healthcare organizations that have deferred security investments on the grounds that HIPAA requirements were soft are running out of runway.