WEBINAR
Join us to explore what 10 years of data tells us about real risks during the State of Pentesting 2025 webinar.

New HIPAA Regulations for 2025: Security Updates You Need to Know

Until now, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule has given organizations considerable discretion in deciding how to meet its general mandate to protect data. The latest proposed update replaces that discretion with stricter, specified requirements. Under the proposal, you must document your security policies in writing, maintain a technology asset inventory, conduct risk analysis, and implement a defined set of security controls. In this blog, we'll cover what healthcare organizations and their business associates need to know about the proposed changes to stay HIPAA compliant.

Background: Making Healthcare-Specific Cybersecurity Performance Goals (CPGs) Mandatory

The proposed HIPAA changes implement a framework introduced in a 2023 U.S. Department of Health and Human Services (HHS) Healthcare Sector Cybersecurity Strategy proposal. The framework focused on four main steps for improving healthcare security:

  • Establishing voluntary cybersecurity goals for healthcare providers
  • Providing resources to support cybersecurity implementation
  • Enacting an HHS-wide cybersecurity strategy to promote enforcement
  • Enhancing HHS cybersecurity support coordination with other federal agencies

Toward implementing the first step, HHS published a list of voluntary healthcare-specific cybersecurity performance goals (CPGs) for organizations to prioritize. These are divided into essential goals, which define the minimum safeguards against the most common attacks, and enhanced goals, which promote more advanced defenses against other attack vectors.

Essential goals include:

  • Mitigating known vulnerabilities
  • Securing email against phishing, spoofing, and fraud
  • Adding multifactor authentication (MFA)
  • Providing basic cybersecurity training to staff
  • Revoking credentials of departing workforce members
  • Planning and preparing for basic cybersecurity incidents
  • Assigning unique credentials to network users
  • Separating common user accounts from privileged accounts
  • Mitigating risks from third-party vendors and suppliers

Enhanced goals include:

  • Tracking inventory assets
  • Disclosing third-party vulnerabilities
  • Reporting third-party incidents
  • Establishing cybersecurity penetration testing (pentesting) and attack simulation processes
  • Creating mitigation procedures
  • Developing detection and response protocols for threats and adversarial tactics, techniques, and procedures (TTPs)
  • Segmenting networks
  • Building centralized security logs
  • Centralizing incident planning and preparedness
  • Implementing configuration management

While still describing these goals as voluntary, the strategy acknowledged that voluntary goals alone would not effect the desired security changes in the healthcare industry. It proposed integrating the CPGs into existing regulatory frameworks to create enforceable cybersecurity standards.

The new proposal implements this direction by removing the distinction between "required" and "addressable" implementation specifications in the current version of the HIPAA Security Rule. That distinction was intended to give regulated entities flexibility in how they implemented safeguards, but in practice it conveyed the misimpression that "addressable" specifications were optional. The new proposal makes clear that all Security Rule implementation specifications are mandatory.

Proposed HIPAA Changes for 2025

The proposed new HIPAA security rule strengthens the HIPAA security rule in numerous areas, notably including:

  • Written documentation requirements
  • Detailed security control requirements

Under the proposal, compliance in both areas would be explicitly mandatory. Here's a more detailed breakdown of these requirements:

You Must Put Everything in Writing

Under the proposed changes, you must document all security rule policies and procedures in writing. Documentation must cover:

  • Your technology assets inventory and network map
  • Annual risk analyses
  • Change management controls
  • Patch management procedures
  • Risk management planning
  • Monitoring and incident response policies and procedures, including reviews of relevant IT systems
  • Disaster recovery procedures for restoring relevant IT systems and data within 72 hours
  • Annual compliance audits

The proposal elaborates on these documentation requirements in a framework informed by two dozen detailed definitions of key terms reflecting the current state of technology. These definitions add specificity to the new requirements, making them clearer while imposing greater responsibilities for compliance.

Under the proposal's definitions, technology assets include all components of your electronic information system, including but not limited to hardware, software, electronic media, information, and data. Your documented technology assets inventory must cover all these components.

Relevant Electronic Information Systems

To clarify this requirement, the update modifies the current rule's definition of "information system" and introduces stricter definitions of "electronic information systems" and "relevant electronic information systems":

  • To account for developments such as cloud computing, the proposal changes the language describing information systems as "normally" including hardware, software, data, communications, and people to stating that information systems "generally" include these components. This acknowledges that responsibility for protecting ePHI may lie with multiple regulated entities, such as healthcare providers and cloud providers with access to the same technology asset. Additionally, to avoid redundancy, the modified definition removes "applications" from the current list of technology assets, as this falls under "software".

  • To distinguish electronic information systems from the broader concept of information systems, the proposal limits the former term to an interconnected set of electronic information resources under the same direct management control sharing the same functionality, including technology assets such as hardware, software, electronic media, data, and information.

  • To clarify the role electronic information systems play in protecting ePHI, the proposal defines relevant electronic information systems as electronic information systems that create, receive, maintain, or transmit ePHI, or that otherwise affect the confidentiality, integrity, or availability of ePHI. This definition makes explicit that organizations must understand how each of their electronic information systems affects ePHI confidentiality, integrity, and availability, not only the systems that store ePHI directly.

Risk Analysis

The new proposal requires greater specificity for risk analysis than previous guidance. Annual risk analyses now must include:

  • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI)
  • Enumeration of potential and existing vulnerabilities to relevant IT systems
  • Determination of the likelihood of identified threats exploiting identified vulnerabilities
  • Assessment of risks to ePHI from current or prospective business associates

Documentation Update Requirements

The update would require you to revise your written documentation at least every 12 months and whenever you make an operational change or experience an environmental change that may affect ePHI.

You Must Implement Specified Security Controls

The proposed update would require you to implement specific security measures or, in some cases, provide an alternative measure with an explanation of its substitution. Required controls include:

  • Encrypting ePHI at rest and in motion
  • Using multi-factor authentication
  • Technical controls for consistent system configuration
  • Configuration management controls, including anti-malware protection, removal of unnecessary software, and port disablement based on risk analysis
  • Vulnerability scanning every 6 months and penetration testing (pentesting) every 12 months
  • Network segmentation
  • Technical controls for creating and maintaining backups, tested every six months

As with the new proposed documentation requirements, these security controls are framed in the context of the detailed definitions laid out in the new proposal.

Multifactor Authentication

The proposal defines "multifactor authentication" as authentication of a user's identity through verification of at least two of the following three categories of factors:

  • Information known by the user, including but not limited to passwords and personal identification numbers (PINs)
  • Items possessed by users, including but not limited to tokens or smart identification cards
  • Personal characteristics of users, including but not limited to fingerprints, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.
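The point of the definition is that the factors must come from different categories: a password plus a PIN is two knowledge factors, not multifactor authentication. The following is an added example, not code from the original post or from any HHS guidance, showing a login that verifies a knowledge factor (salted PBKDF2 password hash) and a possession factor (TOTP per RFC 6238, as generated by an authenticator app) and then applies the two-distinct-categories test. The storage format of the user record and the `login` function are assumptions for illustration; the TOTP secret and timestamp in the usage are the RFC 6238 test vector.

```python
"""Added example: enforcing the 'two distinct factor categories' test.

Standard library only. The user record layout (salt, pw_hash, totp_secret)
is an assumed storage format, not something the proposed rule prescribes.
"""
import hashlib
import hmac
import os
import struct
from enum import Enum
from typing import List, Optional, Set, Tuple


class Factor(Enum):
    KNOWLEDGE = "something the user knows"   # password, PIN
    POSSESSION = "something the user has"    # TOTP app, smart card, token
    INHERENCE = "something the user is"      # biometric or behavioural trait


# --- knowledge factor: salted PBKDF2-HMAC-SHA256 password hash ---------------
PBKDF2_ITERATIONS = 600_000  # OWASP 2023 guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- possession factor: TOTP (RFC 6238) built on HOTP (RFC 4226) -------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Code for Unix time `at` using 30-second steps (what authenticator apps use)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    counter = at // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# --- the definition's test: at least two DISTINCT categories verified ---------
def satisfies_mfa(results: List[Tuple[Factor, bool]]) -> bool:
    verified = {category for category, ok in results if ok}
    return len(verified) >= 2


def login(user: dict, password: str, code: str, at: int) -> Tuple[bool, Set[Factor]]:
    """Verify both factors, return (authenticated, categories that passed).

    Both factors are always checked so a failed password does not leak
    which factor was wrong through timing.
    """
    results = [
        (Factor.KNOWLEDGE, verify_password(password, user["salt"], user["pw_hash"])),
        (Factor.POSSESSION, verify_totp(user["totp_secret"], code, at)),
    ]
    return satisfies_mfa(results), {c for c, ok in results if ok}


if __name__ == "__main__":
    # Constructed sample user; secret and time 59 are the RFC 6238 test vector.
    salt, pw_hash = hash_password("correct horse battery staple")
    user = {"salt": salt, "pw_hash": pw_hash, "totp_secret": b"12345678901234567890"}
    print(login(user, "correct horse battery staple", totp(user["totp_secret"], 59), 59))
    # Password + PIN: two knowledge factors, so NOT multifactor under the definition.
    print(satisfies_mfa([(Factor.KNOWLEDGE, True), (Factor.KNOWLEDGE, True)]))
```

The `satisfies_mfa` check is what distinguishes a compliant design from one that merely asks two questions: a second knowledge factor, however strong, never counts as a second category.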

Malicious Software

Relevant to the anti-malware requirement, the proposal updates the definition of malicious software to reflect the current state of technology. The current rule defines malicious software as software designed to damage or disrupt a system, giving only viruses as an example. The proposed update would broaden this to software or firmware whose effects extend beyond damaging or disrupting a system, covering any adverse impact on electronic information systems or on the confidentiality, integrity, or availability of ePHI. To illustrate, the proposal offers a non-exhaustive list of examples: not only viruses but also worms, Trojan horses, spyware, and some types of adware.

Technical Controls

Technical controls include technical mechanisms contained in hardware, software, or firmware components of electronic information systems implemented and executed by the system primarily to protect itself and its data.

Passwords

For passwords, the proposal anticipates adding examples to clarify the definition of a password. The current rule defines a password as confidential authentication information composed of character strings. The new proposal suggests supplementing the existing definition with reference to letters, numbers, spaces, and other symbols to provide context for regulated entities. However, the current version of the proposal does not flesh this out.

HIPAA Security Update Implementation Timetable

The notice of proposed rulemaking was published in the Federal Register on Jan. 6, 2025, opening a 60-day public comment period that closed on March 7, 2025. The current Security Rule remains in effect until a final rule is issued and its compliance date arrives.

Achieve HIPAA Compliance with Cobalt

The proposed rule updates impose significant requirements on healthcare providers and their business associates, including vulnerability scanning every six months and annual pentesting.

The Cobalt pentesting team provides HIPAA compliance testing to help you keep up with the latest regulatory requirements. We offer pentesting as a service (PTaaS) on demand to provide you with audit-quality attestation reports tailored to your requirements. 

Our user-friendly PTaaS platform lets you tap into our community of experienced pentesters to conduct tests 50% faster than traditional pentesting at 25% less cost. The Cobalt platform lets your team collaborate with our experts, giving you complete visibility into your tests and results. Use our platform to tell us about your testing requirements and assets, and we'll match you with the expertise to set up compliance tests customized to your needs. 


About Gisela Hinojosa
Gisela Hinojosa is a Senior Security Consultant at Cobalt with over 5 years of experience as a penetration tester. Gisela performs a wide range of penetration tests, including network, web application, mobile application, Internet of Things (IoT), red teaming, phishing, and threat modeling with STRIDE. Gisela currently holds the Security+, GMOB, GPEN, and GPWAT certifications.