The following is a guest article by Yair Cohen, Co-Founder and VP Product at Sentra
In 2024, the U.S. healthcare sector faced a huge wave of cyberattacks — including the devastating Change Healthcare ransomware incident, which alone impacted millions of Americans and disrupted hospital operations nationwide. By year’s end, more than 182 million individuals had been affected by over 670 major health data breaches, underscoring the urgent need for stronger cybersecurity and data governance across the industry.
Now, for the first time in more than two decades, the Department of Health and Human Services (HHS) is proposing sweeping updates to the HIPAA Security Rule. These long-overdue changes aim to align healthcare security practices with today’s threat environment and will significantly reshape how organizations approach data protection and cybersecurity.
For security teams, the new rules mean that data governance must become proactive, that automation is no longer a nice-to-have, and risk accountability needs to be measurable and, above all, continuous. Let’s have a closer look at some of the key changes to the HIPAA rules and what they mean for security teams.
From Addressable to Mandatory
One of the most significant changes to the proposal is the elimination of “addressable” implementation specifications. Under the new rules, every safety feature, from encryption to incident response, must be fully implemented, documented, and enforced.
This means security teams can no longer rely on risk-based justifications for limited or incomplete implementation. Governance frameworks must now ensure every specification is operational and auditable, meaning security leaders should prioritize the development of policy engines and compliance automation tools that enforce safeguards across all digital infrastructure.
Focus on Encryption, MFA, and Access Control
The proposed amendments to HIPAA place a stronger emphasis on three core pillars: encryption, multi-factor authentication (MFA), and access control.
When it comes to electronic protected health information (ePHI), the new rules require that encryption measures be in place for all ePHI, whether the records are in transit or at rest, and accessing any system containing ePHI will require an additional safety feature, including MFA. Additionally, in the event of employee role changes or terminations of employment, organizations must ensure access to any databases and systems is cut off within 24 hours of the employee’s departure.
These changes have significant implications for organizations, demanding they revisit their identity and access management (IAM) architecture. As such, ad-hoc controls are no longer sufficient and security teams must instead enforce policy-based access and ensure rapid response to keep controls current.
Asset Visibility and Data Mapping
The rule changes mandate annual updates to technology asset inventories and network mapping; however, best practice would counsel continuous inventory and activity mapping to spot problems early. These are critical steps in tracking how ePHI flows through systems and security teams must now account for every location, every device, and every application that has access to sensitive data.
Without precise asset inventories, organizations face blind spots that offer a loophole for attackers to exploit. Therefore, businesses must ensure they have data governance tools in place that are capable of continuous monitoring and classification. Manual asset tracking will no longer be sufficient under the new rules.
Risk Analysis, Incident Response, and Business Continuity
Another novelty under the new rules requires organizations to restore lost systems and data within 72 hours of a cyber incident. This change significantly reduces the grace period for incident response and disaster recovery and will require faster, seamless coordination across IT, security, and compliance teams.
In order to remain compliant, organizations must ensure incident response plans are documented in detail and tested regularly. IT teams should test their existing disaster recovery plans, for example, by simulating breach scenarios in order to validate whether they are able to recover encrypted or compromised systems within the required window.
Additionally, risk assessments must now be conducted on a continuous and comprehensive basis, making it a daily priority rather than a sporadic exercise. Security teams must identify vulnerabilities across all systems interacting with ePHI and demonstrate remediation plans that evolve with emerging threats. This requires integration with threat intelligence, data classification engines, and compliance platforms.
The Importance of Automation and Data Security Platforms
Manual approaches to compliance, such as spreadsheets for tracking assets or human-led audits of access permissions, will no longer be sufficient in order to comply with the updated HIPAA Security Rule. Data security platforms offer tools such as automated policy enforcement for encryption and alerting on policy violations of regulatory frameworks, dashboards for monitoring compliance posture, and centralized documentation and reporting, thereby providing real-time visibility into where ePHI lives, how it’s used, and how secure it is.
By automating the classification, monitoring, and remediation of sensitive data risks, security teams can shift from reactive defense to proactive governance.
A New Era of Accountability
The proposed HIPAA Security Rule updates mark a critical transformation point for healthcare cybersecurity. Compliance is no longer about avoiding fines; it’s about creating resilient, secure systems that protect patients and maintain trust. Security teams that treat this shift as a strategic opportunity rather than a regulatory burden will emerge as leaders not just in compliance, but in healthcare innovation and digital trust.
About Yair Cohen
Yair Cohen is the Co-Founder and VP Product at Sentra. He is a passionate and customer-focused product leader with eighteen years of experience in enterprise software, security, data, and cloud. Prior to Sentra, Yair led best-in-breed products at Microsoft, Datadog, and other cloud-focused enterprises.
