Securafy | Knowledge Hub

5 Key Cybersecurity Practices to Meet the Updated HIPAA Security Rule Standards

Written by Randy Hall | Mar 21, 2025 4:00:00 AM

In response to escalating cyber threats, the U.S. Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule, aiming to enhance the protection of electronic protected health information (ePHI). These proposed modifications, published on January 6, 2025, are designed to address technological advancements and the evolving cybersecurity landscape. Federal Register

To align with these updated standards, healthcare organizations should implement the following key cybersecurity practices:

 

1. Implement Multifactor Authentication (MFA)

As cyber threats grow more sophisticated, traditional password protection is no longer sufficient to safeguard electronic protected health information (ePHI). Recognizing this, the updated HIPAA Security Rule now mandates the implementation of Multifactor Authentication (MFA) to reinforce access controls and reduce the risk of data breaches. BIPC

What is MFA and Why Does It Matter?

MFA is a security protocol that requires users to provide two or more forms of authentication before accessing sensitive systems, applications, or databases containing patient information. This layered security approach significantly enhances protection by ensuring that even if one authentication factor is compromised, unauthorized access remains blocked.

How MFA Works in Healthcare IT Environments

Under the new HIPAA guidelines, healthcare organizations must adopt strong authentication measures that verify a user’s identity using a combination of the following factors:

  1. Something You Know – A password or PIN.
  2. Something You Have – A secure device, such as a smartphone (for a one-time passcode) or a smart card.
  3. Something You Are – Biometric verification, such as a fingerprint or facial recognition.

For example, a doctor accessing an electronic health records (EHR) system may be required to enter a password (something they know) and authenticate via an SMS or authenticator app-generated code (something they have) before being granted access.

Why MFA is Now a HIPAA Requirement

The push for mandatory MFA in healthcare cybersecurity is driven by the growing volume of credential theft and phishing attacks targeting healthcare providers. Stolen credentials are one of the leading causes of healthcare data breaches, exposing patients’ sensitive data to cybercriminals. By requiring MFA, healthcare organizations can:

  • Prevent Unauthorized Access – Even if a hacker steals login credentials, they won’t gain access without the second authentication factor.
  • Reduce Phishing Risks – Many phishing scams rely on obtaining user passwords, but MFA adds an extra layer of defense.
  • Ensure Compliance with HIPAA – Failure to implement MFA can now result in penalties due to non-compliance with the updated HIPAA Security Rule.

MFA Best Practices for Healthcare Organizations

To effectively implement MFA while maintaining efficiency in daily healthcare operations, providers should:

  • Use Modern Authentication Methods – Move beyond SMS-based MFA to more secure methods like app-based authentication (Google Authenticator, Microsoft Authenticator) or hardware security keys.
  • Apply Risk-Based Authentication – Require MFA only for high-risk logins (e.g., logging in from a new device, accessing critical patient records, or making administrative changes).
  • Train Staff on Security Best Practices – Ensure employees understand the importance of MFA and recognize phishing attempts aimed at bypassing it.
  • Integrate MFA Seamlessly with EHR and Cloud Systems – Choose MFA solutions that integrate with existing healthcare applications without disrupting workflows.

With the HIPAA Security Rule reinforcing MFA as a requirement, healthcare organizations must act now to protect patient data. Implementing a strong MFA strategy is one of the most effective ways to reduce cyber risks, enhance compliance, and build a resilient healthcare IT infrastructure.

Would you like to explore HIPAA-compliant MFA solutions for your organization? Let’s discuss how to secure your healthcare systems effectively.

 

2. Encrypt ePHI Both In Transit and At Rest

With cyberattacks on healthcare organizations increasing and patient data becoming a prime target, the updated HIPAA Security Rule now mandates robust encryption for electronic protected health information (ePHI) both in transit and at rest. These requirements ensure that even if data is intercepted or accessed without authorization, it remains unreadable and secure. Hyperproof

What is Encryption and Why is it Essential for Healthcare IT?

Encryption is a security measure that converts readable data into an unreadable format using complex algorithms. Only users with the correct decryption key can revert the information to its original state. Without encryption, patient records, billing details, and medical histories stored or transmitted electronically are vulnerable to hacking, data breaches, and ransomware attacks.

Understanding ePHI Encryption: In Transit vs. At Rest

Encryption In Transit

  • Protects data while it is being transmitted between systems, such as between a hospital’s electronic health records (EHR) system and a cloud storage provider or from a healthcare provider to a third-party lab.
  • Uses secure transmission protocols like TLS (Transport Layer Security), HTTPS, and Secure FTP (SFTP) to prevent unauthorized interception.
  • Ensures that if a hacker tries to intercept patient data during transmission, it remains encrypted and unreadable.

Encryption At Rest

  • Secures ePHI when it is stored on a device, server, database, or in the cloud.
  • Uses Advanced Encryption Standard (AES) with at least 256-bit encryption, which is considered unbreakable with current computing power.
  • Ensures that even if attackers gain access to the physical storage or backup systems, they cannot decipher the data without the encryption keys.

Why HIPAA Now Mandates Stronger ePHI Encryption

The push for mandatory encryption under the updated HIPAA Security Rule is driven by the growing number of healthcare data breaches, ransomware attacks, and insider threats. According to reports:

  • Healthcare data breaches cost an average of $10.93 million per incident, the highest among all industries.
  • 45 million healthcare records were exposed in cyberattacks in 2023, with projections increasing for 2025.
  • Ransomware attacks on hospitals have doubled, with many incidents leading to data exposure and operational disruptions.

Without proper encryption measures, stolen ePHI can be sold on the dark web, used for identity theft, or exploited for fraudulent billing scams, putting patients and healthcare organizations at risk of compliance penalties and legal liabilities.

Best Practices for Encrypting ePHI and Achieving HIPAA Compliance

  • Use End-to-End Encryption (E2EE) – Ensure that ePHI is encrypted the moment it is created, transmitted, stored, and accessed.
  • Adopt AES-256 Encryption – Healthcare organizations should implement AES-256-bit encryption, which is the highest industry standard for securing sensitive medical data.
  • Utilize Encrypted Cloud Storage – Storing patient data in HIPAA-compliant cloud platforms with built-in encryption provides an additional layer of security.
  • Encrypt Backups and Archive Data – Historical patient records, imaging files, and backups should also be encrypted to prevent unauthorized access in the event of a data breach.
  • Manage and Protect Encryption Keys – Use secure key management solutions to store and rotate encryption keys periodically, ensuring only authorized personnel can decrypt sensitive data.
  • Enable Disk-Level and Database Encryption – Hard drives, portable devices, and databases containing ePHI should have full-disk encryption to prevent unauthorized data extraction.

The Consequences of Non-Compliance

Failure to implement strong encryption protocols can result in severe HIPAA violations, financial penalties, and reputational damage. In 2024, the Office for Civil Rights (OCR) issued record-breaking fines to healthcare organizations for failing to secure ePHI properly. Under the proposed 2025 HIPAA Security Rule updates, enforcement is expected to become even stricter.

Encryption is no longer optional—it is a necessity. Implementing robust encryption for ePHI at rest and in transit ensures healthcare providers stay compliant with HIPAA, protect patient data, and reduce the risk of costly breaches.

Organizations that proactively adopt strong encryption strategies will not only meet regulatory standards but also build trust with patients and stakeholders in an era where data security is paramount.

 

3. Maintain a Comprehensive Asset Inventory

One of the most critical yet often overlooked aspects of healthcare cybersecurity is maintaining an up-to-date and comprehensive asset inventory. In the latest HIPAA Security Rule updates, healthcare organizations are required to develop, document, and continuously update a detailed inventory of all assets that handle electronic protected health information (ePHI). Health Law Advisor

This requirement is essential for ensuring better oversight, stronger risk management, and more effective security controls. Without a clear understanding of which devices, applications, and systems store or process ePHI, healthcare providers cannot fully protect sensitive data or comply with federal regulations.

What is an Asset Inventory in Healthcare IT?

An asset inventory is a structured record of all hardware, software, and network devices that store, process, or transmit ePHI. This includes:

  • Physical Assets: Servers, desktops, laptops, mobile devices, network routers, firewalls, backup storage, and medical devices connected to IT systems.
  • Software Assets: Electronic health record (EHR) systems, patient management applications, cloud services, security software, and telehealth platforms.
  • Data Storage Locations: On-premise databases, cloud-based storage, external drives, and backup repositories that contain ePHI.

Why a Detailed Asset Inventory is Now Mandatory

The increase in cyberattacks on healthcare organizations, including ransomware, phishing, and insider threats, has exposed gaps in asset management. Healthcare providers often struggle to track all IT assets, leading to unsecured devices, outdated software, and unknown vulnerabilities.

The updated HIPAA Security Rule now mandates that organizations establish a formal process to identify, document, and monitor all IT assets that interact with ePHI. This is crucial for:

  • Identifying security risks: Ensuring that every device and system is accounted for helps mitigate potential cyber threats.
  • Preventing unauthorized access: Healthcare providers can restrict access to sensitive data by keeping track of all devices that handle patient information.
  • Ensuring compliance with security policies: Organizations must regularly audit their IT environments to confirm that assets are properly secured and up to date.
  • Minimizing operational disruptions: Knowing what assets are in use and where ePHI is stored helps healthcare organizations respond quickly to security incidents and system failures.

Best Practices for Maintaining a Comprehensive Asset Inventory

To meet HIPAA compliance and strengthen healthcare cybersecurity, organizations should implement the following best practices for asset inventory management:

  1. Develop a Centralized Asset Management System

    • Use automated asset tracking tools to create a real-time, dynamic inventory of all IT assets.
    • Ensure all devices, software, and cloud services are properly categorized and labeled for easy identification.

  2. Regularly Audit and Update Asset Inventories

    • Conduct quarterly or semi-annual audits to verify that all assets are properly documented and secured.
    • Remove outdated, unused, or unauthorized devices from networks to reduce security risks.

  3. Classify Assets Based on Risk and Sensitivity

    • Categorize assets by their level of exposure to ePHI and other sensitive information.
    • Apply enhanced security controls to high-risk assets, such as multi-factor authentication (MFA) and encryption.

  4. Implement Endpoint Security and Monitoring

    • Ensure that every endpoint device (laptops, mobile devices, remote workstations) is secured with endpoint detection and response (EDR) tools.
    • Enable remote tracking and wipe capabilities for mobile and cloud-connected devices to protect ePHI in case of theft or loss.

  5. Integrate Asset Inventory with Incident Response Plans

    • Link asset management with cybersecurity response protocols to ensure rapid response when a security threat is detected.
    • Establish clear procedures for decommissioning or replacing compromised assets to prevent data breaches.

The Consequences of Failing to Maintain an Asset Inventory

Without a comprehensive, up-to-date asset inventory, healthcare organizations face increased risks of compliance violations, data breaches, and operational failures. The Office for Civil Rights (OCR), responsible for HIPAA enforcement, has escalated penalties for organizations that fail to properly track and secure their IT assets.

Fines for non-compliance can reach millions of dollars, especially if a data breach occurs due to unsecured or unmonitored devices. Additionally, the lack of an accurate asset inventory can slow down incident response efforts, increasing downtime and financial losses.

Maintaining a comprehensive asset inventory is no longer just a cybersecurity best practice—it is a HIPAA-mandated requirement essential for protecting ePHI and ensuring healthcare organizations remain compliant with federal regulations.

By implementing proactive asset management strategies, healthcare providers can enhance security, reduce cyber risks, and maintain patient trust in an increasingly digital healthcare environment.

 

4. Conduct Regular Risk Analyses

Risk analysis is a fundamental aspect of healthcare cybersecurity, ensuring that electronic protected health information (ePHI) remains secure against evolving threats. The updated HIPAA Security Rule strengthens requirements around risk assessments, emphasizing proactive identification and mitigation of vulnerabilities within an organization’s IT infrastructure. CITI Program

What is a HIPAA Risk Analysis?

A risk analysis is a systematic evaluation of security risks that could impact the confidentiality, integrity, or availability of ePHI. This process helps organizations:

  • Identify security weaknesses within IT systems, cloud storage, and network environments.
  • Assess potential threats such as cyberattacks, insider threats, and data leaks.
  • Determine the likelihood and impact of security incidents.
  • Develop strategies to reduce risks and comply with HIPAA security requirements.

Why Regular Risk Analyses are Now Mandatory

The increase in healthcare data breaches, ransomware attacks, and compliance violations has led to stricter enforcement of risk management requirements. Under the proposed HIPAA Security Rule updates, healthcare entities must:

  • Perform risk analyses on an ongoing basis, rather than treating it as a one-time requirement.
  • Evaluate risks across all IT environments, including cloud storage, third-party vendors, and remote work systems.
  • Document security gaps and remediation plans to ensure continuous compliance.
  • Align security measures with industry standards, such as NIST Cybersecurity Framework and Zero Trust Architecture.

Failure to conduct regular risk analyses can result in significant penalties, with the Office for Civil Rights (OCR) imposing fines on organizations that fail to implement adequate risk management practices.

Key Components of an Effective Risk Analysis

  1. Identify All IT Assets and Data Sources

    • Catalog hardware, software, cloud applications, and third-party integrations that store or transmit ePHI.
    • Assess data flows to understand how patient information moves within and outside the organization.

  2. Assess Potential Threats and Vulnerabilities

    • Identify risks such as phishing, malware, unauthorized access, and insider threats.
    • Evaluate technical vulnerabilities, including outdated software, weak encryption, and improper access controls.

  3. Determine Risk Impact and Likelihood

    • Use a risk scoring model to evaluate how likely a security threat is to occur and what impact it could have on operations and compliance.
    • Prioritize high-risk areas that could result in HIPAA violations or disrupt patient care.

  4. Implement Security Controls and Mitigation Strategies

    • Strengthen password policies, multifactor authentication (MFA), and encryption standards.
    • Apply real-time monitoring and intrusion detection systems to detect threats early.
    • Ensure staff training to reduce human errors that could expose patient data.

  5. Monitor, Update, and Document Findings

    • Conduct annual risk assessments and additional evaluations whenever there are system changes, new technology implementations, or security incidents.
    • Keep detailed documentation of risk analysis reports, security updates, and mitigation efforts to demonstrate HIPAA compliance in case of an audit.

The Consequences of Non-Compliance

Failing to conduct regular risk analyses increases the risk of data breaches, regulatory penalties, and reputational damage. The HIPAA Security Rule updates include stricter enforcement, with audits focusing on whether healthcare organizations have proactively identified and mitigated risks.

  • Healthcare organizations have faced fines ranging from $100,000 to over $1 million for failing to conduct risk assessments or address known security weaknesses.
  • OCR investigations have found that many breaches could have been prevented if organizations had performed routine security evaluations and implemented appropriate safeguards.

5. Develop and Test Incident Response and Disaster Recovery Plans

Preparedness is essential in minimizing the impact of security incidents, cyberattacks, and system failures. Under the updated HIPAA Security Rule, healthcare organizations are required to establish, document, and regularly test both Incident Response Plans (IRP) and Disaster Recovery Plans (DRP) to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

With ransomware attacks, insider threats, and IT system failures increasing, healthcare providers must have clear protocols for detecting, responding to, and recovering from security breaches to prevent operational disruptions and regulatory violations. Health Law Advisor

What Are Incident Response and Disaster Recovery Plans?

Incident Response Plan (IRP) – A structured approach for detecting, responding to, and mitigating security incidents such as data breaches, ransomware infections, insider threats, and unauthorized access.

Disaster Recovery Plan (DRP) – A comprehensive strategy for restoring IT operations after catastrophic events such as cyberattacks, server failures, or natural disasters, ensuring continued access to critical healthcare data and systems.

Why HIPAA Now Requires Formalized and Tested Response Plans

Many healthcare data breaches could have been contained or prevented if organizations had pre-established protocols for handling security incidents. The lack of response planning has led to:

  • Extended system downtime, delaying patient care and critical operations
  • Massive data breaches exposing sensitive ePHI
  • Regulatory penalties for non-compliance with HIPAA

The updated HIPAA Security Rule mandates that organizations:

  • Develop an incident response framework that outlines how security teams should detect, respond to, and contain threats.
  • Test disaster recovery procedures to ensure business continuity and minimize disruptions.
  • Document security incidents and responses for regulatory compliance and post-incident analysis.
  • Ensure executive leadership and IT teams participate in response planning to align security protocols with business objectives.

Key Components of an Effective Incident Response Plan

  1. Incident Identification and Classification

    • Establish clear criteria for recognizing potential security incidents.
    • Implement real-time monitoring tools to detect threats as they occur.

  2. Immediate Containment and Mitigation

    • Develop protocols for isolating compromised systems to prevent the spread of attacks.
    • Restrict unauthorized access and initiate containment procedures based on severity.

  3. Investigation and Forensic Analysis

    • Conduct detailed analysis of security logs and impacted systems to determine the source and scope of the incident.
    • Work with cybersecurity experts and regulatory authorities to assess potential compliance violations.

  4. Notification and Communication Plan

    • Establish procedures for notifying affected patients, regulatory agencies, and legal teams in accordance with HIPAA’s Breach Notification Rule.
    • Ensure internal teams receive immediate alerts to coordinate an effective response.

  5. Post-Incident Review and Security Improvements

    • Conduct lessons-learned sessions to identify gaps in security defenses.
    • Update security policies and response plans based on incident findings.

Key Components of a Disaster Recovery Plan (DRP)

  1. Data Backup and Restoration Strategy

    • Implement automated, encrypted backups for all ePHI stored both on-premises and in the cloud.
    • Ensure redundant data storage locations are available to recover lost information.

  2. System Failover and Business Continuity Procedures

    • Define alternate data access solutions in case primary systems become unavailable.
    • Establish backup power and network redundancy to prevent extended downtime.

  3. Testing and Training Protocols

    • Regularly test disaster recovery processes to confirm that teams can quickly restore operations.
    • Conduct mock cyberattack and system failure exercises to evaluate staff readiness.

  4. Regulatory and Compliance Considerations

    • Maintain detailed logs of disaster recovery exercises to demonstrate HIPAA compliance.
    • Ensure all third-party vendors handling ePHI also have documented recovery plans.

The Consequences of Failing to Plan for Security Incidents

Failure to develop and test response plans has led to:

  • Extended downtime from cyberattacks, costing healthcare organizations millions of dollars.
  • Fines for HIPAA non-compliance due to unreported or mishandled security breaches.
  • Loss of patient trust and reputational damage following publicized data breaches.

The Office for Civil Rights (OCR) has increased HIPAA enforcement efforts, issuing steeper penalties for organizations that fail to implement effective incident response and disaster recovery protocols.

A proactive approach to incident response and disaster recovery is essential for protecting patient data, maintaining HIPAA compliance, and ensuring business continuity.

By developing and testing these plans regularly, healthcare organizations can:

  • Detect and respond to security threats faster.
  • Minimize downtime and financial losses after an attack or system failure.
  • Ensure continuous access to critical medical data and services.
  • Meet HIPAA requirements and avoid regulatory penalties.

Investing in a well-structured and tested security response strategy is no longer optional—it is a necessary safeguard for protecting both patient trust and operational stability.

By adopting these practices, healthcare organizations can enhance their cybersecurity posture and ensure compliance with the evolving HIPAA Security Rule standards.

 

Upcoming Book Release: Cybersecurity: The Silent Battlefield

 

This April, Randy Hall, CEO and Founder of Securafy, a leading IT services provider for small businesses in Ohio, will release Cybersecurity: The Silent Battlefield—an essential guide for business owners navigating today’s evolving digital threats.

 

With cybercrime now a billion-dollar industry, small businesses remain among the most frequent targets of ransomware, phishing attacks, and data breaches. In this book, Randy Hall provides actionable strategies to help business owners strengthen their cybersecurity defenses, avoid costly compliance mistakes, and protect their operations from financial and reputational harm.

 

"Cybersecurity isn’t just a technical issue—it’s a business imperative. Small businesses can no longer afford to treat cybersecurity as an afterthought. This book provides the practical steps they need to stay ahead of threats and secure their future." Randy Hall

What You’ll Learn in Cybersecurity: The Silent Battlefield

✔ Understanding Cyber Threats – Learn how cybercriminals exploit vulnerabilities through ransomware, phishing, and social engineering, and what businesses can do to stop them.

✔ AI-Powered Security Solutions – Discover how artificial intelligence is transforming threat detection, real-time response, and automated risk mitigation.

✔ Building a Cyber-Aware Workforce – Implement employee training programs designed to reduce human error, the leading cause of security breaches.

✔ Small Business Cybersecurity on a Budget – Access cost-effective strategies tailored for SMBs to improve security without requiring enterprise-level resources.

Randy Hall explains:

"Every business owner deserves peace of mind, knowing their data and operations are protected. This book breaks down complex cybersecurity challenges and provides practical, easy-to-follow solutions."

Cybersecurity: The Silent Battlefield will be available for purchase this April. Stay ahead of cyber threats and secure your business—more details and pre-order information soon.
View full post