
Major cybersecurity breaches continue to plague the US healthcare industry, and on December 27, 2024, the U.S. Department of Health and Human Services (HHS), via its Office for Civil Rights (OCR), issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule, titled “The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information”. Comments were requested, and over 4000 were received before the comment period ended on March 7, 2025. This post dissects the comments received, discusses what could come next, and offers recommendations on how to prepare for the regulatory road ahead.
What’s Driving the Update
The updated HIPAA Security Rule presents a proposed upgrade of the Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”) which was initially issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and updated again with the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
The declared intent of the HHS is to update the Security Rule in response to the evolving healthcare technology landscape, and to address new emerging threats. The purpose of the NPRM is specifically to strengthen cybersecurity protections for electronic protected health information (ePHI).
The proposed Security Rule update can be seen as an evolution of previous work:
- The Healthcare Sector Cybersecurity Strategy document published in December 2023 proposed a framework to help the healthcare sector address cybersecurity threats. This set voluntary cybersecurity goals for the healthcare sector, and set out an HHS-wide strategy to support greater enforcement and accountability.
- In January 2024, OCR published its HPH Sector Cybersecurity Performance Goals (CPGs) in collaboration with CISA (the U.S. Cybersecurity and Infrastructure Security Agency). These align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework functions and recommend cybersecurity practices aimed at improving security at HIPAA-regulated entities to combat cyberattacks, improve incident response, and minimize risk.
The newly updated Security Rule would make mandatory some of the voluntary “best practices” laid out in the CPGs, such as use of encryption and multifactor authentication (MFA). Clearly OCR does not believe voluntary goals will be sufficient to drive the behavioral change needed to improve cybersecurity to the level required.
What Has Been Proposed
The proposed amendments aim to address the growing cybersecurity threats and vulnerabilities facing the U.S. healthcare system. The updated HIPAA Security Rule recommends that healthcare organizations implement advanced controls like mandatory encryption for all ePHI (both at rest and in transit), multi-factor authentication (MFA), network segmentation, regular vulnerability scanning and penetration testing, robust anti-malware protection, patch management, and configuration controls, while also conducting thorough risk assessments and maintaining strong access controls to limit unauthorized access to sensitive patient data.
Who Said What
Comments were received from 4749 individuals, healthcare providers, professional organizations and cybersecurity vendors, a broad show of support for strengthening cybersecurity protections for ePHI. At the same time, the comments reflected significant concerns about the practicality, burden, and clarity of some of the proposed changes.
Healthcare providers focused on implementation challenges: the feasibility and cost of the measures, and the practicalities of implementing certain requirements, particularly for smaller organizations and those with technical limitations. Many focused on the significant financial impact of implementing the proposed measures, and raised concerns that the costs involved in penetration testing had been underestimated, especially for smaller entities. Some also worried about potential disruptions to healthcare operations if compliance becomes overly burdensome.
Industry organizations: HIMSS recommended closer alignment with frameworks like the NIST Cybersecurity Framework 2.0 and the HHS CPGs. The Consumer Technology Association (CTA) noted the burden of preparing detailed plans and procedures. The American Council of Life Insurers (ACLI) urged HHS to reconsider the specific time periods provided in the proposed Security Rule, and to implement the rule in a way that would not require re-negotiating existing Business Associate Agreements (BAAs).
Cybersecurity experts noted that the NPRM significantly underestimates the time and effort required for thorough penetration testing and other security assessments and processes, referencing industry standards like PTES.
Technology vendors stressed the need for greater clarity both in terms of scope (e.g. are EHR vendors “Business Associates?”), and clearer technical implementation details (e.g. around cloud environments, MFA, encryption, etc.).
Pushback on Frequency of Checks and Reporting Timelines
Several commenters expressed significant pushback on the various timeframes proposed in the updated HIPAA Security Rule, arguing that they are often too short and inflexible, and do not account for the operational realities and resource constraints of regulated entities, particularly smaller and rural providers.
Incident Reporting: There is a requirement for regulated entities to establish written procedures for restoring certain relevant electronic information systems and data within 72 hours, perform a criticality analysis, and create documented security incident response plans.
There is significant pushback that this rule is too prescriptive and would create undue burdens.
Patches and fixes: The proposed rule suggests patching critical vulnerabilities within 15 days and high-risk vulnerabilities within 30 days. Many argued these timelines are aggressive and difficult to meet due to system downtime requirements, vendor delays in releasing patches, the need for thorough testing, and the challenges associated with legacy systems at or nearing end of life support.
Recommendations included revising the deadlines to 30 days for critical risks, and 45 days for high-risk vulnerabilities with flexibility for documented exceptions aligning with industry norms like NIST SP 800-53. Some suggested timelines based on the CVSS severity rating scale or allowing patching to occur on a “reasonable and appropriate” timeline based on risk assessment.
Workforce Access Termination Notification: The proposal to notify other regulated entities of a workforce member’s termination of access to ePHI in less than 24 hours was challenged, citing variability in termination processes and reliance on HR system updates. Commenters recommended allowing entities to adjust the timeline based on their risk analysis, with immediate termination for high-risk separations and a 24-hour window for standard cases.
Data Backup and System Restoration: The proposed requirement to restore critical relevant electronic information systems and data within 72 hours or less received substantial pushback, given that restoration can depend on factors outside the regulated entity’s control, such as law enforcement investigations, supply chain delays, and coordination with vendors, especially medical device providers.
Many also operate with limited personnel, making such rapid restoration infeasible. Moreover, premature restoration before fully addressing the root disruption cause could lead to repeated breaches.
Commenters recommended replacing the strict 72-hour deadline with a flexible timeframe that requires timely restoration without further jeopardizing data security, “within a reasonable and appropriate period, not to exceed 7 days,” based on a criticality analysis.
Reviews and Testing: Several proposals included a requirement for reviews and tests to occur at least once every 12 months for various administrative, physical, and technical safeguards. This includes policies, procedures, technical controls, and security incident response plans. The proposed compliance audit, to be conducted at least once every 12 months, was also questioned. Contributors argued that the additional staffing costs would be particularly burdensome for organizations already subject to multiple compliance audits, and in smaller organizations would risk diverting resources from patient care. It was suggested that the frequency of testing and reviews should be risk-based, with some recommending compliance audits every few years instead of annually.
Data Backup Testing Frequency: The proposed requirement to test the effectiveness of backups and document the results at least monthly was cited as unnecessarily frequent. Monthly testing could require substantial IT resources and workforce time, diverting attention from other critical security activities or patient care. Commenters instead suggested a risk-based approach for determining testing frequencies.
Vulnerability Scanning Frequency: The proposal for automated vulnerability scans no less frequently than once every six months was questioned: one commenter suggested monthly scans for highly dynamic IT environments and six-month scans for stable environments.
In summary, the dominant theme in the pushback regarding proposed timeframes and frequencies is that they are often perceived as unrealistic, overly prescriptive, and potentially detrimental to patient care due to the significant resource burdens they would impose, especially on smaller and rural healthcare entities. Many commenters advocated for a more flexible, risk-based approach to these requirements.
About George McGregor
George McGregor is VP of Marketing for Approov. He is passionate about healthcare sector cybersecurity and previously held executive roles at Imperva, Citrix, Juniper Networks and HP. Approov API Threat Protection provides a multi-factor, end-to-end mobile API security solution that complements identity management, endpoint, and device protection to lock down proper API usage. Only safe and approved apps can successfully use APIs. Bots and fake or tampered apps are all easily turned away and PHI is protected.