
Data breaches and ransomware attacks have become a persistent and costly challenge in the healthcare sector. As the Change Healthcare ransomware attack shows us, these threats continue to escalate in frequency and sophistication. Organizations bound by HIPAA must reevaluate their approach to cybersecurity, especially when it comes to encryption.
In December 2024, the U.S. Department of Health and Human Services (HHS) proposed a significant update to the HIPAA Security Rule, part of which suggests a mandate requiring the encryption of electronic protected health information (ePHI) both at rest and in transit. While it’s still uncertain whether HHS leadership will move forward with finalizing the rule, healthcare organizations would be wise to act as if it’s already in place. Why? Because the need for robust encryption is not a matter of regulatory compliance alone; it is a critical step in safeguarding patient data.
From Best Practice to Baseline Requirement
Historically, encryption has been considered a best practice under HIPAA—a strong recommendation rather than an enforced requirement. This created a gray area that some organizations took advantage of, justifying alternative safeguards in place of encryption. That ambiguity has left many systems exposed, with predictable results.
The proposed changes aim to remove that ambiguity by making encryption the standard, not an option. Today’s threat landscape requires that encryption be a default part of a layered defense-in-depth strategy for protecting sensitive health data.
Why Act Now?
While the proposed changes to HIPAA are not yet codified, the rationale behind them is sound. Cyberattacks targeting healthcare organizations continue to rise, with attackers treating ePHI as a high-value target, both because of the nature of the data and because of healthcare organizations’ historical pattern of paying ransoms. Patients are increasingly concerned about the safety of their data, and regulators are responding with heightened scrutiny.
Proactively adopting strong encryption measures demonstrates a commitment to patient privacy and operational integrity. It also puts your organization in a stronger position during audits and assessments, even if the final rule is delayed or modified.
There are several additional compelling reasons to adopt the proposed encryption standard without waiting for it to become law:
- It gives you a jumping-off point for a thorough audit of your data protection strategy. Such an audit not only determines whether your data is encrypted at rest and in transit; it is also an opportunity to clearly define where your data resides, who has access to it, and whether you hold data that can be properly disposed of.
- It positions your organization ahead of the regulatory curve. Besides being a responsible choice, it means that if HHS finalizes the proposed encryption mandate, your organization will already meet its requirements.
- Encrypting your data minimizes the risks associated with breaches, not only preventing patient harm and reputational damage but also helping your organization avoid steep financial penalties.
Simplifying Cyber Resilience
Encryption is essential, but it’s not sufficient on its own. A comprehensive data protection strategy also includes redundancy and resilience.
By taking the step to universally encrypt ePHI, your organization is one step closer to following the widely accepted best practice called the 3-2-1 Rule. This approach entails maintaining three copies of your data, stored on two different types of media, with one copy kept offsite and encrypted.
The 3-2-1 Rule provides a safety net in case of ransomware or other disruptive events, which have become all too familiar across the healthcare industry. By combining 3-2-1 with a regular cadence of confirmed clean backups, you create a process to recover critical information quickly and securely in the event your primary systems are compromised. In healthcare, where downtime can impact patient care, having access to reliable backups is not optional—it’s essential.
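As an added illustration (not part of the article, and not Apricorn’s code), here is a small Python check that evaluates a set of backup copies against the 3-2-1 Rule and the “confirmed clean” requirement by comparing each copy’s SHA-256 digest with the digest recorded when the backup was taken; the copy labels, media types and contents are constructed sample data.

```python
"""Added example (not from the article): check a set of ePHI backup copies against
the 3-2-1 Rule and confirm each copy still matches its known-good digest.
All copy metadata and contents below are constructed in memory for illustration."""
import hashlib
from dataclasses import dataclass

@dataclass
class BackupCopy:
    label: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool
    encrypted: bool
    content: bytes    # stand-in for the backup image

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_321(copies, known_good_digest):
    """Evaluate 3-2-1 plus the 'confirmed clean' requirement.
    A copy is clean when its digest equals the digest recorded at backup time."""
    f = {
        "three_copies": len(copies) >= 3,
        "two_media_types": len({c.media for c in copies}) >= 2,
        "one_offsite_encrypted": any(c.offsite and c.encrypted for c in copies),
        # Proposed HIPAA rule: ePHI encrypted at rest, so every copy must be encrypted.
        "all_encrypted": all(c.encrypted for c in copies),
    }
    f["tampered"] = [c.label for c in copies if sha256(c.content) != known_good_digest]
    f["compliant"] = all(f[k] for k in ("three_copies", "two_media_types",
                                        "one_offsite_encrypted", "all_encrypted")) and not f["tampered"]
    return f

# Constructed sample set: primary disk, local tape, encrypted offsite object store.
ORIGINAL = b"ePHI backup image (constructed sample)"
KNOWN_GOOD = sha256(ORIGINAL)
GOOD_SET = [
    BackupCopy("primary-san", "disk", offsite=False, encrypted=True, content=ORIGINAL),
    BackupCopy("local-tape", "tape", offsite=False, encrypted=True, content=ORIGINAL),
    BackupCopy("offsite-object", "object-storage", offsite=True, encrypted=True, content=ORIGINAL),
]
# Same set, but the offsite copy no longer matches its recorded digest (silently altered).
ALTERED_SET = GOOD_SET[:2] + [
    BackupCopy("offsite-object", "object-storage", True, True, b"altered contents")
]

if __name__ == "__main__":
    print(check_321(GOOD_SET, KNOWN_GOOD))     # compliant: True
    print(check_321(ALTERED_SET, KNOWN_GOOD))  # tampered: ['offsite-object']
```

Running the same check after every backup job, and alerting when any copy's digest drifts from the recorded one, is what turns "we have backups" into "we have confirmed clean backups."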
Adopting a Zero-Trust Security Model
Encryption helps protect data, but controlling access to that data is equally important. A zero-trust approach ensures that no user or device is automatically trusted, regardless of location or credentials. Every request for access is verified through a combination of identity checks, device health assessments, and contextual risk evaluation.
Given the mobile and distributed nature of today’s healthcare workforce, this approach is particularly relevant. From clinicians accessing records on tablets to administrators working remotely, every endpoint represents a potential vulnerability. Encrypting data and enforcing a zero-trust framework helps mitigate the risk of unauthorized access, even if a device is compromised.
Don’t Overlook Training and Awareness
Even the best encryption and access controls can be undone by human error. That’s why ongoing education and training should be part of any security strategy. Staff should understand how encryption works, when and why it’s used, and how to handle ePHI securely. Training should be practical, engaging, and tailored to the roles of different team members.
Employees are tricky — they are your first line of defense, as well as your weakest link. Regular, relevant training can significantly reduce the risk of accidental breaches, successful phishing attacks, or even insider threats.
Final Thoughts: Lead with Encryption
The threat environment in healthcare already justifies the need for encryption of ePHI. The proposed HIPAA rule change, however, gives your organization a tangible, topical reason to reconsider your position on encryption. Organizations that act now to adopt encryption as a default, not an exception, will be better positioned to protect patient data, respond to regulatory changes, and build trust with the communities they serve.
Ultimately, this isn’t just about compliance. It’s about doing the right thing. Encrypt your data. Back it up and confirm those backups are clean. Train your people on how to deal with data. Whether mandated by law or not, these are the standards we should hold ourselves to in an industry where privacy and safety go hand in hand.
About Kurt Markley
Kurt Markley is the Managing Director, Americas at Apricorn. He is a 25-year technology veteran with a specialized focus on storage and cybersecurity.