April 03, 2025 3 Minute Read

• Understand the Upcoming HIPAA Changes: Get a clear breakdown of the 2025 HIPAA Security Rule updates and what they mean for healthcare providers and business associates.
• Strengthen Cybersecurity Resilience: Learn how the new regulations emphasize cyber resilience, requiring proactive measures like incident response planning and regular system updates.
• Ensure Compliance and Minimize Risk: Discover actionable steps to meet the revised security standards, conduct risk assessments, and secure electronic protected health information (ePHI).

The Department of Health and Human Services (HHS) will be implementing sweeping and crucial updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to enhance the protection of electronic protected health information (ePHI).

These changes aim to address modern cybersecurity threats and ensure resilience in healthcare data management. In this blog, we will explore the key updates and their implications for healthcare providers and their business associates.

HIPAA was signed into law by President Bill Clinton in 1996 to protect patients' health information and access to healthcare. HIPAA's purpose is to protect patients' personal information, improve the healthcare system, ensure patients have access to their health information, and set federal standards for protecting patient health information.

The process to update began in 2020 with a Notice of Proposed Rulemaking for the HIPAA Security Rule being introduced in December 2024 and added to the Federal Register on January 6, 2025. Then, a 60-day window for public comments on the proposed change began. It was completed on March 7, 2025, and HHS is now processing the comments, will publish the final rule, and will set a date for implementation.

The goal of HIPAA 2.0 is to improve care coordination while maintaining strong protections for sensitive substance use disorder information and to reduce administrative burdens on providers and enhance patient rights.

To accomplish these measures, HIPAA 2.0 includes several sections that address patient rights and consent, but we will focus on the proposed cybersecurity changes.

Threat Actors Targeting Healthcare

Trustwave SpiderLabs is deeply involved in researching the cyber threats arrayed against the healthcare sector. The team’s report, Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape, detailed the techniques, tactics, and procedures threat actors use to conduct attacks and how valuable these groups consider patient information.

Let’s take a look at the key changes contained in HIPAA 2.0 and what they mean.

• Clearer Security Rules:
  • The new rules make it clear that all electronic health information needs to be protected. Whether you’re a healthcare provider or a business partner, you’re responsible for keeping this information safe.
  • This clears up any confusion from before and makes sure all security measures protect the information’s confidentiality, integrity, and availability.
• Stronger Security Measures:
  • The updates stress the need for "reasonable and appropriate" security measures based on the latest technology and threats. The goal is to make sure these measures help you bounce back quickly from cyber incidents.
  • This fixes past misunderstandings where some thought they didn’t have to implement certain controls.
• No More 'Optional' vs. 'Required':
  • The distinction between "optional" and "required" security measures is being removed. All standards will need to be met, ensuring a basic level of protection for everyone.
• Focus on Resilience:
  • A new rule will require entities to consider how well their security measures help them recover from bad events. This encourages planning for recovery and continuity in the face of cyber threats. This could and should include conducting tabletop exercises and having a Digital Forensics and Incident Response plan on file.
• Ongoing Maintenance and Updates:
  • The updates emphasize the importance of regularly reviewing, testing, and updating security measures to keep up with changing environments and technologies. Trustwave can assist with a HIPAA-based Security Maturity Assessment.

Drilling down a bit further, HIPAA 2.0 will require that Healthcare providers keep a detailed list of all their tech gadgets and create a map showing how electronic health information (ePHI) moves through their systems. This helps in spotting risks and keeping information safe.

Providers must do a more thorough job of checking for risks. This means looking at all their tech, identifying potential threats, figuring out how serious those threats are, and updating their records every year or after big changes. Trustwave’s Consulting and Professional Services team can lend a hand here with a risk assessment and business impact analysis.

A new rule requires providers to quickly apply updates and patches to their systems to protect against cybersecurity risks, and the proposal emphasizes that only authorized personnel should have access to ePHI, reducing the risk of internal threats. A Trustwave HIPAA Assessment can help identify any issues.

Providers must regularly review and document activities within their electronic systems to detect and respond to security incidents. Additionally, to minimize the supply chain risk, healthcare providers must ensure their business partners also have strong security measures in place to prevent data breaches and compliance issues.

What HIPAA 2.0 Will Mean for Healthcare Providers

Once implemented, the likely outcome is that providers will be handed more responsibility. Essentially, every healthcare provider and partner must ensure all electronic health information is secured, removing any previous misunderstandings about selective implementation.

The removal of the optional/required distinction means entities must meet all specified security standards, which could increase compliance efforts, especially for smaller providers. There will also be a focus on cyber resilience. Organizations will need to invest in security measures that not only prevent breaches but also ensure quick recovery and continuity of operations.

Stay Informed

Sign up to receive the latest security news and trends straight to your inbox from Trustwave.