Hospitals are being breached at a pace that would have been unthinkable a decade ago. Ransomware events that shut down emergency departments. Ambulance diversions because patient records can’t be accessed. Recovery timelines that stretch into months. Most of these incidents don’t make national news anymore. They’ve become routine.
Against that backdrop, the U.S. Department of Health and Human Services is finalizing the first major overhaul of the HIPAA Security Rule since 2013. A final rule is expected in May 2026. For hospitals, business associates, and the vendors that serve them, the regulation is the forcing function. The actual problem is that healthcare security programs, as a category, have not evolved as quickly as the people attacking them.
This piece is a practical look at what’s changing across the full HIPAA safeguard framework, and where most hospital security programs are likely to fall short.
What’s actually changing
The single biggest shift in the proposed rule is the elimination of the long-standing distinction between “required” and “addressable” implementation specifications. For years, hospitals could document a reasoned justification for not fully implementing a particular safeguard. MFA on legacy systems, encryption at rest, formal incident response testing, certain elements of facility security planning. Under the proposed rule, that flexibility largely goes away.
That change cuts across all three categories of safeguards the Security Rule has always covered:
- Administrative safeguards include risk analysis, workforce training, security management, and the policies that govern how a hospital runs its program. The proposed rule tightens documentation standards and adds new requirements like maintaining a network map of all systems that touch electronic protected health information.
- Physical safeguards under the rule cover facility access controls, workstation security, visitor management, and the handling of media and devices. The rule treats this as one category, but in practice it has both a human side (officers, patrols, who responds when an alarm goes off) and a systems side (access control, video, visitor management technology). Several of these specifications have been “addressable” under the current rule, which is what’s changing. Informal sign-in sheets, weak badge programs, and unmonitored entrances become harder to defend.
- Technical safeguards include the controls most people associate with cybersecurity: MFA, encryption, access controls, audit logs. The proposed rule makes MFA mandatory across systems that touch patient data, requires encryption at rest as well as in transit, and adds explicit expectations for vulnerability scanning every six months, penetration testing annually, network segmentation, and incident response plan testing.
The penalty exposure is real. The regulator’s framing in recent OCR guidance has been blunt: policies and procedures alone are not sufficient evidence of security measure implementation. Auditors will be asking whether identified risks drove real decisions, whether configurations actually changed, whether controls were validated. Penalties for willful neglect can reach $73,011 per day, per violation.
It’s also worth noting that the proposed rule aligns closely with the NIST Cybersecurity Framework. Hospitals that have already organized their security program around NIST CSF will find the new requirements more familiar than disruptive.
Why the rule, on its own, is the wrong reason to act
Compliance is a useful deadline. It is not a useful strategy. Hospitals that build their security posture around passing audits tend to end up with checklists that satisfy regulators and still fail in the moments that matter.
The reason to take this seriously isn’t the rule. It’s the threat environment the rule is responding to. Healthcare has become one of the most consistently targeted sectors because attackers have learned that the operational pressure to restore service is enormous, the attack surface is sprawling, and the security maturity across the industry is uneven.
If a hospital reads the new rule and asks, “What’s the minimum we need to do to be compliant?”, that hospital is probably already behind. The better question is, “If we were breached tomorrow, where would we lose?”
Where most hospitals will struggle
A handful of patterns show up repeatedly in hospital security environments:
Facility access that doesn’t match the policy on paper. Tailgating at staff entrances. Visitor sign-in processes that lapse on weekends or after-hours. Badges that aren’t revoked when contractors finish a project. Service entrances and loading docks with minimal monitoring. Officers stationed where they’re visible but not where the real risk is. The Security Rule has always asked hospitals to control who gets where, but the addressable language gave a lot of room to slip. That room is closing.
Identity sprawl on the digital side. Clinicians, contractors, traveling nurses, third-party vendors, and connected medical devices all need some level of access. MFA gets enforced in some places and not others. Service accounts pile up over time. Privileged access often isn’t separated from day-to-day accounts. The new rule effectively says MFA needs to be in place everywhere patient data is touched, with documented exceptions only.
Flat networks. Hospitals grew their networks the way most legacy environments did, organically and over many years. A modern segmentation strategy that isolates clinical systems from administrative networks, separates medical devices, and contains lateral movement is the single highest-leverage control against ransomware. It’s also one of the most disruptive to retrofit, which is why so many programs put it off.
Testing as a paper exercise. Annual penetration tests scoped narrowly enough to produce clean reports. Vulnerability scans run on a subset of assets. Tabletop incident response exercises that don’t reflect what an actual ransomware event looks like. The new rule’s testing cadences are not unreasonable. They’re the minimum a serious program should already be doing.
Incident response plans that haven’t been pressure-tested. A response plan that’s never been exercised under realistic conditions is not a plan. It’s a hope. Hospitals that have lived through a real incident know how different the actual experience is from the written procedure. The new rule’s expectation that contingency plans be tested and updated is, in practice, an expectation that hospitals stop treating incident response as a documentation exercise.
How USI fits in
Most hospital security programs are stitched together from a long list of vendors. One company for the uniformed officers. Another for the access control system. Another for video. A different one for visitor management. A handful of vendors for the cyber stack. A consultant for compliance documentation. By the time you map it all out, the hospital’s own team is spending more time managing vendors than actually being secure.
USI is structured to simplify that. We work as the integrated security partner across three connected practice areas, each of which maps to the safeguards the new HIPAA rule expects.
- Physical security — our officer programs cover the human layer hospitals depend on every day. Trained, supervised officers stationed where the real risk is, supporting facility access policies, responding when something happens, and integrating with the rest of the security program rather than working in isolation.
- Integrated technology — through our authorized product partner relationships, we sell, install, and support the systems behind facility access and monitoring: access control, video management, visitor management, and intercom and emergency call systems. These are the systems where addressable specifications are becoming mandatory under the rule.
- Cybersecurity — delivered through our strategic partnership with Citanex, a firm whose practice is built around the NIST Cybersecurity Framework and whose leadership includes a former U.S. Secret Service Electronic Crimes Agent. Through that partnership, hospitals get risk and gap assessments mapped to NIST CSF (which the new HIPAA rule largely mirrors), Virtual C-Suite advisory for senior security leadership without a full-time hire, incident response and digital forensics support, and the technical execution work — MFA, segmentation, vulnerability management, penetration testing, managed detection — that the new rule expects.
The point of the model is that hospitals get a single accountable relationship across all three areas. One conversation, not seven. One partner who understands the building, the systems, and the threat model together. That’s increasingly rare in this industry, and it fits a regulation telling hospitals to think about all three safeguard categories as one program.
What we’d suggest doing now
Whether or not the final rule lands exactly as proposed, the direction is clear. A few practical steps that hold up regardless:
- Run a real gap assessment against the proposed controls across the full safeguard framework. Not a checklist exercise, but an honest look at where your environment would actually fail an auditor whose first question is “show me.” Map it to NIST CSF if you haven’t already.
- Walk your physical environment with fresh eyes. Where does facility access actually break down? Where do visitor procedures lapse? When was the last time someone tested whether a stranger could walk into a clinical area unchallenged?
- Pressure-test your incident response plan with a realistic scenario. If your team has never walked through a ransomware event with the actual people who’d be in the room, do that before you need to do it for real.
- Look hard at your security leadership coverage. Hospitals without a dedicated CISO, or whose CISO is stretched across too many priorities, will struggle to drive the program changes the new rule expects. A Virtual C-Suite or fractional CISO arrangement is often a good bridge.
The regulatory timeline matters. The threat timeline matters more. Hospitals that get ahead of both tend to look back on this period as the moment their program matured. The ones that don’t tend to look back on it from inside an incident.
If you’d like to talk through where your program stands against the proposed rule, or what an integrated security partnership across officers, technology, and cyber could look like for your hospital, contact us.
