How the 2025 HIPAA Changes Impact Cybersecurity in Healthcare

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) is one of the most widely recognized compliance regulations, affecting anyone who has ever been a healthcare patient. Its primary role is to establish federal standards that safeguard sensitive patient data from unauthorized access or disclosure. While this seems straightforward, cybersecurity remains a growing concern in healthcare.

Consider this: The HIPAA Journal reported that in 2023, 68 million patient records were breached, a staggering number that skyrocketed by 63.5% to 275 million records in 2024. In fact, last year alone, the records of 82% of the U.S. population were exposed, stolen, or impermissibly disclosed.

With cyber threats reaching unprecedented levels, HIPAA is undergoing its most significant updates in over a decade. Set to take effect in 2025, these changes are designed to strengthen cybersecurity protections for electronic Protected Health Information (ePHI) in response to the rising frequency of data breaches and compliance gaps identified by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

In this blog, we’ll break down the key HIPAA updates for 2025, explore the cybersecurity challenges facing the healthcare industry, and outline the steps organizations should take to stay compliant and secure in the years ahead.

Key 2025 HIPAA Changes Related to Cybersecurity

The proposed 2025 updates to the HIPAA Security Rule introduce several significant changes aimed at strengthening cybersecurity protections for electronic Protected Health Information (ePHI). These updates align HIPAA regulations with modern cybersecurity best practices and clarify existing requirements. A major revision is the removal of the distinction between required and addressable implementation specifications. Many regulated industries have misinterpreted "addressable" as optional, leading to inconsistent security measures. With this change, all security requirements must be fully implemented unless a business can clearly demonstrate why an alternative approach is necessary.

Here are the most critical cybersecurity-related updates:

Stricter Data Encryption Requirements

Encryption plays a vital role in securing ePHI, and the 2025 updates mandate encryption both at rest and in transit. Previously, HIPAA did not explicitly require encryption but suggested it as an “addressable” safeguard. Under the new rule, encryption is a baseline security requirement, meaning all covered entities must implement encryption protocols unless a valid justification is documented.

Organizations will need to:

• Ensure that all stored ePHI is encrypted using industry-standard encryption algorithms.
  
  
• Encrypt all ePHI transmitted over public or unsecured networks, reducing the risk of interception by cybercriminals.
  
  
• Conduct regular encryption audits to confirm compliance and effectiveness.

With ransomware attacks and data breaches on the rise, these encryption requirements significantly enhance data security and reduce the risk of unauthorized access.

New Security Guidelines for Telehealth and Remote Access

With the widespread adoption of telehealth, ensuring the security of virtual healthcare services has become a priority. The 2025 HIPAA update introduces stricter guidelines for remote access, particularly for providers using telecommunication platforms. These new requirements include:

• HIPAA-Compliant Telehealth Platforms: Any platform used for virtual care must meet HIPAA's strict privacy and security requirements. This includes secure data transmission, audit controls, and proper access authentication.
  
  
• End-to-End Encryption: Telehealth platforms must encrypt all communications to prevent unauthorized access and ensure patient confidentiality.
  
  
• Secure Patient Verification: Providers must implement strong identity verification processes to confirm patient identities before granting access to telehealth services.

These changes ensure that telehealth remains a secure and viable option for healthcare providers while minimizing the risks of data breaches.

Expanded Breach Notification Requirements

The HIPAA Breach Notification Rule is receiving an update to clarify what constitutes a breach and to tighten reporting timelines. Under the revised rules, any unauthorized acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the organization can prove, through a comprehensive risk assessment, that there is a low probability of compromise.

The risk assessment must evaluate:

• The nature and sensitivity of the compromised data, including identifiers and potential for re-identification.
  
  
• Who accessed the information—whether it was an unauthorized individual or a legitimate user who mistakenly accessed it.
  
  
• Whether the data was actually acquired or viewed, as opposed to merely exposed.
  
  
• How effectively the risk has been mitigated—for instance, whether security measures were promptly enacted to prevent further exposure.

A breach may involve internal threats (such as employees accessing PHI without authorization) or external threats (such as cyberattacks and ransomware incidents). Some exceptions apply, such as inadvertent disclosures between authorized personnel.

If a breach occurs, HIPAA mandates timely notification to affected individuals, regulatory agencies, and, in some cases, the media. The 2025 updates emphasize prompt disclosure and introduce clearer guidelines.

Stronger Vendor and Third-Party Security Standards

Healthcare organizations regularly work with third-party vendors such as billing services, IT providers, and cloud storage platforms. The 2025 HIPAA updates introduce stricter requirements for these business associates, ensuring they maintain security controls when handling PHI. They must have:

• Enhanced Vetting Processes: Healthcare providers must conduct thorough risk assessments before engaging third-party vendors, ensuring they meet HIPAA compliance standards.
  
  
• Stricter Business Associate Agreements (BAAs): Contracts with vendors must explicitly outline security expectations, incident reporting procedures, and liability in the event of a data breach.
  
  
• Stronger Incident Reporting: Business associates are now required to report all security incidents, even if they do not result in a breach, within 60 days of discovery.

These changes emphasize that third-party vendors must be held to the same standards as covered entities.

Cybersecurity Challenges in Healthcare

The healthcare industry faces a constantly evolving threat landscape, making cybersecurity a top priority for anyone handling protected health information (PHI). While HIPAA compliance establishes a strong foundation for data security, it does not guarantee protection against modern cyber threats. This is why it’s crucial for healthcare organizations to go beyond compliance and proactively address emerging risks.

Cyberattacks targeting healthcare providers have surged in recent years, with cybercriminals exploiting vulnerabilities in outdated systems, weak authentication measures, and human error. Some of the most prevalent threats include:

• Ransomware: These attacks encrypt critical healthcare data, rendering it inaccessible until a ransom is paid. With hospitals relying on real-time access to patient records, ransomware can disrupt patient care, delay treatments, and compromise lives.
  
  
• Phishing: Cybercriminals use deceptive emails, messages, or websites to trick employees into revealing sensitive information, such as login credentials or financial data. In healthcare, phishing attacks often impersonate vendors, leading to unauthorized access to electronic health records (EHRs) or financial fraud.
  
  
• Insider Threats: Not all cybersecurity risks come from external attackers. Disgruntled employees, negligent staff, or third-party contractors can pose serious security threats. Whether intentional or accidental, insider threats can result in unauthorized data access, making continuous monitoring and employee training essential.

Compliance vs. Security: Why Following HIPAA Alone Isn’t Enough

Many healthcare organizations assume that adhering to HIPAA regulations is sufficient to protect patient data. However, HIPAA outlines minimum security requirements, but it does not account for emerging threats or provide detailed technical guidance on risk mitigation.

Key reasons why compliance ≠ security:

• HIPAA lacks specific cybersecurity mandates: While it requires safeguards like encryption and access controls, it does not specify which encryption standards or multi-factor authentication (MFA) protocols should be used, leaving gaps in protection.
  
  
• Threats evolve faster than regulations: HIPAA updates occur infrequently, while cybercriminals continuously develop new attack techniques. Organizations must adopt proactive security measures—such as endpoint detection and response (EDR) and security information and event management (SIEM)—to stay ahead.
  
  
• Compliance does not mean resilience: Meeting HIPAA standards may help avoid fines and legal consequences, but it does not ensure a rapid recovery from cyber incidents. A strong incident response plan, regular penetration testing, and disaster recovery strategies are necessary to minimize downtime and protect patient care.

By integrating cybersecurity best practices beyond regulatory requirements, healthcare organizations can improve their ability to prevent, detect, and respond to cyber threats.

Common Security Gaps in Healthcare Organizations

Despite increased awareness of cybersecurity risks, many healthcare providers still have critical security gaps that leave them vulnerable to attacks. Some of the most common weaknesses include:

• Outdated Systems & Legacy Software: Many hospitals and clinics still rely on unsupported operating systems and outdated medical devices, which lack modern security patches. These legacy systems become prime targets for hackers, as they contain exploitable vulnerabilities.
  
  
• Weak Access Controls & Lack of Multi-Factor Authentication (MFA): Without strict access management, unauthorized individuals can gain entry to sensitive systems. Many healthcare providers still rely on single-factor authentication (e.g., passwords alone), making it easier for cybercriminals to compromise accounts through credential stuffing or phishing.
  
  
• Lack of Employee Cybersecurity Training: Human error remains one of the biggest cybersecurity risks in healthcare. Without regular training, staff members may fall for phishing scams, mishandle sensitive data, or inadvertently expose systems to malware.
  
  
• Poor Incident Response & Disaster Recovery Planning: Many organizations lack a well-defined cybersecurity response plan, meaning that when a breach occurs, they struggle to contain the damage, notify affected individuals, and resume operations quickly. A strong incident response framework and frequent tabletop exercises are critical to minimizing the impact of cyberattacks.
  
  
• Unsecured Third-Party Vendors & Business Associates: Healthcare organizations frequently outsource services to billing companies, cloud providers, and IT vendors. If these third parties do not meet strict security standards, they can become entry points for cybercriminals, leading to data breaches that affect the entire healthcare network.

Steps Healthcare Organizations Should Take to Stay Secure

Fortunately, healthcare organizations can take proactive measures to stay ahead of cybersecurity threats and protect patient data. A key strategy is to partner with a Managed Service Provider (MSP) that specializes in healthcare IT security. An experienced MSP can help implement security measures and maintain compliance without many operational disruptions.

By working with an MSP, healthcare organizations can take the four most critical steps to strengthen their cybersecurity posture. There are:

1. Conducting Regular Risk Assessments and Penetration Testing

Risk assessments and penetration testing are essential for identifying vulnerabilities before attackers exploit them. Many healthcare providers unknowingly leave security gaps in their networks, medical devices, or software applications, making them prime targets for cybercriminals.

• Risk Assessments: These involve evaluating network infrastructure, software applications, and data security policies to uncover potential threats. Regular assessments help organizations stay ahead of emerging risks and ensure compliance with HIPAA.
  
  
• Penetration Testing: Also known as ethical hacking, penetration testing simulates real-world cyberattacks to identify weaknesses in a healthcare organization's defenses. By proactively testing systems, organizations can remediate vulnerabilities before they are exploited.
  
  
• Continuous Monitoring: Cyber threats evolve rapidly, so ongoing risk assessment rather than a one-time evaluation is crucial. Continuous monitoring of network traffic, login attempts, and access logs helps detect and mitigate potential security breaches in real time.

2. Strengthening Multi-Factor Authentication (MFA) and Access Controls

Access control weaknesses are a leading cause of healthcare data breaches. Strong authentication measures and role-based access controls are essential to prevent unauthorized access to patient data.

• Multi-Factor Authentication (MFA): Enabling MFA ensures that even if an attacker steals a password, they cannot access critical systems without an additional verification step, such as a one-time passcode or biometric authentication.
  
  
• Role-Based Access Controls (RBAC): Not all employees need access to the same level of sensitive information. Implementing RBAC ensures that staff members only have access to the data necessary for their job roles, reducing the risk of insider threats or accidental exposure.
  
  
• Zero Trust Security Model: Adopting a Zero Trust approach means that no one is automatically trusted, and all users, devices, and applications must be continuously verified before gaining access to sensitive healthcare systems.

By limiting access to only those who truly need it, healthcare organizations can drastically reduce the risk of unauthorized data breaches.

3. Implementing Advanced Threat Detection and Response Strategies

Traditional antivirus software is no longer enough to combat modern cyber threats. Healthcare organizations must invest in advanced threat detection solutions to proactively identify and mitigate security risks.

• Security Information and Event Management (SIEM): SIEM systems use real-time monitoring and analytics to detect suspicious activities, unauthorized access attempts, and potential security breaches. These tools help detect and respond to threats before they escalate.
  
  
• Endpoint Detection and Response (EDR): EDR solutions provide continuous monitoring of endpoints (workstations, servers, and medical devices) to detect malware, ransomware, and other malicious activities.
  
  
• Incident Response Planning: Having a well-documented incident response plan ensures that in the event of a cyberattack, healthcare organizations can contain the threat, recover data, and resume operations quickly.

By leveraging cybersecurity tools and response strategies, healthcare organizations can minimize downtime, prevent data loss, and protect patient privacy.

4. Training Employees on Security Best Practices

Human error is one of the biggest cybersecurity risks in healthcare. Even the most advanced security tools cannot protect against employees who unknowingly fall for phishing scams or mishandle sensitive data. Regular security training is crucial to creating a culture of cybersecurity awareness.

• Phishing Awareness Training: Employees should be trained to recognize phishing emails, social engineering tactics, and fraudulent requests for sensitive information. Simulated phishing tests can help measure staff readiness and reinforce best practices for email security.
  
  
• Device Security Policies: With the rise of remote work and telehealth, employees should be trained on how to secure personal and work devices, including best practices for password management, software updates, and encrypted communications
  
  
• Regular Security Drills: Hosting cybersecurity awareness workshops and incident response drills ensures that staff members know how to react in case of a security breach or ransomware attack.

By fostering a security-first mindset, healthcare organizations can significantly reduce the risk of human error-driven breaches.

Conclusion

The cost of non-compliance with HIPAA is simply too great for healthcare providers to ignore. In 2024, the average cost of a healthcare data breach reached a staggering $9.77 million, a financial burden that goes beyond fines and remediation expenses. The real damage lies in the loss of patient trust, reputational harm, and potential legal consequences that can take years to recover from.

By taking a proactive approach to cybersecurity, healthcare organizations can reduce risks, ensure compliance, and protect patient data from evolving threats. Strengthening security measures now not only safeguards sensitive information but also enhances operational resilience and trust within the industry.

That’s why partnering with a Managed Service Provider (MSP) like Charles IT is essential. Our team specializes in navigating HIPAA 2025 compliance updates, ensuring your organization meets all security and regulatory requirements without disrupting patient care.

Don’t wait until a breach happens — stay ahead of threats and compliance changes. Schedule a call with one of our HIPAA experts today!