Industry Continues to Push Back on HIPAA Security Rule Overhaul
Healthcare cyberattacks are on the rise, but industry organizations say the proposed changes to the security rules fall short of what's needed.

By Arielle Waldman, Features Writer, Dark Reading

December 23, 2025

Opposition is building as industry organizations weigh in on the public comment period for proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

In January 2025, the US Department of Health and Human Services (HHS) announced its proposed update to HIPAA, intended to strengthen cybersecurity in light of intensifying, damaging attacks and data breaches against the healthcare sector. The HIPAA Security Rule applies to electronic protected health information and addresses a multitude of concerns: patch management, asset control requirements, compliance audits, and security controls such as multifactor authentication (MFA) and network segmentation.

HHS gave a March 7 deadline for submitting public comments, and organizations did not hold back. Many of the concerns were over the practicality of implementing the rule, noting both the time constraints and whether the expectations were realistic to begin with.

The latest opposition comes from 100 healthcare organizations nationwide. A coalition letter led by the College of Healthcare Information Management Executives (CHIME) cited new financial burdens and unreasonable implementation deadlines as major hurdles with the proposed updates. The rule "should be immediately withdrawn without further consideration," the letter states.

Last week's letter doesn't mean CHIME and the signees, which include Yale New Haven Health System and the American Medical Association, don't believe cybersecurity standards for healthcare need to be revised. They urged HHS to collaborate with them and other entities that the rule change would impact to create more realistic standards.

One major area of concern is the compliance deadline, says Chelsea Arnone, director of federal affairs at CHIME. "As currently proposed, the deadline for compliance with the rule changes would be 60 days after publication. Regulated entities must comply with the applicable new standards or implementation specifications no later than 180 days from the effective date," Arnone says.

The compliance deadline, like many aspects of the proposal, highlights a disconnect between what HHS expects and how cybersecurity in the healthcare sector actually works, experts say. For example, healthcare organizations can't afford the downtime that many updates require, due to the simple fact that they need to deliver around-the-clock patient care.

"The compliance deadline is a problem for a variety of reasons, including that HHS estimates MFA deployment can be done in one and a half hours," Arnone tells Dark Reading. "For hospitals, MFA touches every clinical workflow, every application, every workstation, and requires redesigning access patterns so clinicians can still care for patients. These projects take months, not hours."

The same applies to the stipulated network segmentation updates. "As it stands, HHS estimates that work could be completed in four and a half hours, but CHIME's member CISOs say segmentation requires weeks to months of architectural redesign, firewall policies, testing, and coordination across clinical systems," adds Arnone.

Business associate agreements (BAAs) further complicate matters. Many of the old rules will not apply once the updates become official, and that requires discussions between healthcare organizations and business associates, for example about adhering to new patching requirements for medical devices.

"Revising thousands of BAAs, I don't know where to begin there," Arnone says. "It will take the most well-resourced hospitals at least a year to negotiate those contracts in order to be in compliance with what they are proposing."

Arnone emphasized that CHIME and its members fully support strengthening cybersecurity in healthcare, but she described the proposed HIPAA Security Rule update as overly prescriptive and technically misaligned with how hospitals operate today. To protect patient safety, HHS should rework it in partnership with the field to ensure a modern and workable approach, she recommends.

"Providers are already implementing many of these protections, but the rule as proposed would impose significant cost and operational burden without delivering corresponding security benefits," Arnone warns.

The last time HIPAA was updated was in 2013, and the threat landscape looked a little different. Well, a lot different. HHS is responding to a significant increase in ransomware, large-scale data breaches, and operational disruptions across the healthcare sector, according to Mind CEO Eran Barak.

The ransomware attack against Change Healthcare is a prime example, as it racked up one of the largest data breaches in US history, affecting 190 million individuals. Not to mention all the widespread and prolonged disruptions to patient care, claims processing, and pharmaceutical services.

The updates are well-intentioned, but changes in regulatory mandates typically face opposition due to tight timelines and a lack of understanding of how to achieve compliance, Barak says.

While the direction of the proposed updates is correct, execution will be challenging, he adds, attributing that to how complex and interconnected healthcare environments are. Plus, healthcare organizations are constrained by patient safety and uptime requirements. Implementation challenges continue to pile on, especially around disruptions, which would be inevitable. More alarmingly, would that affect patient care, and to what extent?

"To apply prescriptive controls on tight timelines, especially across legacy systems and third-party platforms, won't be realistic for many organizations without significant disruptions," Barak reveals.

In addition to legacy systems, healthcare organizations hold highly sensitive information, like patient diagnoses or treatments; that's why threat actors are increasingly drawn to the sector, especially ransomware groups who threaten to expose that information on public data leak sites. "Key points of exposure for data security include unstructured data, third-party data sharing, and identity and access sprawl," explains Barak. "Agentic AI proliferation and limited visibility only add to the challenges."

"When you add ransomware and recovery gaps, cybersecurity quickly becomes a patient care issue, not just a data issue," he adds.

Cybersecurity standards must improve, but so do the proposed Security Rule updates. And there may be some answers.

In a separate blog post, CHIME said the Health Care Cybersecurity and Resilience Act of 2025 may offer a more realistic approach. The legislation includes many of the same cybersecurity provisions as the Security Rule, but CHIME said it's more practical because it couples mandates with grants to help hospitals, cancer centers, and rural health clinics. Financial burdens are a key critique of the Security Rule as proposed, especially since many hospitals face resource shortages.

If the Security Rule were revised, it should be phased and truly risk-based to make it more manageable, says Barak. "Prioritize the controls that reduce the most risk first, allow flexibility where clinical systems limit technical options, and provide clear implementation guidance," he recommends.

"Strong security works best when it fits how healthcare actually operates," he says.

Arielle Waldman
Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She previously lived in Florida, where she wrote for the Tampa Bay Times, before returning to Boston, where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and a poetry collection.