
Imagine designing a healthcare facility’s cybersecurity framework according to age-old HIPAA standards only to be hit with a massive fine, anyway. This threat is real, thanks to the pending arrival of new HIPAA requirements.
In December 2024, the Department of Health and Human Services (HHS) proposed changes that would vastly expand HIPAA’s cybersecurity rules. These alterations are so drastic that experts are calling the revamped set of regulations “HIPAA 2.0.” While there’s no way to know exactly when these rules will take effect, they could be imminent.
Even if the new rules aren’t implemented, the current environment should have healthcare organizations redoubling their commitments to cybersecurity. The Office for Civil Rights (OCR), which oversees HIPAA enforcement, is said to be stepping up enforcement, and annual fines for violations can reach $2,190,294.
Meanwhile, the rise of AI presents new security challenges. In our last post, we explored how AI is transforming patient care and hospital operations. But all that innovation comes with a catch: expanded attack surfaces and heightened regulatory scrutiny.
Below, we break down the cyber threats and regulatory challenges prevalent in the AI era and we explain how technology advisors can help healthcare organizations close compliance gaps.
What Could Change with HIPAA Security Rule Modernization
The proposed changes to HIPAA, a framework first established in 1996, would modernize the regulations to account for today’s cybersecurity needs.
Organizations that handle electronic protected health information (ePHI) would be legally required to assess risks, create incident response plans, and adopt the latest cybersecurity tools and guidelines. In essence, what were once “best practices” would become legal requirements.
Here’s a breakdown of the proposed HIPAA rule changes.
“Addressable” Standards Become “Required”
Currently, HIPAA distinguishes between “required” actions, which must be taken, and “addressable” actions, which organizations can decide not to take, as long as they explain their reasoning. The new rules would erase that distinction and, with a few exceptions, transform the “addressable” standards into requirements.
New Risk Analysis Requirements
HIPAA 2.0 would require organizations to create and regularly update a complete inventory of their IT assets, as well as a network map. Organizations would then be required to use these resources to identify key threats and vulnerabilities and produce a written assessment establishing the risk level for each threat.
Enhanced Planning and Response Requirements
Revamped HIPAA regulations would require organizations to create a detailed incident response plan. This plan would have to include:
- Procedures for restoring systems within 72 hours of an incident
- An analysis establishing which parts of a system should be prioritized for restoration
- Procedures for testing incident response plans
Additionally, organizations would be required to produce written cybersecurity rules and policies.
Demand for Increased Cybersecurity Measures
The new HIPAA regulations would require organizations handling ePHI to adopt a series of cybersecurity measures, including:
- ePHI encryption (in transit and at rest)
- “Technical controls” for physical workstations, including anti-malware protection, disablement of risky network ports, and removal of extraneous software
- Multi-factor authentication (MFA)
- Network segmentation
- Vulnerability scanning (every six months) and penetration testing (every twelve months)
- Separate technical controls for ePHI backup and recovery
With these rules, the federal government is acknowledging the holistic approach required to ensure data security. Simply protecting ePHI will no longer be enough. Once these rules are in place, organizations will be required to secure their entire IT infrastructure since a breach anywhere in the system could ultimately endanger ePHI.
The updated regulations would also stipulate how much time businesses have to meet these requirements.
New Documentation and Reporting Standards
With the adoption of HIPAA 2.0, businesses will be required to provide “written documentation of all Security Rule policies, procedures, plans, and analyses.” This means ad-hoc security frameworks, which were never ideal on an operational level, could soon be illegal as well.
The new rules will also update notification requirements in the case of a breach. If a “business associate” or subcontractor is forced to activate its cybersecurity contingency plan, it will be required to notify the “covered entity” (i.e., the healthcare organization) within 24 hours. This promotes resiliency in the event of “third-party” breaches, which are becoming increasingly common.
Why AI Expansion Raises the Compliance Stakes
The proposed HIPAA rule changes are arriving at the same time as another major shock to the cybersecurity status quo: the rise of artificial intelligence. AI is a wonderful tool for medical facilities, unlocking new efficiencies and enabling unprecedented levels of personalized care, but it also provides greater surface area for threat actors to attack.
Plus, those threat actors are using AI, too – often with devastating effect.
For healthcare organizations to protect their patients and remain HIPAA-compliant in the AI era, extra precautions are required.
AI Increases Attack Surface Area
The healthcare industry is adopting AI especially quickly. An estimated 66% of doctors now use AI while treating their patients, and 46% of hospitals employ AI agents as part of their revenue cycle management process. Meanwhile, remote medical monitors with AI capabilities are tracking patients from their homes.
This AI explosion is improving patient outcomes and boosting administrative efficiency, but it creates profound security and compliance risks. To function properly, AI systems require access to large quantities of patient data. Imagine a predictive AI solution that draws from a patient’s genomics, financial risk scores, and behavioral health information to conduct risk analyses and suggest preventive care. All that highly sensitive data is now present within the AI system, meaning access points must be properly secured.
PolyAI, a leading provider of AI agents and a top supplier for medical facilities, describes the situation like this: “As healthcare adopts more advanced AI and automation, evolving regulatory conversations are pushing organizations to rethink how patient data is accessed, shared, and protected.”
The right security framework is essential for securing data flowing into AI systems.
Threat Actors Leverage AI
Phishing attacks have always represented a danger to healthcare organizations, with threat actors targeting staff members with supposedly legitimate messaging. Unfortunately, AI has allowed cybercriminals to make their phishing campaigns significantly more sophisticated.
AI tools can scan a target’s online presence, then craft messages that are shockingly specific and personalized. Worse, attackers can now produce these types of personalized messages at scale. In one study, an astonishing 60% of participants “fell” for an AI-generated phishing email. That level of “success” for threat actors could be devastating for businesses that handle large amounts of ePHI.
In response to the threat, healthcare organizations need to double down on educating staff, while also ensuring the proper cybersecurity protocols are in place. Fortunately, many security service providers include employee training as one of their standard offerings.
The Most Common Compliance Gaps (and How to Fix Them)
In working with healthcare organizations, Intelisys engineers repeatedly encounter some common cybersecurity shortfalls that will become outright violations when the HIPAA 2.0 requirements take effect. By addressing these gaps now, organizations can avoid costly fines and reputational damage down the road.
Incomplete or Outdated Risk Assessments
The new HIPAA rules state that organizations must conduct regular risk assessments, based on detailed inventories of IT assets and a complete network map. Organizations can conduct these assessments in-house or seek assistance from outside experts and software solutions. Intelisys sales partners can also help develop a risk assessment strategy, while simultaneously working with a Managed Security Service Provider (MSSP) to enable 24/7 monitoring.
Unsegmented Medical IoT Devices
Under HIPAA 2.0, network segmentation, which entails isolating vulnerable components to ensure breaches won’t impact the entire network, isn’t just a smart policy – it’s a legal requirement. Medical IoT devices are especially worthy of segmentation, because they’re often deployed remotely, and they’re particularly vulnerable to attack. Implementing Secure Access Service Edge (SASE) infrastructure is a popular way to segment these devices.
Lack of MFA for Remote Access
Multi-factor authentication (MFA), which requires end-users to verify their identities in two or more ways when accessing a network, has become a standard cybersecurity feature. It’s especially crucial in healthcare, where, thanks to remote work and telehealth, staff are increasingly likely to access digital tools from beyond an organization’s physical facilities. Furthermore, the new HIPAA rules would make MFA a legal requirement. Fortunately, adopting zero-trust network access (ZTNA) solutions is a relatively straightforward fix.
No Formal Incident Response Plan
The updated HIPAA regulations will demand written incident response planning from healthcare organizations. Stakeholders will also be expected to test their plans with tabletop exercises and Business Continuity Plan (BCP) testing. Intelisys sales partners, with the guidance of Intelisys engineers, can help customers develop an incident response framework that meets HIPAA standards.
Beyond HIPAA — The Broader Regulatory Landscape
While HIPAA is undoubtedly the largest regulatory framework that healthcare organizations face, it is not the only one. Facilities must contend with a variety of cybersecurity rules and standards, many of which are in constant flux.
Non-HIPAA regulations include:
- The HITECH Act. The main purpose of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act was to incentivize the use of electronic health records (EHRs) – but it also strengthened core HIPAA regulations and increased penalties for noncompliance.
- The FTC’s Health Breach Notification Rule. The Federal Trade Commission (FTC) requires vendors that are not subject to HIPAA to report any data breaches that could affect personal health records.
- State-level privacy laws. Many states – just over half – have instituted their own consumer privacy laws on top of existing federal regulations. Healthcare organizations operating in a particular state are subject to that state’s legal standards.
With multiple regulatory frameworks in play, compliance involves more than a single checklist.
What “Baseline Readiness” Looks Like in Practice
When it comes to regulatory compliance in the healthcare industry, the requirements are manifold, and the stakes are high. But there is a clear way forward. Committing to a robust cybersecurity framework with HIPAA-compliant components will protect patient data while keeping the regulators at bay.
Compliance starts at the infrastructure level. “The next generation of healthcare tech will rely on systems that can securely interact across platforms while maintaining strict privacy controls,” writes our supplier PolyAI. “For end users (clinicians, administrators, and care coordinators) this means tools that enable faster responses to patient needs but do not compromise compliance.”
Healthcare Cybersecurity Playbook:
- Continuous (not annual) risk assessment
- Full device/asset inventory (including IoT and medical devices)
- ZTA and MFA in place for all remote access
- A segmented network that limits lateral movement
- Tested incident response and business continuity plans
- Third-party vendor risk governance in place
The above playbook can be implemented alongside widespread AI deployment. As PolyAI says, “The key challenge will be balancing AI’s need for data access with the safeguards required to maintain patient privacy and trust in an increasingly interconnected healthcare ecosystem.”
This playbook, while comprehensive, is entirely achievable, especially with the right technology advisor on board.
Learn More
Ready to assess your organization’s compliance readiness? Want to dive deeper into the technologies mentioned above? Explore IoT, Cyber and more in our Technology Guide in MyIntelisys. Reach out to our Solutions Engineers for any specific questions you have on opportunities around healthcare.