Cybersecurity In Focus

What the HIPAA rulemaking notice means for you

Tech CISO Scott Mattila discusses proactive measures critical to reducing cyber risks and describes the steps hospitals and health systems can take to prepare now to comply with crucial mandates.
By Bill Siwicki, March 11, 2025, 12:33 PM

Photo caption: Mabel (left) and Benson (center) and their best friend Scott Mattila, CISO and COO of Intraprise Health. Photo: Scott Mattila

Over the past decade, cybersecurity breaches have skyrocketed, particularly in healthcare. The February 2024 ransomware attack on Change Healthcare was a major wake-up call, prompting, among other reforms, the notice of proposed rulemaking (NPRM) that HHS released in December 2024 to update the HIPAA Security Rule and strengthen its cybersecurity requirements.

This follows the HHS healthcare sector Cybersecurity Performance Goals (CPGs), announced in December 2023, signaling a push for stricter security measures across the industry.

Despite the HITECH Act being signed more than 15 years ago, HIPAA hasn't kept pace with modern cyber threats, experts say. The NPRM aims to eliminate ambiguity in the original security rule and reinforce essential safeguards.

Key proposed changes include:

  • Making all implementation specifications required, with specific, limited exceptions, by eliminating the "addressable" category.

  • Requiring a documented technology asset inventory and a network map showing how ePHI moves through the organization's systems, both updated at least annually, along with penetration testing at least every 12 months and vulnerability scanning at least every six months.

  • Formalizing security and risk management programs with structured policies, accurate self-assessments and documented risk registers.

  • Enhancing incident response and disaster recovery, including a requirement to restore critical electronic information systems and data within 72 hours of a loss.

  • Strengthening access governance so that workforce changes are reflected promptly, for example by terminating a departing workforce member's access to ePHI within one hour.

  • Mandating encryption of ePHI at rest and in transit, multi-factor authentication and anti-malware protections to safeguard sensitive data.

For organizations still struggling with asset management and budget constraints, these updates could be a heavy lift. Because this is an agency rulemaking, it does not go through Congress; it proceeds through HHS's notice-and-comment process, and a final rule had been anticipated by mid-2025. However, with ongoing leadership changes and an executive order pausing new regulations, it's uncertain whether these updates will take effect in 2025 or be pushed to 2026.

Either way, the message is clear: Healthcare organizations need to strengthen their cybersecurity posture before they become the next breach headline.

Scott Mattila is CISO and COO of Intraprise Health, a healthcare compliance and cybersecurity organization that is part of Health Catalyst. We sat down with him to get his expert views on proactive measures critical to reducing cyber risks, steps hospitals and health systems can take to prepare now, keys to complying with crucial mandates, and the impact of direct liability on business associates.

Q. Why are prescriptive, proactive measures critical to reducing cyber risks in healthcare?

A. Prescriptive, proactive measures are essential to reducing cyber risks in healthcare because they eliminate ambiguity and ensure organizations implement the necessary controls to protect electronic protected health information. Historically, the open-ended nature of HIPAA regulations has led some organizations to interpret requirements subjectively rather than adopting the technical safeguards needed for robust security.

By leveraging frameworks such as HITRUST and NIST, organizations gain clear expectations for achieving security maturity and resilience, minimizing the likelihood of cyber threats. As a colleague often says, "It's akin to maintaining good health – exercising, eating vegetables and taking vitamins; in cybersecurity, we must plan and act for the future."

The healthcare community has long recognized the persistent cyber threats in the industry, with the Cybersecurity Practice Guidelines (CPGs) signaling the inevitability of future legislation – even if some were initially hesitant to acknowledge it. While the threat landscape continues to evolve, implementing basic prescriptive technical controls remains critical.

The NPRM has outlined these measures to help organizations anticipate challenges and mitigate the risk of major cybersecurity incidents.

Q. What are some steps for hospitals and health systems to prepare now?

A. With proposed security regulations on the horizon, hospitals and health systems should start preparing by identifying vulnerabilities and prioritizing mitigation efforts. The first step is engaging leadership and key stakeholders to ensure everyone is aligned on upcoming changes and compliance strategies.

A gap analysis is also essential – whether conducted internally or with a specialized security vendor – to assess risks and determine where the most significant improvements are needed. Quick wins, like strengthening access controls and improving governance, should be tackled first, while larger initiatives like network segmentation and asset management should be planned with clear milestones.

It's also important to be realistic – not everything can be done at once. A phased approach that balances immediate improvements with long-term security goals will be the most effective. Organizations should also evaluate their current security tools and technology stack to identify opportunities for consolidation or more integrated solutions.

Finally, strong vendor partnerships are key. Working with trusted vendors that understand the evolving regulatory landscape can make compliance and security efforts more effective.

Q. What are keys to complying with crucial mandates, such as encryption, multi-factor authentication and vulnerability management?

A. Compliance with critical mandates should begin with identifying your organization's most vulnerable areas, prioritizing risks and assembling a cross-functional team to address them. Whether it's updating policies, introducing new procedures or deploying security tools, the focus should be on both meeting requirements and strengthening overall resilience.

The NPRM isn't just about checking compliance boxes – it emphasizes prescriptive measures designed to protect against an increasingly complex and evolving threat landscape.

A proactive, well-structured approach ensures that encryption, multi-factor authentication and vulnerability management aren't just regulatory obligations but essential safeguards for long-term security.

Q. What is the impact of direct liability on business associates and what does this mean for compliance partnerships?

A. The proposed rule significantly increases accountability for business associates, removing the distinction between mandatory and addressable requirements. Essentially, they're now considered direct extensions of covered entities, which means greater responsibility – and liability – when it comes to protecting patient information.

One major change is the expanded definition of a business associate, now including more subcontractors handling PHI. This means covered entities will step up oversight, introducing stricter third-party risk management and conducting more frequent security reviews.

Business associates must also notify covered entities of any PHI breaches within 24 hours and will now face direct enforcement actions if they fail to comply with the HIPAA Security Rule.

For business associates, this shift makes compliance more critical than ever. They need to align with covered entities on security expectations, strengthen internal controls and take a proactive role in ensuring HIPAA compliance to avoid regulatory penalties.

Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.

Topics: Government & Policy, Privacy & Security