
HIPAA Compliance: Navigating New Challenges for Healthcare Providers

Healthcare providers across the country are dealing with two big challenges this year. First, new HIPAA rules could be coming that would change how you protect patient data. Second, cyberattacks on healthcare are at an all-time high.

The good news? You can get ahead of both problems with the right steps.

What’s Changing with HIPAA in 2025?

The Department of Health and Human Services proposed major updates to HIPAA’s Security Rule in January 2025. These changes aim to strengthen cybersecurity protections for electronic protected health information and address the changing healthcare environment and increased frequency of breaches and cyberattacks.

The biggest change removes the difference between “required” and “addressable” security measures. All implementation specifications will now be required with limited exceptions. This means practices can no longer skip certain security steps they thought were optional.

Other key updates include:

  • Multi-factor authentication for all systems that handle patient data
  • Written plans for restoring systems and data within 72 hours of an outage or loss
  • Regular security reviews and updated policies
  • Better tracking of who can access patient information

The comment period for these proposed rules closed on March 7, 2025, with HHS receiving over 4,000 comments from healthcare stakeholders. While the final rules haven’t been published yet, experts expect significant changes to move forward given the bipartisan support for stronger healthcare cybersecurity.

That means healthcare providers should start preparing now. HIPAA consultants in Richmond and across the country are already helping practices understand what these changes mean for their daily work.

Cyberattacks Are Getting Worse

There’s no sense in sugarcoating it. One study counted 1,929 ransomware attacks on businesses between October 2024 and March 2025. Eight key verticals accounted for 71% of the ransomware attacks in this period – and healthcare was one of them.

Healthcare remains a top target because patient data is valuable to criminals. The industry tops the list with the most expensive breach recoveries, coming in at USD 9.77 million on average. When attackers shut down systems, patient care stops. This puts pressure on providers to pay quickly to get back online.

Where Healthcare Providers Are Vulnerable

According to findings from Sophos, the most common attack vectors in healthcare ransomware attacks last year were exploited vulnerabilities and compromised credentials. In other words, more than two-thirds of attacks succeed because software isn’t updated or passwords aren’t strong enough.

The attacks are also taking longer to fix. 37% of healthcare organizations said it took more than a month to recover from an attack. This extended downtime hurts both patient care and practice finances.

The silver lining is that many of these attacks can be prevented. The most common attack methods happen because basic security measures aren’t in place – which is exactly why conducting a thorough security risk assessment is so important.

How to Carry Out a Security Risk Assessment

Every healthcare provider must do a security risk assessment (SRA) each year. Think of it as a health checkup for your data security.

We recommend taking it one step at a time to stop you from getting overwhelmed:

Step 1: Find Your Patient Data

Look everywhere patient information lives in your practice. This includes:

  • Computer systems and servers
  • Mobile devices like tablets and phones
  • Email systems
  • Cloud storage services
  • Paper files that get scanned

Don’t forget about business partners who handle your data, like billing companies or IT support.

Step 2: Spot the Threats

Consider any past incidents you’ve experienced, as well as potential threats targeting the healthcare industry (we discussed 2025’s biggest threats here).

Common dangers include:

  • Hackers trying to break into your systems
  • Employees accidentally sending data to the wrong people
  • Lost or stolen devices with patient information
  • Software that doesn’t get security updates

Step 3: Check Your Current Protection

Review what security measures you already have:

  • Password requirements and user accounts
  • Firewalls and antivirus software
  • Staff training on data protection (check out our video on this)
  • Backup systems for important files

Step 4: Rate the Risks

For each threat you find, ask two questions: How likely is this to happen? How bad would the damage be?

Focus your attention on high-risk areas first.

Step 5: Make a Plan

Write down specific steps to fix the problems you found. Set deadlines and assign who’s responsible for each task.

Remember to document everything. HIPAA compliance requires written records of your assessment and the actions you take.

HIPAA Compliance Guidance: Getting the Right Help

Many small and midsized practices don’t have IT security experts on staff. That’s where compliance support for healthcare providers becomes essential. As HIPAA consultants in Richmond and other areas, we can guide you through complex requirements without the technical jargon.

Our healthcare IT services help providers stay compliant while focusing on patient care. We offer customizable solutions that align with industry best practices, ensuring your patient files remain safe and secure while meeting new regulatory demands.

Our team can help you navigate the 2025 HIPAA updates and strengthen your defenses against cyber threats. This includes conducting thorough security assessments, implementing technical safeguards, and providing ongoing compliance support for healthcare providers.

Take Action Today

The healthcare industry faces serious security challenges, but taking proactive steps now can protect your practice and patients.

Start by:

  • Reviewing your current security practices
  • Training staff on data protection basics
  • Creating or updating your incident response plan
  • Working with experienced HIPAA compliance guidance professionals

Remember, protecting patient data isn’t just about following rules. It’s about maintaining the trust your patients place in you every day.

Don’t wait for new rules to become final (or for an attack to happen). Talk to us about HIPAA compliance support today.