
Jan 16 2026
Security

How Healthcare Organizations Can Navigate Security Changes Linked to HIPAA Updates

For many providers, these changes will be major hurdles even as they prioritize stronger data protections.

Major proposed changes to the security guidance tied to HIPAA compliance are underway, with the expectation that healthcare organizations will implement them to strengthen the protection of electronic protected health information.

After a grace period, a deadline to adopt the new compliance guidelines may fall in May 2026. For many healthcare organizations, the updated requirements could be a pain point. Last month, more than 100 healthcare organizations signed a letter led by the College of Healthcare Information Management Executives asking the U.S. Department of Health and Human Services to rethink the updates over compliance concerns.

“The proposal would dramatically expand and fundamentally alter existing federal cybersecurity requirements for hospitals and healthcare providers. While providers firmly agree that cyber safety is patient safety, signatories warn that the rule would impose significant unfunded mandates, mandate prescriptive technical controls that conflict with modern healthcare IT architectures, and substantially increase documentation, reporting and compliance burdens for already stretched IT and security teams,” the group said in a statement.


These organizations added in the release that following the updates would “drive up costs, require extensive infrastructure redesigns and divert limited resources away from patient care and frontline operations” through what they describe as the proposal’s “rigid, one-size-fits-all requirements.”

This would place an undue burden on healthcare organizations. Complying with these requirements is costly, but cost is part of healthcare's regulatory burden. While the industry waits for a response from HHS, organizations are proactively strengthening their security strategies and identifying which aspects of the updates may present specific challenges.

A Shift to Stronger Data Protections

Traditionally, healthcare organizations promote clinicians or candidates with a clinical background into IT security and compliance roles. But recently, I’ve noticed that these roles are now being filled with professionals who have backgrounds in finance, banking or other enterprise experiences where data controls work differently. This is perhaps influencing the change toward stronger data protections, especially considering that personal medical data is more valuable to malicious actors than stolen credit card information.

Healthcare is also thought of as slower to adopt technological upgrades, with most organizations juggling technical debt and legacy systems. However, over the past five years, many health systems have shown that they are capable of staying agile and scaling services in the face of a national health emergency while prioritizing improved security strategies.

There has already been a movement to tackle basic foundations of care and technology, such as addressing identity and access management. Because a single healthcare organization can have hundreds or even thousands of users requiring access to their resources, IAM controls are paramount. Who needs to access the network? Which department or vendor or agency do they work for? How long will they need access for? Some of the biggest changes for HIPAA security compliance have been around durable multifactor authentication (MFA).


Why Is Getting MFA Right a Challenge in Healthcare?

If we break down a hospital into four functional areas — clinical, operational, administrative and technological — those last three areas are typical to the lifecycle of any business. It’s the first one, the clinical aspect, that is unique to healthcare and requires specific workflow considerations for clinicians.

For example, first-shift nurses may have several devices that they need to log in and out of throughout the day in several locations. The amount of time it takes to reauthenticate to access critical applications, even if it’s only a minute and a half, can have a huge impact on patient care. That is the great challenge in the patient experience and within the clinical continuity of care model: Workflow is greatly impacted by MFA.

There is also the challenge of provisioning and deprovisioning user accounts within a healthcare organization. Think about pro re nata (PRN) nursing: Organizations occasionally need flex staffing, and very few hospitals have onboarding processes mature enough to set up usable accounts that are discarded at the end of a shift. That is a fast-paced lifecycle for an account, and most providers are not equipped to handle it.

The detailed compliance timelines proposed for the updated security rule, such as 1-hour access termination and 72-hour system restoration requirements, indicate a regulatory intent to impose a higher standard of operational agility and responsiveness. This reflects a recognition that traditional, less prescriptive approaches are insufficient against the speed and sophistication of modern cyberthreats. The burden shifts from merely having security controls to demonstrably operating them with specific, measurable performance metrics. This implies a significant need for highly automated processes, well-rehearsed incident response plans and continuous monitoring capabilities.
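The two passages above describe shift-scoped accounts and a measurable one-hour termination window. As an added example that is not part of the original article, the Python below models both: it provisions accounts that are valid only for one scheduled shift, disables them when the shift ends, and audits a set of constructed identity log events to flag terminations that were late or never completed. The user ids, departments, sponsors and timestamps are all constructed for illustration; the one-hour window is taken from the article.

```python
"""Shift-scoped account lifecycle and a 1-hour termination audit.

Added example (not from the article). Models PRN/flex accounts that are
valid for a single shift and checks access-removal log events against
the one-hour termination window cited in the proposed rule.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Termination window cited in the article's description of the proposed rule.
TERMINATION_WINDOW = timedelta(hours=1)


@dataclass
class ShiftAccount:
    """A flex (PRN) account that is only valid for one scheduled shift."""
    user_id: str
    department: str
    sponsor: str                     # department, vendor or agency that requested access
    shift_start: datetime
    shift_end: datetime
    disabled_at: datetime | None = None

    def is_active(self, now: datetime) -> bool:
        """Active only inside the shift window and only until it has been disabled."""
        return self.disabled_at is None and self.shift_start <= now < self.shift_end


def provision_shift_account(user_id: str, department: str, sponsor: str,
                            shift_start: datetime, shift_hours: int) -> ShiftAccount:
    """Create an account whose lifetime is bound to one shift."""
    return ShiftAccount(user_id, department, sponsor,
                        shift_start, shift_start + timedelta(hours=shift_hours))


def expire_accounts(accounts: list[ShiftAccount], now: datetime) -> list[str]:
    """Disable every account whose shift has ended; return the ids disabled in this pass."""
    disabled = []
    for acct in accounts:
        if acct.disabled_at is None and now >= acct.shift_end:
            acct.disabled_at = now
            disabled.append(acct.user_id)
    return disabled


def audit_terminations(events: list[dict], now: datetime) -> dict[str, tuple[str, int]]:
    """Compare termination requests with matching access-disabled events.

    events: constructed log records {"user", "event", "ts"} where event is
    "termination_requested" or "access_disabled".
    Returns {user: (status, lag_minutes)} with status ok / late / pending / missing.
    """
    requested: dict[str, datetime] = {}
    disabled: dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "termination_requested":
            requested.setdefault(ev["user"], ev["ts"])   # keep the earliest request
        elif ev["event"] == "access_disabled":
            disabled.setdefault(ev["user"], ev["ts"])    # keep the first completion
    findings = {}
    for user, req_ts in requested.items():
        done_ts = disabled.get(user)
        if done_ts is None:
            lag = now - req_ts
            status = "missing" if lag > TERMINATION_WINDOW else "pending"
        else:
            lag = done_ts - req_ts
            status = "ok" if lag <= TERMINATION_WINDOW else "late"
        findings[user] = (status, int(lag.total_seconds() // 60))
    return findings


# Constructed sample log: one on-time removal, one late removal, one never completed.
SAMPLE_EVENTS = [
    {"user": "rn_flex_01", "event": "termination_requested", "ts": datetime(2026, 5, 4, 19, 0)},
    {"user": "rn_flex_01", "event": "access_disabled", "ts": datetime(2026, 5, 4, 19, 20)},
    {"user": "vendor_img_02", "event": "termination_requested", "ts": datetime(2026, 5, 4, 17, 0)},
    {"user": "vendor_img_02", "event": "access_disabled", "ts": datetime(2026, 5, 4, 19, 45)},
    {"user": "contract_it_03", "event": "termination_requested", "ts": datetime(2026, 5, 4, 16, 30)},
]
AUDIT_NOW = datetime(2026, 5, 4, 20, 0)


def demo_shift_expiry() -> tuple[list[str], list[bool]]:
    """Provision two flex accounts and run the expiry pass at the day-shift handover."""
    start = datetime(2026, 5, 4, 7, 0)
    accounts = [
        provision_shift_account("rn_flex_01", "ICU", "nursing_office", start, 12),
        provision_shift_account("rn_flex_04", "ED", "staffing_agency", start + timedelta(hours=12), 12),
    ]
    handover = datetime(2026, 5, 4, 19, 0)
    disabled = expire_accounts(accounts, handover)
    return disabled, [a.is_active(handover) for a in accounts]


if __name__ == "__main__":
    print(demo_shift_expiry())
    for user, (status, minutes) in audit_terminations(SAMPLE_EVENTS, AUDIT_NOW).items():
        print(f"{user}: {status} ({minutes} min)")
```

The audit keys on the earliest request and the first completion per user, so a repeated request does not reset the clock; an open request older than the window is reported as "missing" rather than "pending" so it surfaces as a finding in the same run.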


How Are Updated Auditing Expectations a Challenge for Healthcare?

Many organizations may be starting from zero because they have not been doing this level of auditing. They have to put a policy taxonomy in place for document retention. In many organizations, if you ask how long something should be kept, the answer is “forever.” This is because organizations want to ensure they have records available in case an issue arises, no matter how much time has passed since the original event. But there are elements in healthcare, such as imaging, that take up enormous storage space.

On the other hand, organizations that do plan to retire documentation often lack a defined retention period after which records are disposed of, and they don't have the technological processes to manage storage or expenses over time.

Healthcare organizations can look to other industries to see how they approach data security. For example, the payment card industry has established data security standards and specifications that have been around for over a decade. Follow the lead of financial organizations. Patient records are even more important than financial information, so protect them at all costs.

Changes Are Not Just for Hospitals

We tend to focus on HIPAA as something that applies only to traditional providers. But think of a senior care organization with older adult residents: Protected health information matters there as well. While we look at this as a healthcare provider issue, HIPAA compliance and responsibility are all-encompassing within many environments, and anyone who handles healthcare data must adhere to it.

Compliance is necessary for anyone managing healthcare data, including those who may not have considered it relevant before. As the need to protect and transfer health information grows, HIPAA compliance now extends into financial and lifestyle management, not just clinical care.

This article is part of HealthTech’s MonITor blog series.


hirun/Getty Images