
Jan 20 2026
Security

Providers Evaluate Security as Updated HIPAA Compliance Looms

Some healthcare providers already meet potential new HIPAA security requirements, but others may face significant challenges.

As federal regulators consider more stringent HIPAA security requirements, Kern Medical Chief Technology Officer Craig Witmer believes his 222-bed hospital in Bakersfield, Calif., is already ahead of the curve.

Kern County spun off the hospital as an independent entity in 2016, but the county IT department continued to handle some operations, including security, during the transition. When Witmer took over in 2018, he rebuilt the IT infrastructure from scratch, investing in security and deploying a new data backup and recovery solution.

Today, Witmer continuously strengthens Kern Medical’s cybersecurity posture because of market forces. Healthcare is a major cyberattack target, so cyber insurance companies often mandate stronger security measures.

“We’re in good shape from what I’ve seen of the proposed HIPAA requirements,” he says.


A Response to Stronger Data Protections: Is This the Right Approach?

At the start of 2025, the U.S. Department of Health and Human Services proposed updated HIPAA security requirements that include mandatory data backup and recovery, encryption, multifactor authentication, network segmentation, real-time monitoring, regular security testing and anti-malware software.

Providers with the budgetary and staff resources to proactively invest in advanced cybersecurity measures say they’re well positioned for any new compliance requirements. However, while many healthcare IT leaders and organizations agree that stronger security guidance is necessary, some, such as the College of Healthcare Information Management Executives, say that an updated HIPAA Security Rule is not the right solution.


A number of the conditions would overtax already-burdened IT staffs, including a mandatory compliance deadline that would be a “shock to our system,” says CHIME Director of Federal Affairs Chelsea Arnone.

“We strongly support improving cybersecurity across healthcare, but this proposal is overly prescriptive, requires a lot of documentation and is technically misaligned with how healthcare systems operate,” Arnone adds.

Before the end of 2025, CHIME organized a joint letter with more than 100 hospital systems, healthcare organizations and associations asking HHS to withdraw its proposed update and to collaborate with providers to develop a more practical, risk-based cybersecurity framework.

It’s unclear what HHS will do. According to the agency’s latest unified agenda, it anticipates releasing a final rule in May 2026, but that date is not binding, Arnone says.

How Kern Medical Strengthened Its Cybersecurity From Scratch

When Witmer joined Kern Medical, his immediate priorities were to upgrade outdated data center and networking equipment, and to replace an inadequate tape backup system and an insufficient network-attached storage replication system. As part of a broad modernization effort, the changes included a new electronic health records system and financial applications.

That year, Witmer deployed new Cisco servers and networking equipment, storage from Pure Storage and a new data backup and recovery solution from Rubrik, which enables immutable backups that cannot be changed or rewritten, a critical capability that protects against ransomware attacks.

To strengthen security further, Witmer addressed excessive user permissions that could allow attackers to spread ransomware throughout the network if credentials are compromised. He implemented role-based access control by adopting Active Directory on-premises, Entra ID on Microsoft Azure and a network access control solution.

He has also segmented the network to reduce the attack surface and adopted Microsoft’s Entra MFA, Microsoft Defender endpoint security and BitLocker encryption. Increased security staffing now includes support from a virtual CISO and an in-house security analyst team that handles daily operations.

Moving forward, Witmer has put together an artificial intelligence governance committee to develop security, privacy and usage policies on generative AI tools. He also plans to outsource 24/7 security monitoring because the hospital’s cyber insurance company has signaled that it will be a requirement in the future.

Overall, much of the proposed HIPAA security guidance, including MFA, data backups and network segmentation, mirrors the requirements set by Kern Medical’s insurance company, Witmer says.

“What I see on the list of proposed requirements for the HIPAA Security Rule, we already have in place,” he says. “We’re already exceeding their minimum requirements.”

29%: The percentage of healthcare providers that cite regulatory pressures and changes as the top factor influencing their organization’s cybersecurity approach

Source: KLAS Research and EY, “US Healthcare Cyber Resilience Survey: Why elevating cybersecurity to a strategic priority can drive transformation,” November 2025

San Juan Regional Medical Center’s Rapid Security Transformation

In Farmington, N.M., San Juan Regional Medical Center has beefed up its cyberdefenses so much in the past year that CIO John Gaede believes the hospital could implement most if not all of the proposed HIPAA technical controls within the required six months.

“We’re hardening this place. We’re on the road to every one of these items already,” Gaede says.

When he joined the hospital in early 2024, Gaede inherited a technology environment that was “broken at every level,” from infrastructure to security. He decided to bring outsourced IT operations back in house and prioritize security.

This security-first approach was shaped by his previous experience as CIO of Sky Lakes Medical Center in Oregon, where a 2020 ransomware attack caused a 23-day outage that took the hospital seven months to fully recover from.


Gaede recruited CISO Micheal Perryman, his former security manager who guided Sky Lakes’ recovery process, and together, they developed a comprehensive security strategy for San Juan Regional Medical Center. With strong leadership support, they invested in a five-year, $6.5 million Cisco Enterprise Agreement in 2025 to modernize and secure network infrastructure.

The hospital replaced all end-of-life network switches and firewalls and turned to Cisco’s security portfolio for MFA, monitoring, network access and endpoint device protection. There’s also an extended detection and response service that works as the hospital’s 24/7 security operations center (SOC), monitoring threats across the entire IT environment.

“We’re a rural, not-for-profit hospital, and now we have this level of tools to help us be successful,” Gaede says.

The investment proved its worth in October 2025, when a targeted distributed denial of service attack hit the medical center. Its new internal security team coordinated with the Cisco Talos Intelligence team, implementing DDoS mitigation tools within two hours. Core systems continued operating, and patient care wasn’t interrupted. “We were able to prevent the organization from going offline,” he says.

Next up, in 2026, Gaede says the hospital will roll out Cohesity’s immutable data backup solution to further bolster security and resiliency.


NIST Cybersecurity Framework Enables HIPAA Readiness

As a major academic health system, the University of Oklahoma’s OU Health may have more resources than a community hospital, but it’s an even bigger target for cyberthreats.

With more than 1,300 physicians and 11,000 employees, OU Health continuously bolsters its security to counter the increased risk. CISO Monte Coulter has more than quadrupled the IT security staff, from six to 26 people, since joining three years ago.

The larger staff is split into four focus areas: identity and access management; governance, risk and compliance; cybersecurity operations; and engineering, which implements security tools such as the security information and event management software used in the SOC.

The health system has long used the security tools required by the proposed HIPAA guidance, including Rubrik’s backup and recovery solution as well as MFA, identity governance and access management solutions. Automating account provisioning with appropriate access rights has eased workflows. “Before, everything was manual, which was error-prone,” Coulter says.

Next, Coulter wants to improve authentication by requiring MFA for every login or authentication event, using new context-aware capabilities. If users work consistently from trusted devices and locations, they may not be prompted repeatedly to authenticate. But login attempts from new locations or devices will require authentication, he says: “It’s smart, behavioral, contextual MFA.”
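The decision logic behind the contextual MFA that Coulter describes can be made concrete. The following is an added illustration, not code from OU Health, Microsoft or any vendor named in this article: it keeps a per-user memory of device-and-location pairs that have already passed an MFA challenge, lets a sign-in from a known pair through silently, and forces a new challenge when either the device or the location is new (or when the two have been seen only separately). A failed challenge never enrolls the pair, and one user's verified device does not vouch for another user. The user names, device identifiers and locations are constructed sample data.

```python
"""Contextual (risk-based) MFA policy evaluator -- added example, not production code.

Models the behaviour described in the article: sign-ins from a device/location
pair the user has already verified with MFA are not prompted again; a sign-in
from a new device, a new location, or an unseen combination of the two is.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    device_id: str
    location: str                      # city or network zone (constructed values)
    mfa_passed: Optional[bool] = None  # outcome of the challenge, if one is issued


@dataclass
class MfaPolicy:
    """Per-user memory of (device, location) pairs that have passed MFA."""
    trusted: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)

    def requires_mfa(self, ev: LoginEvent) -> bool:
        """A prompt is required unless this exact pair was verified for this user."""
        return (ev.device_id, ev.location) not in self.trusted.get(ev.user, set())

    def reason(self, ev: LoginEvent) -> str:
        """Explain why a prompt was issued (useful for audit logs and tuning)."""
        known = self.trusted.get(ev.user, set())
        if not known:
            return "no verified context yet for user"
        new_device = ev.device_id not in {dev for dev, _ in known}
        new_location = ev.location not in {loc for _, loc in known}
        if new_device and new_location:
            return "new device and new location"
        if new_device:
            return "new device"
        if new_location:
            return "new location"
        return "device and location seen separately, not together"

    def record(self, ev: LoginEvent) -> None:
        """Enroll the pair only after a successful challenge; a failure enrolls nothing."""
        if ev.mfa_passed:
            self.trusted.setdefault(ev.user, set()).add((ev.device_id, ev.location))


def evaluate(policy: MfaPolicy, events: List[LoginEvent]) -> List[Tuple[str, str, str]]:
    """Return (user, decision, reason) for each sign-in, updating trust as it goes."""
    decisions = []
    for ev in events:
        if policy.requires_mfa(ev):
            decisions.append((ev.user, "prompt", policy.reason(ev)))
            policy.record(ev)  # mfa_passed on the event stands in for the real challenge result
        else:
            decisions.append((ev.user, "silent", "trusted device and location"))
    return decisions


# Constructed sample sign-ins exercising the main cases and the edge cases.
SAMPLE_EVENTS = [
    LoginEvent("alice", "laptop-1", "Oklahoma City", mfa_passed=True),   # first sign-in
    LoginEvent("alice", "laptop-1", "Oklahoma City"),                    # same pair, silent
    LoginEvent("alice", "laptop-1", "Dallas", mfa_passed=True),          # new location
    LoginEvent("alice", "phone-2", "Oklahoma City", mfa_passed=False),   # new device, MFA failed
    LoginEvent("alice", "phone-2", "Oklahoma City", mfa_passed=True),    # still untrusted, prompt again
    LoginEvent("alice", "phone-2", "Dallas", mfa_passed=True),           # both seen, never together
    LoginEvent("bob", "laptop-1", "Oklahoma City", mfa_passed=True),     # trust is per user
]


def run_sample() -> List[Tuple[str, str, str]]:
    return evaluate(MfaPolicy(), SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, decision, why in run_sample():
        print(f"{user:6} {decision:7} {why}")
```

The policy deliberately keys trust on the exact device-and-location pair rather than on each attribute independently, which is why the sixth sample event is prompted even though both its device and its location have been verified before; whether that strictness is right for a given hospital is a tuning decision, and the `reason` string is what you would log to make that tuning evidence-based.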

In light of the proposed HIPAA security measures, OU Health is ready. “There are a couple of things we need to address, but I feel like we’re fairly well set up for any changes,” he says.

The organization relies on the National Institute of Standards and Technology Cybersecurity Framework, which provides a solid foundation, Coulter says. “If you follow a good cybersecurity framework and develop a program around general security, any regulation that comes out, you’re going to be OK with,” he says.
