2026 HIPAA Security Rule Update

mooreds 95 points 94 comments May 25, 2026
medcurity.com

Discussion Highlights (20 comments)

tptacek

As is the case with SOC2, the "vulnerability scan" requirement here is likely to be meaningless; any automated process that can plausibly be described as instrumental in finding some kind of vulnerability is a "vulnerability scan", so all you have to do is run nmap.

time0ut

Interesting. I haven't fully read through the rule change, but it seems like HHS is directly adopting the controls required by HITRUST? I have been out of the industry for a while. Always interesting how the industry shapes regulation and vice versa.

201984

Is this why every healthcare website has 2FA now? It's so annoying.

mjevans

How kind of them to require 2FA without requiring the governments to issue real 2FA tokens for use in signing / interacting. No doubt this will require some rootkit 'authenticator' app on the consumer's purchased mobile device that they are then not allowed to truly own.

btown

It's worth noting that cybersecurity requirements can be a mechanism of control. As a government regime, do you want to build an effective surveillance system where health data on large numbers of suspects can be pulled into a data fusion system at the push of a button, once a judicial framework for rubber-stamping is in place? And do you want to be able to pressure vendors into not supporting certain types of research/analysis and even direct patient care that could be construed/presented as counter to the regime's goals? Both of these are easier when smaller vendors are forced out and larger vendors are the only ones left standing. As such, regulatory capture becomes a mutually beneficial tool to dominant vendors and regulators alike. There are few coincidences when lobbying is involved. Which is not to say that cybersecurity improvements aren't a good thing! But speed and mechanisms of required rollout need to be balanced. And with the numerous signatories of [0] opposing the rule and describing "unreasonable implementation timelines," it's hard to say that this is entirely done in the interest of patients. [0] https://assets.ctfassets.net/opszt4tga0mx/4QrJlGP2EkCiZjgvGx... (2025)

bob1029

The institutional moats grow ever wider. PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks. The notion that your system might become "in-scope" is one of the scariest things you have to deal with. Avoiding this designation is almost always easier than satisfying all the controls they prescribe. Stripe & friends have it really good. I don't know who their equivalents are in the health care industry but I am certain they exist.

bonsai_spool

It's so grating to read obviously LLM-generated text, even more so from a company that is asking us to hire them for a security audit. AI writing makes somewhat more sense on tech blogs. Where a business' value proposition is "We are knowledgeable and reliable about computer security", it seems unwise.

dwa3592

It really depends on who is testing and enforcing these standards. I have worked in this area, built scalable systems for Medicare. The annual pen testing used to be a joke. Any consultant who would come had no clue what was being built or how the process worked - and they wouldn't even care to understand. After a meeting, we'd get the notification that the pen testing was successful. So, on paper you can change any rule - if the consultants you are hiring don't give a shit (which they usually don't), nothing gets enforced. We would go out of our 'job responsibilities' to do internal testing of all sorts (the external agency would not even do 2% of that).

marsbars241

Wait a second. If encryption is required for all ePHI, that means faxes will finally die, right? Right??? Please!

mooreds

Here's the full proposed rule: https://www.federalregister.gov/documents/2025/01/06/2024-30...

mapt

I don't understand why there shouldn't be a strict-liability play here on top of penalties for knowing violations. You lose all your customer's data to a darknet leak? We should be taking a huge chunk out of your balance sheet. My insurer has disclosed names, social security numbers, and ENTIRE MEDICAL CASEFILES for their entire client base more than once at this point in overlapping data breaches. Why exactly don't they owe me $10k for my trouble, or N% shares of the company? If that's too much, why do these penalties exist for knowing disclosure, if incompetence is so tolerated that knowing disclosure does no damage?

caycep

Eh, how are they going to make the usual small practice do "penetration testing"?

ck2

You can be certain the DOGE kids downloaded as much as they could grab from federal systems about everyone's medical history, including the federal e-prescription system. Rules for thee but not for me.

saltcured

Of course they have to double down on yet another compliance regime. Why not converge on an existing NIST 800-53 baseline, or some HHS "tailored" variant? Or CMMC, if they want to push for more strict certification processes instead? It's getting absurd how many different compliance regimes a modern research university will have to follow simultaneously, if they do a broad set of defense, energy, basic sciences, and health research as well as having an attached medical school and teaching hospital.

Cider9986

As explained here[1], HIPAA makes our medical privacy worse, not better.

[1] https://www.youtube.com/watch?v=4sfIBRTcRpU
https://odysee.com/@NaomiBrockwell:4/HIPAA:7

Jeremy1026

Mandatory annual security assessments are going to be brutal for small businesses.

iloveoof

Universal encryption of PHI at rest is going to be INCREDIBLY painful. Hospitals mostly have on-prem, locked-down mainframe IRIS systems that host data. If the IRIS data is encrypted at rest then it can't be compressed, which means hospitals will have to buy a bunch more hardware, which is super expensive, especially these days. This doesn't get you much in terms of security. The IRIS system itself is an OLTP system, so it's going to need to constantly pass around the encryption key and use it constantly, and if an attacker gets disk access they also will have access to the keys. So this is a big waste of everyone's time and money.

joncp

I'm not sure why there's so much negativity in this thread. The listed requirements were already basic table-stakes security standards. IMO, anyone not encrypting all user data at rest, requiring MFA, etc. is bush league.

mchusma

Highly irritating. HIPAA was originally designed to be a "portability" standard (meaning easier to share). It has done the opposite. Health data is important to developing a cure, and privacy is unimportant to many people. The world would be better if there were zero regulation here at all.

threecheese

This was a pleasant surprise; I fully expected a gutting of the rules, based on what’s been on the front page these past few months. I’m glad to see that someone in the federal govt is paying attention to the risk landscape.
