The Notice of Proposed Rulemaking (NPRM) issued by the U.S. Department of Health and Human Services (HHS) represents one of the most important shifts in healthcare cybersecurity since the original Health Insurance Portability and Accountability Act (HIPAA) was introduced.
Although many healthcare organizations initially viewed the proposed changes as regulatory updates, the deeper message is clear. Cybersecurity protections must evolve to match the reality of modern cyberthreats, ransomware, and increasingly complex electronic information systems.
Covered entities and business associates are now operating across hybrid infrastructure, cloud services, connected medical devices, and AI-driven systems. Electronic protected health information (ePHI) moves across more technology assets, identities, and applications than ever before. This has fundamentally changed the risk level across the healthcare sector.
Compliance alone cannot contain modern cyberattacks. Controlling the blast radius can.
Why the HHS is raising the cybersecurity baseline
The HHS and the Office for Civil Rights (OCR) issued the NPRM to strengthen the HIPAA security rule and address the rising volume of ransomware, data breaches, and cybersecurity threats that are targeting healthcare providers and regulated entities.
The healthcare industry has become one of the most targeted sectors for cyberattacks. These attacks disrupt patient safety, delay care, and compromise the availability of ePHI. The proposed changes introduce stronger security measures, expanded technical safeguards, and more explicit implementation specifications designed to improve cyber resilience.
These mandates include requirements for risk analysis, risk management, vulnerability scanning, pen testing, and asset inventory management. Regulated entities must:
Identify technology assets
Perform risk assessments
Maintain network maps
Implement technical controls such as multi-factor authentication (MFA), anti-malware protection, and encryption
Although these are critical steps, the real objective is containment, not documentation.
Risk analysis alone does not reduce risk
Most healthcare organizations already perform risk assessments, compliance audits, and risk analysis to meet HIPAA security rule requirements. They maintain asset inventory records, define technical safeguards, and implement security standards designed to protect ePHI.
Yet ransomware continues to spread across healthcare organizations with devastating impact. This is because risk analysis identifies vulnerabilities but does not control how threats move among technology assets.
Attackers rarely target a single system. They exploit trust relationships between electronic information systems, workforce members, providers, and business associates to expand access. They also exploit reachability, connectivity, and blast radius.
Without network segmentation, and more precisely, microsegmentation, attackers can move laterally across systems that store or access ePHI. This allows ransomware to disrupt operations, compromise patient safety, and trigger reportable security incidents.
Risk analysis identifies the problem. Containment solves it.
Why network segmentation has become essential to cybersecurity resilience
Network segmentation is no longer optional; it’s becoming foundational to healthcare cybersecurity protections and risk management.
The HIPAA NPRM security rule emphasizes stronger technical safeguards and technical controls, including network segmentation, to limit lateral movement and reduce exposure of ePHI.
Effective network segmentation and microsegmentation create communication boundaries among technology assets. They ensure that electronic information systems communicate only with authorized systems, reduce exposure pathways, and limit the spread of ransomware.
Without microsegmentation, ransomware can traverse healthcare infrastructure unchecked.
With microsegmentation, threats are contained to a limited scope. This enables faster remediation, more effective incident response plans, and faster recovery timelines.
Why healthcare cybersecurity must become continuous, not periodic
Traditional cybersecurity protections rely heavily on periodic activities such as vulnerability scanning, pen testing, and compliance audits. These activities are essential for identifying vulnerabilities and validating technical safeguards.
But healthcare environments are constantly changing: new providers connect to systems, business associate agreements introduce new integrations, workforce members access new applications, and electronic information systems expand across hybrid environments.
Static security measures cannot keep pace with dynamic environments. Healthcare organizations must continuously identify technology assets, maintain accurate network maps, and validate cybersecurity protections across their infrastructure by:
Maintaining real-time asset inventory visibility, including Internet of Medical Things (IoMT) devices
Continuously monitoring network segmentation effectiveness
Performing ongoing risk analysis and remediation
Protecting the availability of ePHI across all electronic information systems
Continuous cybersecurity protections reduce exposure, improve resilience, and support compliance with HIPAA security rule requirements.
Ransomware impact is defined by containment, not prevention
Many healthcare cybersecurity strategies focus primarily on prevention. Anti-malware, multi-factor authentication, and encryption are critical cybersecurity protections that reduce the likelihood of compromise.
But no security measures can eliminate cyberthreats entirely. The most important factor in determining the impact of ransomware is containment.
If ransomware spreads across electronic information systems, healthcare organizations face operational disruption, regulatory investigation, and potential patient safety consequences.
If ransomware is contained to a limited set of technology assets, recovery is faster, remediation is simpler, and the availability of ePHI is preserved.
This is why the NPRM emphasizes contingency plans, incident response plans, and risk management.
The size of the blast radius determines recovery.
Why the HIPAA NPRM security rule represents a fundamental shift
The notice of proposed rulemaking published in the Federal Register reflects a broader shift in how the HHS approaches cybersecurity protections.
The focus is moving beyond addressable implementation specifications and administrative safeguards toward measurable cybersecurity resilience.
Healthcare organizations must demonstrate that their technical controls actively reduce risk, protect ePHI, and prevent widespread compromise. This requires stronger technical safeguards, more rigorous risk assessments, and improved visibility into electronic information systems.
It also requires containment.
Healthcare organizations must know:
Which technology assets store ePHI
Which systems can access protected data
Which connections create exposure risk
Which controls actively reduce blast radius
Organizations that can answer these questions confidently will be positioned to meet both regulatory and operational requirements.
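As an added illustration of these four questions (not code from the article or from any product it describes), the script below takes a constructed asset inventory and network map, then computes the blast radius from a compromised IoMT device under a flat network versus a hypothetical microsegmentation allowlist. All asset names, ePHI flags, and flows are constructed sample data.

```python
"""Blast-radius model: how far a compromise can spread over a network map.

Added illustration, not part of the original article. Asset names, ePHI flags
and flows are constructed sample data; the allowlist format is hypothetical.
"""
from collections import deque

# Constructed asset inventory: asset name -> does it store or access ePHI?
ASSETS = {
    "workstation-ed-01": False,
    "infusion-pump-07": False,   # IoMT device, typical initial foothold
    "ehr-app": True,
    "ehr-db": True,
    "pacs-server": True,
    "billing-app": False,
    "file-share": False,
}

# Flat network (no segmentation): every asset can reach every other asset.
FLAT_FLOWS = {(a, b) for a in ASSETS for b in ASSETS if a != b}

# Hypothetical microsegmentation allowlist: only these directed flows are
# permitted, so they are the only paths available for lateral movement.
SEGMENTED_FLOWS = {
    ("workstation-ed-01", "ehr-app"),
    ("ehr-app", "ehr-db"),
    ("ehr-app", "pacs-server"),
    ("billing-app", "ehr-db"),
    ("infusion-pump-07", "file-share"),
}

def reachable_from(start, flows):
    """Breadth-first search over permitted flows: every asset an attacker who
    controls `start` can reach by following allowed connections."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in flows:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def blast_radius(start, flows, assets=ASSETS):
    """Return (all reachable assets, the subset that holds ePHI)."""
    reached = reachable_from(start, flows)
    return reached, {a for a in reached if assets[a]}

if __name__ == "__main__":
    for label, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        reached, ephi = blast_radius("infusion-pump-07", flows)
        print(f"{label}: {len(reached)} assets reachable, {len(ephi)} hold ePHI")
```

Re-running the model from `workstation-ed-01` shows that the allowlist still leaves the legitimate path to the EHR intact, so the reduction comes from removing unneeded reachability rather than from blocking clinical workflows.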
Reducing the blast radius is becoming the defining cybersecurity metric
Cybersecurity is now defined by resilience rather than by prevention only. Resilient healthcare organizations:
Assume compromise is possible
Design infrastructures to limit impact
Implement network segmentation to restrict lateral movement
Maintain accurate asset inventory and network maps
Protect ePHI through technical safeguards and technical controls
Continuously monitor infrastructure, perform risk analysis, and execute remediation when exposure is identified
Align with evolving security rule requirements to reflect the intent of HHS, OCR, and broader cybersecurity mandates
Blast radius reduction protects more than systems — it protects patient safety, operational continuity, and trust.
Healthcare leaders must act before the final rule takes effect
The comment period for the NPRM allows stakeholders, healthcare providers, and regulated entities to provide public comments before the final rule is issued and the effective date is established.
But waiting creates risk. Cyberthreats are evolving rapidly — and ransomware, cyberattacks, and data breaches are increasing in frequency and sophistication. Healthcare organizations that delay strengthening cybersecurity protections remain exposed.
The healthcare organizations that act now will reduce risk, improve resilience, and strengthen their ability to protect ePHI. They will be prepared for compliance audits, cyberthreats, and the future.
The future of healthcare cybersecurity will be defined by containment
The HIPAA NPRM security rule is not simply a compliance update. It is a call to action.
Healthcare organizations must evolve from static compliance models to dynamic cybersecurity resilience. They must implement technical safeguards, technical controls, and cybersecurity protections that actively reduce the blast radius. And they must protect ePHI across hybrid infrastructures and modern electronic information systems.
Compliance may satisfy regulatory requirements. Containment determines survival.
Now is the time to act
Healthcare leaders must rethink cybersecurity strategies in light of the HIPAA NPRM security rule and evolving cybersecurity threats.
If your organization is evaluating how to strengthen network segmentation, reduce the blast radius, protect ePHI, and align with HHS cybersecurity mandates, now is the time to act.
The most important question is not whether ransomware will occur — it is whether your organization is prepared to contain it.