Healthcare organizations are among the most targeted by ransomware groups and data extortion actors in the United States. The combination of high-value PHI, aging infrastructure, and compliance programs that prioritize documentation over technical enforcement creates an attractive target profile.
- #1 Most Targeted Sector: healthcare leads all industries for ransomware
- $10.9M Avg. Healthcare Breach (2024 IBM Cost of Data Breach Report)
- 2003 HIPAA Security Rule: technical controls required since inception
- 2026 Proposed Update: HHS OCR Security Rule modernization on agenda
The HIPAA Security Rule has required healthcare organizations to implement cybersecurity controls since 2003. The proposed 2025 Security Rule update — on the HHS OCR enforcement agenda for 2026 — would make those requirements significantly more prescriptive. What has not changed is the core problem: most healthcare organizations treat HIPAA cybersecurity compliance as a documentation exercise rather than a technical security program.
This article addresses what HIPAA's Security Rule actually requires from a technical controls standpoint, where the most common gaps occur, and what a defensible cybersecurity governance program looks like.
What the HIPAA Security Rule Actually Requires
The Security Rule establishes three categories of safeguards for electronic PHI (ePHI): administrative, physical, and technical. Most compliance programs focus heavily on administrative safeguards (policies, training, risk analysis) and neglect the technical safeguard requirements that require actual implementation and ongoing management.
Technical Safeguards (45 CFR §164.312)
The technical safeguard requirements include:
*Access Controls.* Unique user identification for all users who access ePHI. Emergency access procedures. Automatic logoff. Encryption and decryption of ePHI. These are not aspirational standards — they are required specifications with documented implementation requirements.
*Audit Controls.* Hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. This requirement is not satisfied by a system that logs activity — it requires that logs are examined. Organizations with no log review process are non-compliant with this requirement regardless of what their documentation says.
*Integrity Controls.* Mechanisms to authenticate ePHI and ensure it has not been improperly altered or destroyed. This includes file integrity monitoring in systems containing patient records.
*Transmission Security.* Encryption of ePHI transmitted over networks. This applies to email containing PHI, API calls between systems, cloud storage synchronization, and remote access to clinical systems.
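The Audit Controls point above is that logs must be examined, not merely generated. As an added illustration (not code from this page or from Centience), the routine below reviews constructed ePHI access records for two patterns the Continuous monitoring section later names: bursts of failed authentication and one account opening an unusually broad set of patient records in a short window. The record format, user names and thresholds are assumptions.

```python
"""Added illustration of audit-log review: alerts on failed-login bursts and
bulk patient-record access. Format, records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp|user|event|patient_id|result
SAMPLE_LOG = """\
2026-03-02T08:01:10|nurse.j|LOGIN||FAIL
2026-03-02T08:01:25|nurse.j|LOGIN||FAIL
2026-03-02T08:01:40|nurse.j|LOGIN||FAIL
2026-03-02T08:01:55|nurse.j|LOGIN||FAIL
2026-03-02T08:02:10|nurse.j|LOGIN||FAIL
2026-03-02T08:05:00|dr.k|VIEW_RECORD|P1001|OK
2026-03-02T08:10:00|billing.svc|VIEW_RECORD|P2001|OK
2026-03-02T08:10:05|billing.svc|VIEW_RECORD|P2002|OK
2026-03-02T08:10:10|billing.svc|VIEW_RECORD|P2003|OK
2026-03-02T08:10:15|billing.svc|VIEW_RECORD|P2004|OK
2026-03-02T08:10:20|billing.svc|VIEW_RECORD|P2005|OK
"""
# Assumed thresholds: events of each kind inside one sliding WINDOW per user
THRESHOLDS = {"failed_login_burst": 5, "bulk_record_access": 5}
WINDOW = timedelta(minutes=5)

def parse_log(text):
    """Parse pipe-delimited records into dicts, sorted by timestamp."""
    records = []
    for line in filter(None, text.splitlines()):
        ts, user, event, patient, result = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, "patient": patient, "result": result})
    return sorted(records, key=lambda r: r["ts"])

def review_log(records):
    """Return one alert per (user, rule) whose sliding window crosses a threshold."""
    per_user = defaultdict(list)
    for r in records:
        per_user[r["user"]].append(r)
    alerts = []
    for user, recs in per_user.items():
        fired = set()  # report each rule once per user, not once per window
        for i, start in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - start["ts"] <= WINDOW]
            fails = sum(r["event"] == "LOGIN" and r["result"] == "FAIL" for r in window)
            patients = {r["patient"] for r in window
                        if r["event"] == "VIEW_RECORD" and r["result"] == "OK"}
            hits = {"failed_login_burst": fails, "bulk_record_access": len(patients)}
            for rule, count in hits.items():
                if count >= THRESHOLDS[rule] and rule not in fired:
                    fired.add(rule)
                    alerts.append({"user": user, "rule": rule, "count": count})
    return alerts
```

In a real deployment the same logic would run continuously inside the SIEM and its alerts would be routed to a named reviewer, which is the evidence an auditor asks for.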
The Proposed 2025 Security Rule Update
HHS OCR's proposed update — which was on the May 2026 regulatory agenda — includes several changes that would significantly strengthen technical requirements:
Organizations that are already operating to these standards have minimal exposure to the proposed update. Organizations that are not will face a compliance gap when the rule finalizes.
Where Healthcare Organizations Are Most Exposed
*Unmanaged endpoints accessing ePHI.* Clinical staff accessing patient records from personal devices, unmanaged laptops, or shared workstations with no MDM (Mobile Device Management) enrollment. Each unmanaged device is a potential breach vector and an uncontrolled access point for ePHI.
*Legacy systems without patch management.* EHR platforms, medical devices, and clinical workstations running outdated operating systems or unpatched software. Many healthcare organizations have legacy clinical systems that cannot be updated without vendor certification — and the compensating controls for those systems (network segmentation, enhanced monitoring) are frequently absent.
*Insufficient audit log review.* Organizations that generate audit logs but have no process for reviewing them regularly. Security incidents detected through log review are stopped earlier, with lower breach impact, than incidents detected by patients, external parties, or ransomware deployment.
*Weak privileged access controls.* Shared administrative credentials for clinical systems and EHR platforms. Service accounts with excessive permissions. IT staff with standing privileged access to systems containing ePHI without just-in-time access controls.
*Third-party and vendor access.* EHR vendors, billing companies, medical device manufacturers, and IT support providers with ongoing access to ePHI systems. Vendor access that is not monitored, not time-limited, and not scoped to minimum necessary access is one of the most frequent breach vectors in healthcare.
*No incident response testing.* Organizations with written incident response plans that have never been tested. An untested IR plan becomes discovery material after a breach: documentation that shows you knew what to do but never verified you could do it.
What Technically Enforced Cybersecurity Governance Looks Like
The gap between a documented cybersecurity program and a technically enforced cybersecurity program is the gap between what your policies say and what your systems actually do.
A technically enforced cybersecurity governance program for a HIPAA-regulated organization includes:
*Managed endpoint security.* Every device accessing ePHI — workstations, laptops, tablets, mobile devices — under active management with EDR (Endpoint Detection and Response), enforced disk encryption, automatic patching, and MDM enrollment. Controls are active, not aspirational.
*Identity and access management.* Unique credentials for every user, MFA enforced on all systems containing ePHI, privileged access managed through a PAM (Privileged Access Management) platform, quarterly access reviews. No shared credentials, no standing privilege.
*Network segmentation.* Clinical systems containing ePHI on isolated network segments with firewall rules preventing lateral movement. Medical devices on separate VLANs. Remote access through VPN with MFA — not open RDP.
*Continuous monitoring.* Security event logs from all systems containing ePHI forwarded to a SIEM (Security Information and Event Management) platform with active monitoring and alerting. Anomalous access patterns, failed authentication attempts, and unusual data transfers generate alerts reviewed by security personnel.
*Vulnerability management.* Regular authenticated vulnerability scanning of all systems containing ePHI, with defined remediation SLAs based on severity. Critical vulnerabilities remediated within 15 days. High severity within 30 days. Evidence maintained for audit.
*Incident response with tested playbooks.* A written IR plan with specific procedures for ransomware, unauthorized access to ePHI, and vendor-related incidents — tested at least annually through a tabletop exercise with documented results.
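The Vulnerability management item above sets 15-day and 30-day remediation targets and asks for audit evidence. As an added example (not code from this page or from Centience), the following tracker classifies scan findings against those SLAs as of a reporting date and produces the summary an auditor would expect. The findings, host names and the medium/low SLA values are constructed assumptions.

```python
"""Added illustration of remediation-SLA tracking against the 15/30-day targets
named in the article. Findings, dates and lower-severity SLAs are constructed."""
from datetime import date, timedelta

# SLA in days by severity: critical and high follow the article; medium and low are assumed
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed scan findings: (finding_id, host, severity, discovered, remediated or None)
FINDINGS = [
    ("F-001", "ehr-app-01", "critical", date(2026, 3, 1), date(2026, 3, 10)),
    ("F-002", "ehr-db-01", "critical", date(2026, 3, 1), date(2026, 3, 25)),
    ("F-003", "pacs-ws-07", "high", date(2026, 3, 5), None),
    ("F-004", "billing-01", "high", date(2026, 2, 1), None),
    ("F-005", "kiosk-02", "medium", date(2026, 3, 1), None),
]

def sla_status(finding, as_of):
    """Classify one finding as of a date: met, breached, open_in_sla or open_overdue."""
    _fid, _host, severity, found, fixed = finding
    due = found + timedelta(days=SLA_DAYS[severity])
    if fixed is not None:                      # closed: judge against the due date
        return "met" if fixed <= due else "breached"
    return "open_in_sla" if as_of <= due else "open_overdue"   # still open

def sla_report(findings, as_of):
    """Evidence summary: counts per status plus the ids that need action now."""
    report = {"met": 0, "breached": 0, "open_in_sla": 0, "open_overdue": 0,
              "needs_action": []}
    for f in findings:
        status = sla_status(f, as_of)
        report[status] += 1
        if status in ("breached", "open_overdue"):
            report["needs_action"].append(f[0])
    return report

if __name__ == "__main__":
    print(sla_report(FINDINGS, date(2026, 3, 20)))
```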
Why Governance Without Infrastructure Control Fails
Most healthcare organizations engage compliance consultants who deliver a risk analysis, update their policies, and leave. Twelve months later, the policies exist but the technical controls were never implemented, or were implemented once and never maintained.
Governance that is not built on managed infrastructure is advisory. It tells you what to do without the operational capacity to verify it is being done.
Centience builds cybersecurity governance programs on the infrastructure we manage. That means vulnerability scans run on schedule and evidence is collected automatically. Endpoint controls are active on every device we manage. Audit logs are reviewed and anomalies are escalated. When OCR requests documentation, it has already been assembled.
Is your cybersecurity governance program technically enforced or just documented?
Schedule your AI Governance Assessment. We evaluate cybersecurity controls alongside AI governance.

