Cybersecurity threats continue to rise across the healthcare industry, and federal regulators are responding with some of the most significant proposed updates to HIPAA in years. Commonly referred to as “HIPAA 2.0,” these proposed changes to the HIPAA Security Rule are designed to strengthen cybersecurity protections, improve risk management practices, and better safeguard patient information.

While the changes are still proposed and not yet finalized, healthcare organizations should begin preparing now. The updates place a greater emphasis on cybersecurity controls, testing, documentation, and compliance readiness—all areas that have become increasingly important as cyberattacks against healthcare providers continue to grow.

Whether you operate a physician practice, specialty clinic, dental office, behavioral health organization, ambulatory surgery center, or multi-location healthcare group, understanding HIPAA 2.0 can help you reduce risk, strengthen security, and prepare for future compliance requirements.

Download the Executive Brief

Looking for a quick overview?

Download our free HIPAA 2.0 Executive Brief for a concise summary of the proposed changes, compliance considerations, and recommended next steps for healthcare organizations.

Read More

Why Is HIPAA 2.0 Being Proposed?

Healthcare remains one of the most targeted industries for cybercrime. Ransomware attacks, data breaches, and system disruptions continue to affect healthcare providers of all sizes.

To address these growing threats, the Department of Health and Human Services (HHS) has proposed updates designed to strengthen protections for electronic protected health information (ePHI) and improve cybersecurity standards across the healthcare industry.

The proposed changes aim to create clearer expectations around security practices while helping organizations better protect patient information and maintain business continuity.

Key HIPAA Security Rule Changes Healthcare Organizations Should Expect

Multi-Factor Authentication (MFA)

The proposed rule places a greater emphasis on identity and access management, including broader use of multi-factor authentication.

Many healthcare organizations already use MFA for email and remote access, but future requirements may extend to additional systems and applications that access protected health information.

MFA remains one of the most effective ways to prevent unauthorized access resulting from stolen or compromised credentials.

Stronger Encryption Requirements

Encryption has long been considered a best practice, but the proposed changes place increased emphasis on protecting sensitive healthcare data both in transit and at rest.

Organizations should review how patient information is stored, transmitted, backed up, and shared to ensure appropriate safeguards are in place.

Annual Penetration Testing and Vulnerability Assessments

The proposed updates include more formal expectations around security testing.

Healthcare organizations may need to conduct:

  • Annual penetration testing
  • Regular vulnerability scanning
  • Documented remediation efforts
  • Ongoing risk evaluations

These assessments help identify security weaknesses before they can be exploited by attackers.

Technology Asset Inventories

Many healthcare organizations have accumulated technology over time, including servers, workstations, mobile devices, cloud applications, and medical equipment connected to their networks.

The proposed changes place greater importance on maintaining accurate inventories of systems that store, process, or transmit protected health information.

Organizations should understand where patient data resides and how it moves throughout their environment.

Enhanced Backup and Disaster Recovery Planning

Healthcare providers increasingly rely on technology to deliver patient care. As a result, regulators are placing greater emphasis on backup, recovery, and business continuity planning.

The proposed changes may require organizations to demonstrate that:

  • Backups are functioning properly
  • Recovery processes are documented
  • Systems can be restored within acceptable timeframes
  • Recovery plans are regularly tested

Having backups is important, but organizations must also be confident they can successfully recover from an outage or cyberattack.

What Healthcare Organizations Should Be Doing Now

Even though the proposed rule has not been finalized, healthcare organizations should take this opportunity to evaluate their current cybersecurity posture.

Key areas to review include:

  • HIPAA risk assessments
  • Multi-factor authentication deployment
  • Backup and disaster recovery capabilities
  • Security awareness training
  • Vulnerability management processes
  • Vendor and third-party risk management
  • Network and asset documentation
  • Incident response planning

Organizations that begin preparing now will be better positioned to adapt when final requirements are released.

Is Your HIPAA Compliance Program Ready?

Many healthcare organizations think of HIPAA compliance as a one-time project. In reality, compliance requires ongoing risk assessments, cybersecurity controls, employee training, documentation, and regular reviews of policies and procedures.

The proposed HIPAA 2.0 updates reinforce the importance of maintaining a proactive approach to HIPAA compliance and protecting patient information.

How Shared IT Helps Healthcare Organizations Prepare

At Shared IT, we specialize in helping healthcare organizations strengthen security, improve compliance, and reduce operational risk.

Our healthcare-focused IT and cybersecurity services include:

  • HIPAA risk assessments
  • Compliance gap analyses
  • Cybersecurity planning
  • Vulnerability management
  • Penetration testing coordination
  • Multi-factor authentication implementation
  • Microsoft 365 security hardening
  • Backup and disaster recovery planning
  • Ongoing IT support and monitoring

Our goal is to help healthcare organizations build practical, effective security programs that support both compliance and patient care.

Schedule a Complimentary HIPAA Readiness Workshop

Not sure where your organization stands today?

Shared IT offers complimentary HIPAA readiness workshops designed to help healthcare organizations identify potential compliance gaps, evaluate cybersecurity risks, and understand the steps needed to prepare for upcoming regulatory changes.

Schedule a workshop with our team to discuss your current environment and receive practical recommendations tailored to your organization.

Schedule a Workshop

Start Preparing for HIPAA 2.0 Today

HIPAA 2.0 represents one of the most significant proposed updates to healthcare cybersecurity and compliance requirements in years. While the final requirements may evolve before implementation, the direction is clear: healthcare organizations will be expected to take a more proactive approach to protecting patient information and managing cybersecurity risks.

Now is the time to evaluate your current HIPAA compliance program, identify potential gaps, and develop a plan for addressing future requirements. Organizations that prepare early will be better positioned to strengthen security, reduce risk, and adapt to new compliance expectations.