In 2024, the Office for Civil Rights (OCR) reported that there were 720 data breaches across the healthcare sector, affecting roughly 186 million people. While that’s fewer breaches than the year before (the first decline since 2018), it still marks another year in which the number of affected patient records climbed significantly.
It’s a sign of the times: the threats are growing faster than the tools we use to stop them. Attacks today cause more damage, last longer, and put patient safety at greater risk than ever before.
To respond to these changes, the U.S. Department of Health and Human Services (HHS) has proposed important updates to the HIPAA Security Rule, its biggest overhaul since 2013.
Why These Changes Are Being Proposed
- Cyberattacks Are Getting Worse: Healthcare providers continue to face more advanced attacks, from ransomware to phishing campaigns, that target sensitive patient data. At the same time, many hospitals and clinics have moved fully into digital care and data sharing, and the old security rule just doesn’t keep up with how healthcare works today.
- More Devices, More Exposure: Today’s care delivery relies on connected devices, cloud platforms, and automated systems. The downside is that these technologies also introduce more ways for cybercriminals to break in. The new rule broadens how these systems are defined and regulated, so the security requirements reflect the real risks of modern equipment and services.
- Too Many Security Gaps: The OCR found that many healthcare providers and their vendors aren’t applying basic protections consistently. In the past, certain standards were “optional” or only encouraged. That’s changing. Nearly all of them will now be required, and the wiggle room is disappearing.
- Poor Response Planning: Many organizations struggle to detect or respond to a breach quickly, which makes the damage worse. The new rules push for stronger response plans, more frequent testing, and better mapping of where patient data flows throughout systems and networks.
- Security Needs to Be Baked In, Not Bolted On: Too often, cybersecurity is treated like an afterthought. The updates push healthcare organizations and the companies they work with to take shared responsibility for protecting data, starting early in the buying process and throughout everyday operations.
- Aligning with Federal Frameworks: The proposed rule changes follow the lead of national security frameworks like NIST’s Cybersecurity Framework (CSF). This helps standardize expectations across industries and rewards providers who are already working toward stronger, well-documented security practices.
What It Means in Practice
The HIPAA Security Rule hasn’t had major updates since 2003. And the last time it was meaningfully adapted (for the HITECH Act in 2013) was when we were just beginning to shift from paper to electronic records.
Fast forward to now, and care delivery looks very different. Telehealth is common. Medical devices are online. AI is being built into diagnostic tools. Patient data moves through a maze of cloud platforms, third-party services, and connected hardware.
As the tools have evolved, so have the risks, and the rules need to catch up. For an official breakdown of the proposed changes, visit the HHS Fact Sheet.
How We Can Help
At Obviam, we help healthcare organizations figure out where they stand today, and where they need to be. We start with gap assessments that use clear, widely recognized frameworks like NIST CSF and CIS Controls. From there, we help prioritize actions that not only meet federal expectations, but make sense for your size, budget, and risk exposure.
We offer vulnerability scans, penetration testing, and support for tools that improve visibility and security across your systems. Our job is to break down all the tech-speak and acronyms into simple plans that protect your data and reduce your risk.
At Optimized IT (OIT), we take the load off your internal IT teams by handling the day-to-day technology upkeep, like patching devices, responding to user issues, and managing endpoints, so your staff can focus on improving data strategy, system resilience, and long-term security goals.
At MOM, we’ve supported print and document security in healthcare settings for years. But we’ve also seen how often vendors like us are overlooked when it comes to cybersecurity planning. The new HIPAA rules aim to fix that, and we’re ready. Our devices, software, and service processes are built to meet strict security expectations, ensuring that printers, copiers, and scanned documents don’t become hidden vulnerabilities.
Still Have Questions?
We do too. These changes will affect not only healthcare providers, but the entire ecosystem of vendors and partners supporting them. The good news? Helping organizations adjust to new rules and rising threats is what we do every day.
These changes are complex and far-reaching. If you’re wondering how they might affect your organization, we’re here to help. A short conversation today can help you plan for the challenges ahead.
About Modern Office Methods (MOM)
Modern Office Methods has helped businesses navigate their document challenges for over 60 years. They offer Production Print Solutions, Managed Print Services, Software Solutions and IT Services to help enhance their customers’ business processes while reducing expenses.
For the latest industry trends and technology insights visit MOM’s main Blog page.