The December 2024 NPRM ends the “addressable vs. required” loophole. Here’s what healthcare IT teams need to do in the next 90 days.
In February 2024, a single ransomware group compromised Change Healthcare and walked away with the medical records of 192.7 million Americans. That’s more than half the country. The attack vector was almost embarrassingly simple: a Citrix portal without multi-factor authentication.
The company paid a $22 million ransom. UnitedHealth Group, Change’s parent, has since reported breach-related costs north of $3 billion. And yet — until very recently — the federal baseline for protecting patient data hadn’t meaningfully changed since 2013.
That’s about to change. And a lot of healthcare organizations are nowhere near ready.
HHS published a Notice of Proposed Rulemaking on December 27, 2024. Public comments closed in early 2025. The final rule is expected sometime this year, with a compliance window of 6–12 months after publication. The changes are the most significant to the Security Rule in over a decade.
The biggest shift is the end of the “addressable” vs. “required” loophole. Under the current rule, a safeguard can be marked “addressable” — meaning you can skip it if you document a reasonable alternative. In practice, that became an excuse to skip encryption, MFA, and other things organizations didn’t want to budget for. The NPRM basically eliminates that distinction. Things that were “addressable” become required, full stop.
The requirements getting teeth:
If you’re reading that list and feeling a bit of acid reflux, you’re not alone.
The 2013 rule was written for a world of Windows XP workstations on flat networks and clinicians logging in from a single office. The attackers of 2026 are not playing by those rules.
Three patterns define the modern healthcare threat:
Third-party vendors are the new front door. The Change Healthcare breach wasn’t a hospital being hacked. It was a clearinghouse used by virtually every US provider. Ascension’s May 2024 ransomware incident started with a contractor downloading a malicious file. When a single vendor handles billing, scheduling, or credentialing for thousands of practices, that vendor’s security posture becomes your security posture.
Medical devices are a soft target. A 2022–2024 wave of FDA safety communications flagged vulnerabilities in devices from Medtronic, BD, Illumina, and others. Many run outdated embedded operating systems, have hardcoded credentials, and can’t be patched without taking the device offline. The new rule will require device inventories, SBOMs (software bills of materials), and a documented plan for addressing known vulnerabilities.
Initial access brokers are running a SaaS model. Groups like Scattered Spider, BlackCat/ALPHV, and LockBit-affiliated crews specialize in selling access rather than running ransomware themselves. Healthcare organizations with exposed RDP, unpatched VPN appliances, and help desks that don’t do callback verification are paying the price.

You don’t have to wait for the final rule. The practices that get ahead of this now will be the ones that pass their next OCR audit with a handshake instead of a subpoena.
Inventory everything that touches ePHI. Laptops, phones, printers, fax servers, imaging systems, infusion pumps, badge readers that store biometric templates — all of it. If you can’t list it, you can’t protect it.
MFA everywhere, no exceptions. This is the single highest-ROI change. The Change Healthcare attackers walked in through a single Citrix account with no MFA. Don’t let that be your story.
Review your BAAs, then actually test the vendors. A signed Business Associate Agreement is not a security posture. Ask your clearinghouses, billing vendors, and EHR hosting providers for SOC 2 Type II reports and recent penetration test summaries.
Run an actual tabletop exercise. Pretend your EHR is down for 48 hours. Who calls whom? What’s the manual fallback for prescriptions and lab orders? How do you notify patients? Write it down. Then test it again in six months.
Patch the worst things first. CISA’s Known Exploited Vulnerabilities catalog is a free, opinionated list. Work through it. The 15-day SLA for critical flaws isn’t aspirational under the new rule.
If you’re a solo practitioner or a small group, the list above is intimidating. You’re running a medical practice, not a security operations center. The good news: HHS has signaled that some new requirements will scale based on size and complexity. The bad news: “we’re small” has not been a winning defense in OCR enforcement actions for years. The 2024 settlement with Plastic Surgery Associates — $500,000, six affected patients — made that point clearly.
Consider a vCISO arrangement (a fractional security officer, typically $3–8k/month) or a managed detection and response provider that knows healthcare. The per-provider cost is a lot smaller than a breach.
The HIPAA Security Rule is finally catching up to the threats healthcare has been facing for a decade. The final rule will land this year, and the compliance clock will start immediately. The practices that use the next 90 days to get MFA in place, finish their asset inventory, and pressure-test their vendors will spend 2026 focused on patient care. The ones that wait will be explaining to OCR why their Citrix portal didn’t have multi-factor authentication.

In today’s digital landscape, cyber threats are evolving at an unprecedented rate. For businesses and individuals alike, maintaining robust network security is essential. However, even the best defenses can become outdated or develop vulnerabilities over time. That’s where a security audit comes in—a comprehensive health check for your network that helps identify weaknesses and ensures your defenses are up to date. In this blog post, we’ll explore what a security audit entails, why it’s crucial, and how to conduct one effectively.
A security audit is a systematic evaluation of your network’s security posture. It involves reviewing your security policies, procedures, and controls to ensure they are effective and comply with industry standards and regulations. The audit aims to identify vulnerabilities, assess risk levels, and provide recommendations for improving security.
Security audits play a critical role in maintaining a secure network environment. Here’s why they are essential:
Security audits can be categorized into different types, each focusing on specific aspects of your network:

Conducting a security audit involves several steps. Here’s a step-by-step guide to help you get started:
Security audits can be complex, and organizations often face challenges in conducting them effectively. Here are some common obstacles and how to overcome them:

A security audit is essential for maintaining the health of your network. By identifying vulnerabilities, ensuring compliance, and improving your security posture, audits help protect your organization from cyber threats. While conducting a security audit can be challenging, the benefits far outweigh the costs.
Regular security audits should be a cornerstone of your network security strategy, no matter how large or small. By staying proactive and continuously improving your defenses, you can safeguard your organization’s assets and build a robust security foundation that withstands the test of time.
Your router is the heart of your network, pumping data to and from all your devices. But have you ever stopped to think about its security? In this post, we’ll dive into the essentials of router security, from firmware updates to secure configuration, ensuring your network’s heart beats strong.
Firmware is the software that runs your router, and like any software, it can have bugs and vulnerabilities. Manufacturers regularly release firmware updates to patch security holes, fix bugs, and improve performance. If you’re not regularly updating your router’s firmware, you could be leaving your network exposed to attacks.
When you first set up your router, it comes with default settings that are designed for ease of use, not security. The default SSID (Service Set Identifier) and password are often common across all units of the same model, making them easy targets for hackers.
The admin interface is where you manage your router’s settings, and it’s crucial to keep this secure. Leaving this interface exposed can give attackers the keys to your entire network.
VLANs (Virtual Local Area Networks) allow you to segment your network into different parts, which can improve security by isolating certain devices from others. For example, you can have one VLAN for your IoT devices and another for your personal devices, reducing the risk of an attack spreading across your entire network.

Even with all these security measures in place, it’s important to know the signs of a compromised router. Unusual network activity, frequent disconnects, and unknown devices on your network are all red flags.
Your router is a critical component of your network’s security, and taking the time to secure it can protect you from a range of cyber threats. By updating firmware, changing default settings, securing the admin interface, using VLANs, and staying vigilant for signs of compromise, you can keep your network’s heart beating strong.