The HIPAA Security Rule overhaul is coming. Healthcare IT teams that wait will be filing breach reports instead.
Network Security   Jun 15, 2026


The December 2024 NPRM ends the “addressable vs. required” loophole. Here’s what healthcare IT teams need to do in the next 90 days.

In February 2024, a single ransomware group compromised Change Healthcare and walked away with the medical records of 192.7 million Americans. That’s more than half the country. The attack vector was almost embarrassingly simple: a Citrix portal without multi-factor authentication.

The company paid a $22 million ransom. UnitedHealth Group, Change’s parent, has since reported breach-related costs north of $3 billion. And yet — until very recently — the federal baseline for protecting patient data hadn’t meaningfully changed since 2013.

That’s about to change. And a lot of healthcare organizations are nowhere near ready.

What’s actually in the proposed Security Rule

HHS published a Notice of Proposed Rulemaking on December 27, 2024. Public comments closed in early 2025. The final rule is expected sometime this year, with a compliance window of 6–12 months after publication. The changes are the most significant to the Security Rule in over a decade.

The biggest shift is the end of the “addressable” vs. “required” loophole. Under the current rule, a safeguard can be marked “addressable” — meaning you can skip it if you document a reasonable alternative. In practice, that became an excuse to skip encryption, MFA, and other things organizations didn’t want to budget for. The NPRM eliminates that distinction. Things that were “addressable” become required, full stop.

The requirements getting teeth:

  • Encryption of ePHI at rest and in transit — not just “addressable” any more
  • MFA on every system that touches ePHI — including remote access and admin accounts
  • A real technology asset inventory — not a spreadsheet from 2019
  • Risk analyses that produce an actual risk register — not a checkbox on a compliance form
  • Patch management with defined timeframes — high-severity vulnerabilities inside 15 days
  • Network segmentation between clinical, administrative, and medical-device networks
  • Continuous logging and monitoring with retention requirements
  • Annual penetration testing and vulnerability scans of the production environment

If you’re reading that list and feeling a bit of acid reflux, you’re not alone.

The threat landscape changed faster than the rule

The 2013 rule was written for a world of Windows XP workstations on flat networks and clinicians logging in from a single office. The attackers of 2026 are not playing by those rules.

Three patterns define the modern healthcare threat:

Third-party vendors are the new front door. The Change Healthcare breach wasn’t a hospital being hacked. It was a clearinghouse used by virtually every US provider. Ascension’s May 2024 ransomware incident started with a contractor downloading a malicious file. When a single vendor handles billing, scheduling, or credentialing for thousands of practices, that vendor’s security posture becomes your security posture.

Medical devices are a soft target. A 2022–2024 wave of FDA safety communications flagged vulnerabilities in devices from Medtronic, BD, Illumina, and others. Many run outdated embedded operating systems, have hardcoded credentials, and can’t be patched without taking the device offline. The new rule will require device inventories, SBOMs (software bills of materials), and a documented plan for addressing known vulnerabilities.

Initial access brokers are running a SaaS model. Groups like Scattered Spider, BlackCat/ALPHV, and LockBit-affiliated crews specialize in selling access rather than running ransomware themselves. Healthcare organizations with exposed RDP, unpatched VPN appliances, and help desks that don’t do callback verification are paying the price.

[Image: modern hospital operating room] Medical devices are a soft target — many run outdated embedded OSes with hardcoded credentials.

What to do in the next 90 days

You don’t have to wait for the final rule. The practices that get ahead of this now will be the ones that pass their next OCR audit with a handshake instead of a subpoena.

  1. Inventory everything that touches ePHI. Laptops, phones, printers, fax servers, imaging systems, infusion pumps, badge readers that store biometric templates — all of it. If you can’t list it, you can’t protect it.

  2. MFA everywhere, no exceptions. This is the single highest-ROI change. The Change Healthcare attackers walked in through a single Citrix account with no MFA. Don’t let that be your story.

  3. Review your BAAs, then actually test the vendors. A signed Business Associate Agreement is not a security posture. Ask your clearinghouses, billing vendors, and EHR hosting providers for SOC 2 Type II reports and recent penetration test summaries.

  4. Run an actual tabletop exercise. Pretend your EHR is down for 48 hours. Who calls whom? What’s the manual fallback for prescriptions and lab orders? How do you notify patients? Write it down. Then test it again in six months.

  5. Patch the worst things first. CISA’s Known Exploited Vulnerabilities catalog is a free, curated list of flaws confirmed to be exploited in the wild. Work through it. The 15-day SLA for critical flaws isn’t aspirational under the new rule.
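Steps 1, 2 and 5 above turn into a check you can actually run once the inventory exists. The script below is an added example, not code from the original post or from HHS or CISA: it assumes the inventory has been exported as a list of records (field names are my own choice), reads a fragment of CISA’s KEV catalog in its published JSON shape (`vulnerabilities[].cveID`, `dateAdded`, `dueDate`), and applies the 15-day window from the KEV `dateAdded` as an assumed stand-in for “date the flaw was identified”. Hostnames and CVE identifiers are constructed placeholders, not real records.

```python
"""Compliance gap check over a constructed ePHI asset inventory.

Added example, not part of the original post. Assumptions:
  - inventory records are dicts with the fields used below (author's choice);
  - KEV fragment uses the real catalog's field names but constructed values;
  - the 15-day patch SLA is counted from KEV dateAdded (assumed proxy).
"""
from datetime import date, timedelta

PATCH_SLA_DAYS = 15  # high-severity window described in the post

# Constructed inventory: every system that touches ePHI.
ASSETS = [
    {"host": "citrix-gw-01", "zone": "dmz", "remote_access": True,
     "admin_accounts": 4, "mfa": False, "cves": ["CVE-2099-0001"]},
    {"host": "ehr-app-01", "zone": "clinical", "remote_access": False,
     "admin_accounts": 2, "mfa": True, "cves": []},
    {"host": "infusion-pump-17", "zone": "clinical", "remote_access": False,
     "admin_accounts": 0, "mfa": False, "cves": ["CVE-2099-0002"]},
    {"host": "billing-vpn-02", "zone": "admin", "remote_access": True,
     "admin_accounts": 1, "mfa": True, "cves": ["CVE-2099-0003"]},
]

# Constructed KEV-style fragment (placeholder CVE ids, real field names).
KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "dateAdded": "2026-05-20",
         "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "dateAdded": "2026-06-10",
         "dueDate": "2026-07-01", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


def mfa_gaps(assets):
    """Hosts with remote access or admin accounts but no MFA (step 2).

    A device with neither (e.g. a pump with no interactive login) is an
    inventory/segmentation question, not an MFA finding, so it is skipped.
    """
    return sorted(a["host"] for a in assets
                  if not a["mfa"] and (a["remote_access"] or a["admin_accounts"] > 0))


def kev_index(kev):
    """Map cveID -> dateAdded (as a date) for quick lookup."""
    return {v["cveID"]: date.fromisoformat(v["dateAdded"])
            for v in kev["vulnerabilities"]}


def patch_sla_status(assets, kev, today_iso):
    """For each KEV-listed CVE present on an asset, compute the SLA deadline
    and days remaining (step 5). Negative days_left means the SLA is missed.
    CVEs not in KEV still need patching but fall outside this check."""
    today = date.fromisoformat(today_iso)
    index = kev_index(kev)
    findings = []
    for a in assets:
        for cve in a["cves"]:
            if cve not in index:
                continue
            deadline = index[cve] + timedelta(days=PATCH_SLA_DAYS)
            findings.append({"host": a["host"], "cve": cve,
                             "deadline": deadline.isoformat(),
                             "days_left": (deadline - today).days})
    return sorted(findings, key=lambda f: f["days_left"])


def overdue(assets, kev, today_iso):
    """Only the findings that have already blown the 15-day window."""
    return [f for f in patch_sla_status(assets, kev, today_iso) if f["days_left"] < 0]


if __name__ == "__main__":
    run_date = "2026-06-15"  # constructed run date
    print("MFA gaps:", mfa_gaps(ASSETS))
    for finding in patch_sla_status(ASSETS, KEV, run_date):
        print(finding)
```

On the constructed data the gateway with no MFA is the only MFA finding, and the same host is already eleven days past its patch window, which is exactly the combination the post describes. Pointing `ASSETS` at a real export and `KEV` at the downloaded catalog makes this a weekly report rather than an audit-time scramble.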

The small practice reality

If you’re a solo practitioner or a small group, the list above is intimidating. You’re running a medical practice, not a security operations center. The good news: HHS has signaled that some new requirements will scale based on size and complexity. The bad news: “we’re small” has not been a winning defense in OCR enforcement actions for years. The 2024 settlement with Plastic Surgery Associates — $500,000, six affected patients — made that point clearly.

Consider a vCISO arrangement (a fractional security officer, typically $3–8k/month) or a managed detection and response provider that knows healthcare. The per-provider cost is a lot smaller than a breach.

The takeaway

The HIPAA Security Rule is finally catching up to the threats healthcare has been facing for a decade. The final rule will land this year, and the compliance clock will start immediately. The practices that use the next 90 days to get MFA in place, finish their asset inventory, and pressure-test their vendors will spend 2026 focused on patient care. The ones that wait will be explaining to OCR why their Citrix portal didn’t have multi-factor authentication.

[Image: healthcare professional using a smartphone] MFA on every system that touches ePHI — including the phone in every clinician’s pocket.
