2025 HIPAA Update: HHS Fighting for our Healthcare Cybersecurity

2025 HIPAA Update: Cybersecurity in the healthcare industry
The HHS finally responds to cybercriminals with security updates to help healthcare entities protect data and patients' lives from ransomware threats. Here's what you need to know.

Imagine rushing to the emergency room with severe chest pain, only to be told you need to be redirected to another hospital because their systems are down. Or picture a surgical team unable to access your medical history, unsure about your allergies to certain medications. These aren’t hypothetical scenarios – they’re real consequences of cybersecurity breaches in healthcare, and they’re happening with alarming frequency.

A Perfect Storm in Healthcare Security

The statistics are sobering: over 90% of healthcare organizations experienced a cyber attack in 2024 alone! But unlike other industries, where cyber attacks might mean temporary inconvenience or financial loss, in healthcare these breaches can literally be a matter of life and death.

“We shouldn’t view this as data crime or financial crime – we should view it as a threat to life crime,” says security expert John Riggi, who has been vocal about the escalating risks in healthcare cybersecurity. His words ring especially true when we consider the tragic case in Germany, where patients lost their lives due to hospital system failures that forced emergency redirections.

Why Hackers Target Healthcare

The healthcare sector has become a prime target for cybercriminals for several reasons:

  1. Medical data is more valuable than credit card information on the dark web. Unlike a credit card that can be canceled, your medical history is permanent and can be used for sophisticated insurance fraud schemes.
  2. Healthcare organizations are often desperate to restore their systems quickly, making them more likely to pay ransoms.
  3. The high-stakes nature of healthcare operations guarantees media attention, which many cyber actors seek.

Recent Wake-Up Calls

Two recent attacks highlight the industry’s vulnerability. Change Healthcare, a critical billing company that serves as the backbone for healthcare payment processing, suffered the largest healthcare cyber attack in history. The breach exposed over 100 million people’s data – and shockingly, it was partly due to not having basic security measures like multi-factor authentication in place.

In another incident, Octapharma, the world’s largest plasma donation center operating in 118 countries, faced an attack that disrupted donations and delayed vital organ transplants and surgeries.

The 2025 HIPAA Update: A Long-Overdue Response

HIPAA has four primary rules: the Privacy Rule, the Security Rule, the Breach Notification Rule and the Omnibus Rule.

After 12 years without any major updates to the security rule, the Department of Health and Human Services is finally (!) responding to escalating threats with comprehensive HIPAA changes. The update, announced in December 2024, represents the most significant overhaul of healthcare cybersecurity regulations in over a decade.

Key changes include:

  • Mandatory data encryption
  • Required multi-factor authentication
  • Verifiable backup procedures
  • Regular security auditing
  • Proven disaster recovery capabilities

These changes will affect the entire healthcare ecosystem: hospitals, pharmacies, doctor’s offices, software platforms handling health information, and even companies involved in clinical trials.

A Nationwide and Global Shift in Cybersecurity Approach

The HHS is taking on more than HIPAA. In 2024 it proposed a (for now, voluntary) Cybersecurity Performance Goals guideline for hospitals that would help them lay out their game plan and boost cybersecurity. These guidelines come in two flavors: there’s the basic essentials that every healthcare organization should have (think of it as cybersecurity 101), and then there’s the advanced guidelines for those ready to take their security to the next level. HHS didn’t just make this up from scratch – they built on existing security frameworks, including CISA’s cross-sector guidelines from March 2023, to create something specifically tailored for healthcare.

Globally, we’re seeing a fundamental shift in how governments approach healthcare cybersecurity. The European Union, Australia, and Singapore are all proposing legislation that would ban ransom payments entirely, forcing healthcare organizations to invest in proper backup and zero-trust security procedures instead of relying on the false hope of recovering data through ransom payments.

The Challenge Ahead

Healthcare organizations face unique challenges in implementing these security measures. They must maintain extremely long-term data retention (up to 15 years or more for clinical trials), manage rapidly scaling data volumes, and do it all on typically constrained IT budgets, as most funding prioritizes medical staff and equipment.

Moving Forward

As we approach the enforcement deadline for these new HIPAA regulations, healthcare organizations must act quickly to upgrade their security infrastructure. The stakes couldn’t be higher – it’s not just about protecting data or avoiding fines (which can reach up to 4% of annual revenue), it’s about protecting human lives.

The healthcare industry stands at a crucial turning point. These new regulations represent not just a compliance requirement, but an opportunity to fundamentally rethink how we protect some of our most vulnerable systems and the precious human lives that depend on them.

N2W Helps Organizations Achieve Effortless HIPAA Compliance

Becoming HIPAA compliant doesn’t have to be complicated. Ensuring your organization has a plan, and making sure PHI data is secure, isolated and protected from any deletion or corruption, can be done not only efficiently but also cost-effectively.

N2W helps not only healthcare entities but their vendors and business associates achieve and maintain HIPAA compliance by implementing ridiculously easy and highly secure backup and recovery procedures.

N2W security and compliance features include:

  • Flexible backup scheduling
  • Instant restore (from separate regions/accounts)
  • Cross-cloud air gapping
  • Automatic recovery drills
  • Comprehensive reporting
  • Cross-account & cross-region Disaster Recovery
  • Ability to switch out encryption keys
  • Automatic and cost-effective Data Lifecycle Management for long-term retention
    • AWS S3, Glacier archiving
    • Azure Blob storage repository
    • Wasabi Storage repository (cross-cloud, cheap long-term storage!)

Contact our team for a free compliance health check and demo. And be sure to try it out for free.
