Get Ready for Major HIPAA Security Rule Changes in 2026 | Dynamic Computing

Written by Kevin Gemeroy | May 21, 2026 11:53:18 PM

If your organization is in healthcare, or is healthcare adjacent, the proposed HIPAA Security Rule updates from the U.S. government expected in 2026 are something you should already be planning for, not waiting on.

Even though the final language is still evolving, the overall direction is becoming very clear. Regulators are preparing to hold healthcare organizations to a much higher standard when it comes to cybersecurity enforcement, operational readiness, and accountability.

And for many organizations, getting there is not going to happen overnight.

For years, a lot of healthcare providers treated HIPAA security compliance as primarily a documentation exercise. Policies were written, annual assessments were completed, and boxes were checked. But regulators are increasingly signaling that documentation alone is no longer enough.

The focus is shifting toward whether organizations can actually prove that security controls are implemented, enforced, monitored, and tested on an ongoing basis.

That’s a major operational change for many healthcare environments.

Areas Expected to Receive Increased Scrutiny

Several areas are expected to receive increased scrutiny under the proposed updates, including:

    • Multi-factor authentication (MFA)
    • Encryption requirements
    • Vulnerability management and risk testing
    • Vendor and business associate oversight
    • Asset inventories
    • Incident response planning
    • Documentation and audit readiness

None of these are new topics. What’s changing is the level of expectation around them.

Take MFA as an example. There are still healthcare organizations that haven’t fully deployed MFA across critical systems because of workflow concerns, legacy applications, or budget limitations. But the reality is that MFA is quickly becoming a baseline requirement, not an optional best practice.

The same goes for vulnerability management. Regulators are unlikely to accept a once-a-year risk assessment as sufficient moving forward.

Organizations will likely need to demonstrate continuous monitoring, regular vulnerability testing, defined remediation timelines, and evidence that identified security gaps are actually being closed.

That requires tools, staffing, time, and process maturity. It also requires investment, and IT professionals or IT providers who know how to implement and evidence these controls, not just describe them. In other words, if your IT team or provider doesn't have a plan for each of the areas above, they're probably not up to the challenge.

Inside and Outside Organizations

Vendor oversight is another area where many organizations are going to feel pressure.

Healthcare organizations depend heavily on third-party vendors, cloud providers, software platforms, and managed IT services. But as supply chain attacks and vendor-related breaches continue to rise, simply collecting signed business associate agreements probably won’t satisfy future expectations.

This all means that many organizations will likely need stronger vendor review processes, better documentation, more frequent security evaluations, and clearer accountability around third-party risk management.

And it points to something healthcare leadership teams need to start recognizing now, which is that preparing for these changes is going to require budget shifts. Not just one-time investments, either.

Organizations will need ongoing funding for security platforms, endpoint monitoring, vulnerability scanning, penetration testing, compliance support, staff training, incident response planning, backup validation, and regular security reviews.

For many healthcare organizations and companies already operating under tight margins, that can be a difficult conversation. But delaying those investments could become significantly more expensive later.

The cost of implementing stronger cybersecurity controls is almost always lower than the cost of responding to a ransomware attack, operational outage, regulatory investigation, or major breach.

And unfortunately, many organizations are still operating with a dangerous gap between what their policies say and what’s actually happening technically.

That gap is exactly where regulators—and attackers—are paying attention.

Asset visibility is a perfect example. A surprising number of healthcare organizations still don’t have complete visibility into all devices, systems, applications, and users connected to their environment. Without accurate inventories, it becomes incredibly difficult to secure systems effectively or respond quickly during an incident.

This is why IT audits are absolutely critical, and why a rock-solid incident response plan matters just as much: a response plan saved somewhere on a shared drive is no longer enough.

Organizations need tested processes. They need defined roles. They need recovery plans that actually work under pressure. If ransomware impacts operations tomorrow, leadership teams need confidence that the organization can respond quickly and continue supporting patient care.

The Changing Healthcare Security Conversation

At the end of the day, cybersecurity in healthcare is no longer just a compliance conversation. It’s an operational risk conversation.

Downtime affects patient care. Breaches damage trust. Recovery costs impact the business. And regulators increasingly understand that cybersecurity failures can create real-world consequences far beyond IT departments.

The organizations that start preparing now will be in a much stronger position over the next several years. The ones that wait until regulations are finalized may find themselves trying to catch up under pressure—both operationally and financially.

This is the time for healthcare organizations to assess where they stand, identify gaps, prioritize investments, and start building a long-term cybersecurity strategy that goes beyond basic compliance.