TechSignal.news

HIPAA Security Rule Overhaul Makes MFA, Encryption, and Pen Testing Mandatory for All ePHI

The biggest update to healthcare data protection in a decade eliminates "addressable" safeguards—MFA, encryption, and annual penetration testing become baseline requirements by mid-2025.

By TechSignal.news AI

New HIPAA Security Rule Eliminates Optional Controls

The pending overhaul of the HIPAA Security Rule, expected to finalize by mid-2025, removes the distinction between "addressable" and "required" safeguards. Every control becomes mandatory. For healthcare enterprises, this means multifactor authentication for all ePHI access, encryption at rest and in transit, annual penetration testing, and vulnerability scans every six months are no longer best practices—they are compliance baselines.

The rule also mandates network segmentation with comprehensive asset inventories, 72-hour system restoration capability after compromise, and one-hour access credential revocation after staff termination. These are prescriptive, testable requirements that replace decades of qualitative "reasonable and appropriate" language.

The timing matters. Fortified Health Security's 2026 Horizon Report documents healthcare breach frequency increasing more than 100% year-over-year in 2025. In 2023–2024, more than 60 large healthcare data breaches were reported monthly on average. Change Healthcare's 2024 incident alone affected approximately 190 million individuals. The regulatory response is to harden compliance into security controls with clear pass/fail criteria.

Budget Impact: Mandatory Spend Categories Replace Discretionary Projects

MFA and encryption shift from discretionary to required line items. Every covered entity must now budget for enterprise-wide MFA deployment—not just for privileged users or VPN access, but for all ePHI touchpoints. Vendors like Okta, Microsoft Entra ID, and Duo benefit directly; their core capabilities become non-negotiable in every healthcare IT stack.

Encryption enforcement will force configuration audits across EHR platforms (Epic, Oracle Health/Cerner) and cloud environments (AWS, Azure, Google Cloud). Proof of compliance matters more than the technology itself. Buyers will ask vendors for control attestations, automated logs, and audit-ready reports—"HIPAA-ready" claims without evidence will fail in procurement.

Penetration testing and vulnerability scanning become recurring operating expenses. Annual pen tests and semiannual (every six months) scans create steady demand for Rapid7, Tenable, Qualys, and consulting firms like CrowdStrike, Mandiant, Palo Alto Unit 42, and Bishop Fox. Healthcare systems that previously skipped or delayed these engagements must now budget them as compliance requirements, not optional risk assessments.

Network segmentation and asset inventory requirements favor specialized vendors. Armis, Forescout, Claroty, and Medigate by Claroty compete to discover medical devices, IoT endpoints, and OT systems that most IT teams cannot inventory manually. The rule does not specify technology, but it does specify outcomes—complete asset visibility and documented segmentation. Buyers will evaluate vendors on their ability to identify shadow IT and unsanctioned devices, not just manage known assets.

RFP Language Shifts to Measurable Compliance Outcomes

Expect RFPs to include explicit questions about control evidence. Can your MFA system log every authentication attempt and produce tamper-proof audit trails? Does your encryption implementation meet FIPS 140-2 or 140-3 standards, and can you prove it? Can your identity platform revoke credentials within one hour of termination across all connected systems, including legacy applications?

The 72-hour restoration requirement will drive disaster recovery and backup purchasing decisions. Rubrik, Veeam, Cohesity, and Zerto will position their products around recovery time objectives (RTO) and automated failover. Buyers will ask for documented evidence of sub-72-hour restoration in test scenarios, not vendor promises.

Identity lifecycle management becomes a compliance gate. SailPoint, Saviynt, and Microsoft Entra ID Governance compete on automated de-provisioning speed and audit trails. The one-hour credential revocation mandate exposes healthcare organizations with manual termination processes or disconnected systems. Vendors that can integrate with EHR platforms, VPNs, email, and building access in a single workflow gain an advantage.
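The one-hour revocation mandate is only auditable if an organization can correlate HR termination timestamps with deprovisioning events from every connected system. The following is an added example, not code from the article or from any vendor named in it, of the kind of evidence check a compliance or security team could run over exported records. The record format, the set of required systems (identity provider, EHR, VPN, email) and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy parameters: a one-hour SLA, and the set of connected systems
# that must each show a revocation event for every terminated user.
REVOCATION_SLA = timedelta(hours=1)
REQUIRED_SYSTEMS = ("idp", "ehr", "vpn", "email")

# Constructed sample records (not real data): HR termination events and
# deprovisioning events exported from each system, timestamps in UTC.
TERMINATIONS = [
    {"user": "alice", "ts": "2025-03-03T17:00:00Z"},
    {"user": "bob", "ts": "2025-03-03T09:30:00Z"},
]
REVOCATIONS = [
    {"user": "alice", "system": "idp", "ts": "2025-03-03T16:50:00Z"},   # before termination; ignored
    {"user": "alice", "system": "idp", "ts": "2025-03-03T17:05:00Z"},
    {"user": "alice", "system": "ehr", "ts": "2025-03-03T17:12:00Z"},
    {"user": "alice", "system": "vpn", "ts": "2025-03-03T17:40:00Z"},
    {"user": "alice", "system": "email", "ts": "2025-03-03T19:30:00Z"},  # 2.5 h: SLA breach
    {"user": "bob", "system": "idp", "ts": "2025-03-03T09:31:00Z"},
    {"user": "bob", "system": "ehr", "ts": "2025-03-03T09:45:00Z"},
    {"user": "bob", "system": "vpn", "ts": "2025-03-03T10:29:00Z"},     # 59 min: within SLA
    # bob has no email revocation at all: also a breach
]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    revoked_at: Optional[datetime]   # None when no revocation event exists after termination
    latency: Optional[timedelta]     # None when never revoked
    compliant: bool


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_revocations(terminations, revocations,
                      required_systems=REQUIRED_SYSTEMS, sla=REVOCATION_SLA):
    """One finding per (terminated user, required system).

    A system is compliant only if its earliest revocation event at or after the
    termination time falls within the SLA. Missing events are breaches, which
    is what catches disconnected systems handled by manual tickets.
    """
    by_user = {}
    for rec in revocations:
        by_user.setdefault(rec["user"], []).append((rec["system"], parse_ts(rec["ts"])))

    findings = []
    for term in terminations:
        term_ts = parse_ts(term["ts"])
        events = by_user.get(term["user"], [])
        for system in required_systems:
            candidates = [ts for sys_name, ts in events
                          if sys_name == system and ts >= term_ts]
            if not candidates:
                findings.append(Finding(term["user"], system, None, None, False))
                continue
            revoked_at = min(candidates)
            latency = revoked_at - term_ts
            findings.append(Finding(term["user"], system, revoked_at, latency, latency <= sla))
    return findings


def violations(findings):
    """Only the findings an auditor would want explained."""
    return [f for f in findings if not f.compliant]


if __name__ == "__main__":
    for f in violations(check_revocations(TERMINATIONS, REVOCATIONS)):
        when = "never revoked" if f.latency is None else f"revoked after {f.latency}"
        print(f"BREACH user={f.user} system={f.system}: {when}")
```

Run as a script it prints one line per breach (here alice's email account cut off 2.5 hours late, and bob's email never deprovisioned). The useful property for RFP evidence is that the check fails closed: a system that never emits a revocation event is reported as a breach rather than silently passing, which is exactly the gap a manual termination workflow leaves.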

AI Governance Emerges as a Parallel Risk Stream

Fortified Health Security's report highlights emerging AI governance risks alongside the breach frequency spike. As healthcare organizations deploy generative AI for clinical decision support, documentation, and patient engagement, regulators and auditors will ask how ePHI is protected in AI workflows. This is not yet codified in the HIPAA Security Rule overhaul, but the direction is clear.

Buyers will evaluate AI-aware security controls from Netskope, Palo Alto Networks, and Microsoft Defender, as well as GRC platforms like ServiceNow GRC, MetricStream, and OneTrust that now offer AI-risk modules. RFPs will ask vendors to demonstrate model access restrictions, PHI use limitations, and audit trails for data passed to large language models.

What to Watch

The rule's finalization timeline matters for budget cycles. If the rule finalizes by mid-2025 as expected, compliance deadlines will likely fall in 2026, creating compressed procurement timelines for healthcare systems that have delayed MFA, encryption, or pen testing projects.

Watch for vendor consolidation in identity and access management. The mandatory MFA and one-hour revocation requirements favor platforms that integrate authentication, provisioning, and de-provisioning in a single control plane. Point products that require manual workflows to meet the one-hour standard will lose ground.

Board-level conversations about cyber-insurance premiums and third-party risk will intensify. The combination of >100% breach frequency growth and new prescriptive controls means insurers will tighten underwriting. Healthcare systems that cannot demonstrate MFA deployment, encryption compliance, and regular pen testing may face coverage denials or premium increases. Budget for third-party risk assessments and insurance-driven security audits as separate line items.
