
The 2026 HIPAA Cybersecurity Regulation Update

What’s Likely Changing and How to Stay Ahead
Brian Gallagher
General Manager, Koniag Cyber
February 5, 2026

In late December of last year (2025), the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (NPRM) to modify HIPAA. Thirty years after the establishment of the original act, both the tech and cybercrime landscapes have changed dramatically, and it appears significant regulatory changes are coming soon that you need to understand and proactively stay ahead of. 

In this article we discuss the modern cyber threats hospitals and healthcare systems face in 2026, the proposed modernization of HIPAA itself, and what you can begin doing now to develop a stronger, more mature cybersecurity posture, based on the changes we believe will be mandated soon.

Modern Threats: The Reality for Hospitals and Healthcare Systems in 2026

In 2026, cybersecurity in hospitals and healthcare isn't just an IT concern, it's patient safety. Imagine a bustling emergency department grinding to a halt because ransomware has locked out electronic health records (EHRs), radiology imaging, or pharmacy systems. Downtime doesn't merely disrupt emails or billing; it cripples clinical operations, delaying critical diagnoses, treatments, and surgeries. In extreme cases, it can be deadly, as we've seen in high-profile incidents where patient care was compromised or lives lost due to inaccessible systems. The sector is still reeling from large-scale disruptions like clearinghouse outages and vendor-targeted ransomware attacks, which exposed the fragility of interconnected healthcare ecosystems. These events underscore a harsh reality: in today's digital-dependent world, a cyber breach isn't a back-office problem, it's a frontline crisis that directly impacts lives.

This vulnerability is amplified by the 2026 threat landscape, where hospitals often feel the brunt first due to their high-value data and mission-critical operations. Ransomware has evolved beyond simple encryption to include data extortion and operational sabotage. Attackers steal protected health information (PHI), threaten leaks to pressure payments, and zero in on "can't-go-down" systems like emergency departments, radiology, pharmacies, and scheduling platforms. This demands robust resilience measures, such as segmented networks to contain breaches and rigorously tested restore times to minimize downtime.

Third-party and supply-chain risks are another Achilles' heel, turning vendor vulnerabilities into hospital liabilities. Clearinghouses, billing services, managed service providers (MSPs), EHR add-ons, and imaging ecosystems are prime targets. The key message here is that outsourcing doesn't absolve accountability. Under HIPAA, covered entities and business associates (BAs) remain on the hook for breaches in the chain.

Identity management has become the new perimeter, with credential theft and weak remote access fueling major incidents. Multifactor authentication (MFA) is now table stakes everywhere, alongside least-privilege access and rapid offboarding to prevent insider threats or ex-employee exploits.

The rise of Internet of Medical Things (IoMT) and "clinical OT" (operational technology) adds layers of complexity. Network-connected devices often run on aging operating systems, face vendor lock-in, and have limited patching windows due to patient care constraints, making them ripe for exploitation.

Cloud and SaaS sprawl exacerbates this, as electronic PHI (ePHI) flows through EHR integrations, analytics tools, patient engagement apps, call centers, and AI platforms. Without continuous asset inventories and ePHI mapping, organizations lose sight of where sensitive data resides or moves.

AI in healthcare introduces new security and privacy pitfalls. Shadow AI use by staff risks PHI leakage, while models and agents accessing systems without proper governance create blind spots. If AI touches ePHI, it's squarely in scope for compliance.

Finally, compliance pressures are shifting from vague "reasonable" safeguards to provable, measurable ones. This aligns with resources like the HHS and CISA Cybersecurity Performance Goals (CPGs), which serve as a baseline every hospital should benchmark against to gauge maturity.

The Modernization Likely Coming to HIPAA

These escalating threats and clinical pains have prompted a long-overdue modernization: the HIPAA Security Rule Notice of Proposed Rulemaking (NPRM). Issued by the HHS Office for Civil Rights (OCR) on January 6, 2025, this proposal aims to strengthen cybersecurity protections for ePHI amid surging cyberattacks. In plain English, it's an overhaul that makes many previously flexible requirements mandatory, emphasizing proactive, documented defenses over reactive fixes.

Notable changes include:

  • Scrapping the distinction between "addressable" and "required" implementation specifications, so that most become effectively mandatory, with only narrow, justified exceptions.
  • Governance and documentation get a boost: policies, procedures, plans, and risk analyses must be written and regularly updated.
  • Asset inventories and network maps are required to track systems and ePHI flows, refreshed at least annually or after significant changes.
  • Technical controls become more prescriptive: encryption for data in transit and at rest (with limited exceptions), MFA implementation (again, limited exceptions), vulnerability scanning every six months, and annual penetration testing.
  • Network segmentation is mandated to isolate breaches.
  • Incident readiness tightens: written incident response (IR) plans, regular testing, and the ability to restore critical systems and data within 72 hours are all part of the proposed modification.
  • Compliance audits are required at least once every 12 months.
  • Business associates will face sharper scrutiny, with expectations for annual verifications and certifications.

While the NPRM is not yet finalized, it's in the final rule stage per the U.S. Unified Agenda, with a target final action date of May 2026. While the current Security Rule remains in effect during rulemaking, the direction is unmistakable: stronger, more explicit cybersecurity standards are coming. Healthcare organizations should plan accordingly, as delays in finalization don't halt the momentum toward these expectations.

What Changes for Executive and Clinical Leadership in Healthcare?

If passed as proposed, the practical impacts will be profound. From a CIO or CISO perspective, it means more hands-on engineering: you can't policy your way out of MFA coverage, encryption defaults, or segmentation. Evidence production ramps up: detailed inventories, maps, risk analyses, testing artifacts, and audit trails become routine. Resilience metrics like restore times become compliance-adjacent, tying directly to IR plan efficacy.

Financially, CFOs and COOs should anticipate budget shifts from ad-hoc tools to program maturity in identity management, detection and response, backup engineering, and third-party assurance. Vendor contracts will tighten, demanding BA verifications, security attestations, and rigorous oversight.

On the people and process front, compliance and clinical leaders will enforce faster joiner/mover/leaver controls, with prompt access changes and termination notifications. Accountability sharpens as "reasonable and appropriate" evolves into checklist-driven requirements, reducing ambiguity but increasing scrutiny.

What to Do and Prioritize to Get Ahead of Pending Changes to HIPAA

First, recognize the urgency and don't wait for finalization. Acting now positions your organization ahead, avoiding mid-year scrambles for time and budget. 

Here’s the proactive checklist we are recommending to all clients:

  • Implement MFA everywhere ePHI is accessed, including remote and admin paths.
  • Set encryption as default for data in transit and at rest, documenting any exceptions meticulously.
  • Build or refresh your asset inventory and network/ePHI flow maps.
  • Conduct a detailed risk analysis, going beyond legacy HIPAA vagueness.
  • Establish regular testing: vulnerability scans every six months and annual penetration tests.
  • Run tabletop and technical IR exercises, validating true restore capabilities—not just backups.
  • Strengthen BA oversight, requiring scheduled security evidence and attestations.
  • Benchmark your program against HHS/CISA Healthcare CPGs for a reality check.
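As an added example (not Koniag Cyber's code, and not anything published by HHS or OCR), the following Python gap check applies the cadences from the proposed changes listed earlier (six-month vulnerability scans, annual penetration tests, annual inventory refresh, 12-month audits, 72-hour restore) and the checklist above to a constructed asset inventory. The asset fields, the sample dates, and the reading of "every six months" as 183 days are assumptions made for the example; treat the thresholds as placeholders until the final rule is published.

```python
"""Gap check of a constructed asset inventory against the cadences named in the
HIPAA Security Rule NPRM summary. Thresholds are assumptions pending the final rule."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

VULN_SCAN_MAX_AGE = timedelta(days=183)   # vulnerability scan at least every six months (assumed 183 days)
PENTEST_MAX_AGE = timedelta(days=365)     # penetration test at least annually
INVENTORY_MAX_AGE = timedelta(days=365)   # asset inventory / network map refreshed at least annually
AUDIT_MAX_AGE = timedelta(days=365)       # compliance audit at least once every 12 months
RESTORE_TARGET = timedelta(hours=72)      # restore critical systems and data within 72 hours


@dataclass
class Asset:
    """One inventory row. Field names are hypothetical, not from any real tool."""
    name: str
    handles_ephi: bool
    critical: bool                        # "can't-go-down" clinical system
    mfa_enforced: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    network_segment: str                  # "" means flat network or unknown placement
    last_vuln_scan: date | None
    last_pentest: date | None
    last_restore_test: date | None
    measured_restore: timedelta | None    # wall-clock time of the last full restore test
    exception_doc: str = ""               # reference to a written, justified exception


def _stale(label: str, last: date | None, max_age: timedelta, today: date) -> list[str]:
    """Flag a control that was never performed or is older than its cadence."""
    if last is None:
        return [f"no {label} on record"]
    if today - last > max_age:
        return [f"{label} overdue (last {last.isoformat()})"]
    return []


def check_asset(asset: Asset, today: date) -> list[str]:
    """Return the list of findings for one asset (empty list means no gaps)."""
    findings: list[str] = []
    if not asset.handles_ephi:
        return findings  # outside the scope of the Security Rule technical controls
    if not asset.mfa_enforced and not asset.exception_doc:
        findings.append("MFA not enforced and no documented exception")
    if not (asset.encrypted_at_rest and asset.encrypted_in_transit) and not asset.exception_doc:
        findings.append("ePHI not encrypted at rest and in transit, no documented exception")
    if not asset.network_segment:
        findings.append("not placed in a network segment")
    findings += _stale("vulnerability scan", asset.last_vuln_scan, VULN_SCAN_MAX_AGE, today)
    findings += _stale("penetration test", asset.last_pentest, PENTEST_MAX_AGE, today)
    if asset.critical:
        if asset.measured_restore is None:
            findings.append("critical system has no measured restore time")
        elif asset.measured_restore > RESTORE_TARGET:
            hours = asset.measured_restore.total_seconds() / 3600
            findings.append(f"measured restore {hours:.0f}h exceeds 72h target")
    return findings


def program_gaps(assets: list[Asset], inventory_refreshed: date | None,
                 last_audit: date | None, today: date) -> dict[str, list[str]]:
    """Map asset name -> findings; program-level findings sit under the key '_program'."""
    report: dict[str, list[str]] = {}
    program = _stale("asset inventory refresh", inventory_refreshed, INVENTORY_MAX_AGE, today)
    program += _stale("compliance audit", last_audit, AUDIT_MAX_AGE, today)
    if program:
        report["_program"] = program
    for asset in assets:
        findings = check_asset(asset, today)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory; every name, date and duration below is made up.
TODAY = date(2026, 2, 5)
SAMPLE_ASSETS = [
    Asset("ehr-prod", True, True, True, True, True, "clinical-core",
          date(2025, 11, 1), date(2025, 6, 1), date(2025, 12, 10), timedelta(hours=40)),
    Asset("pacs-imaging", True, True, False, True, True, "",
          date(2025, 6, 1), None, date(2025, 9, 1), timedelta(hours=96)),
    Asset("guest-wifi-portal", False, False, False, False, False, "guest",
          None, None, None, None),
]


def run_sample() -> dict[str, list[str]]:
    """Run the gap check over the constructed inventory (inventory refreshed 2024-12-01,
    last audit 2025-05-15). Only the imaging system and the stale inventory are flagged."""
    return program_gaps(SAMPLE_ASSETS, date(2024, 12, 1), date(2025, 5, 15), TODAY)


if __name__ == "__main__":
    for name, items in run_sample().items():
        print(name)
        for item in items:
            print("  -", item)
```

The report is the evidence artifact the article says regulators will expect: each finding names the control, the cadence it missed, and the last date on record, so the same script can be rerun before each review to show the gap closing. Encryption and MFA gaps are suppressed only when a written exception is referenced, mirroring the "narrow, justified exceptions" language in the NPRM summary.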

The 2026 posture for hospitals demands treating HIPAA Security as an integrated engineering and resilience program, not a dusty binder of policies. Those who proactively embrace these changes will better safeguard patients and operations while those who wait for a final ruling might find themselves behind the eight-ball, squeezed for both resources and time when mandates hit. The threats won't pause and neither should your preparations.

