
A comprehensive update to the 23-year-old HIPAA Security Rule is pending and could be finalized this month, though it may be modified or delayed. Regardless of whether updates are mandatory and when, new cybersecurity challenges require new tactics. Many of the proposed changes are worth adopting now to stay ahead of cybercriminals.
The proposed rule containing the updates was published during the prior administration and has since undergone public comment and internal review at the Department of Health and Human Services (HHS). Some experts predict that even if a Final Rule is adopted, it may not include every element of the proposal: several significant elements drew objections from healthcare organizations that submitted comments.
On the other hand, some of the proposed changes are so obviously necessary in today’s security environment that they’re already considered best practices, and should be implemented to strengthen cybersecurity.
From the beginning, the HIPAA Security Rule was celebrated, and sometimes criticized, for its flexibility. HHS categorized implementation specifications as either “Required” (measures that must be implemented) or “Addressable” (measures an organization must implement if doing so is reasonable and appropriate). If a specification was “addressable,” an organization could choose not to implement it, provided it documented why the measure was not reasonable and appropriate and, where one existed, implemented an equivalent alternative.
In 2026, that flexibility may be coming to an end. Regardless of when a Final Rule is signed, the Office for Civil Rights (OCR) and the legal environment have already signaled a shift, and many experts agree that enhanced security risk analysis requirements represent best practices and will remain the centerpiece of any Final Rule.
The Shift From “Addressable” to “Required” Standards
Standards that were once set aside because they were labeled “addressable” need a second look.
The most significant administrative task for 2026 is a review of your Risk Analysis – the process for identifying and evaluating potential security risks to protected health information (PHI) – and the related policies for managing those risks. The proposed Security Rule updates are expected to clarify, as audits already have, that safeguards such as encryption (converting data into a form that cannot be read without the key) and Multi-Factor Authentication (MFA, requiring users to present more than one independent authentication factor, such as a password plus a hardware token or authenticator app, when logging in) are mandatory, not optional.
Risk Management Follows Risk Analysis
Compliance managers should use the annual Risk Analysis as a dynamic guide to year-round Risk Management. Since 2024, OCR has pursued HIPAA enforcement through its Risk Analysis Initiative. A once-over review is not enough; you need a comprehensive follow-up risk management plan.
Review all the “addressable” specifications and identify ways to implement them. Listing multi-factor authentication or encryption as “addressable – not implemented” may be read as negligence. Update policies to require these controls and collaborate with IT to set a clear implementation deadline.
The Reality Check: Why Flexibility is a Liability
While the regulatory shift from “addressable” to “required” safeguards may feel like an administrative burden, the 2026 Verizon Data Breach Investigations Report (DBIR) makes it clear that this pivot is a matter of survival, not just compliance.
The 2026 findings show that “system intrusion remains the top pattern for the Healthcare industry and is largely driven by Ransomware.”
- Vulnerability Exploitation: For the first time in 19 years, exploitation of vulnerabilities – not stolen credentials – has become the leading entry point for breaches across all sectors, accounting for 31% of all breaches. In healthcare, vulnerability exploitation accounts for 20% of breaches, with “financially motivated external attackers exploiting vulnerabilities, Phishing, and using stolen credentials.”
- The Patching Gap: Attackers are using AI to identify and weaponize flaws faster than ever. Meanwhile, the median time for organizations to patch critical vulnerabilities has risen from 32 to 43 days. When attackers can weaponize a flaw in hours, a “flexible” approach to security controls is essentially leaving the front door wide open.
- Third-Party Risks: Nearly one-third (32%) of healthcare breaches now involve a third party. When third-party cloud accounts lack properly configured Multi-Factor Authentication (MFA), attackers can easily bypass internal defenses. The DBIR noted the Oracle E-Business Suite vulnerability, which hit many industries last year, including healthcare.
Business associates have long been a weak point for healthcare organizations and account for some of the largest breaches of recent years, including Change Healthcare (192.7 million affected), MOVEit (93 million), Conduent (more than 25 million), and Welltok (14.7 million).
In short, the luxury of labeling security measures as “not implemented” because of complexity is gone. The 2026 threat landscape confirms that if you aren’t mandating foundational controls such as MFA and rigorous patch management, you are not just out of compliance – you are statistically likely to be the next target.
The Extortion-Only Threat
The BakerHostetler 2026 Data Security Incident Response Report highlights a troubling trend: the rise of “extortion-only” attacks. In these attacks, threat actors do not encrypt your files with ransomware; instead, they quietly exfiltrate sensitive data and threaten to leak it unless a ransom is paid.
This creates a massive blind spot. Many healthcare organizations have focused their disaster recovery plans entirely on availability (“If our systems go down, can we restore from backups?”). Extortion-only attacks render those backups irrelevant because the systems never go down; the data has simply been copied out, and no restore can undo that disclosure.
Your 2026 Risk Management plan can help defend against extortion by minimizing the PHI you retain and by monitoring outbound transfers, so that an unusual volume of data leaving the network, or a transfer to a destination never seen before, is detected before the ransom note arrives.
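The egress monitoring described above, as an added illustration that is not part of the original article: a small Python detector that builds a per-host baseline of outbound bytes to external destinations from earlier days and flags a host whose traffic on the day under review exceeds that baseline or goes to an external destination the baseline never saw. The flow records, host names, the RFC 1918 “internal” definition, the 100 MB absolute floor and the 3-sigma multiplier are all constructed or assumed for the example; a real deployment would feed it firewall, proxy or NetFlow records and tune the thresholds.

```python
"""Egress-anomaly detection over outbound flow records (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records, NOT real traffic:
# timestamp,src_host,dst_ip,bytes_out
SAMPLE_FLOWS = """\
2026-03-02T01:10:00Z,ehr-db-01,10.0.5.20,48211
2026-03-02T02:15:00Z,ehr-db-01,10.0.5.20,51002
2026-03-02T03:20:00Z,ehr-db-01,203.0.113.10,1200
2026-03-03T01:12:00Z,ehr-db-01,10.0.5.20,47550
2026-03-03T03:22:00Z,ehr-db-01,203.0.113.10,1350
2026-03-04T01:11:00Z,ehr-db-01,10.0.5.20,49000
2026-03-04T03:18:00Z,ehr-db-01,203.0.113.10,1100
2026-03-05T02:40:00Z,ehr-db-01,198.51.100.77,8450000000
2026-03-05T02:41:00Z,ehr-db-01,10.0.5.20,50100
2026-03-02T09:00:00Z,billing-ws-07,203.0.113.10,220000
2026-03-03T09:05:00Z,billing-ws-07,203.0.113.10,230000
2026-03-04T09:02:00Z,billing-ws-07,203.0.113.10,210000
2026-03-05T09:01:00Z,billing-ws-07,203.0.113.10,225000
"""

# Assumption for the example: anything outside RFC 1918 space is "external".
# The documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for
# internet hosts here (ipaddress.is_global would treat them as non-global).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (day, host, dst_ip, bytes_out) for flows to external destinations only."""
    for ts, host, dst, nbytes in csv.reader(io.StringIO(text)):
        if is_external(dst):
            yield ts[:10], host, dst, int(nbytes)


def detect_egress_anomalies(text: str, detect_day: str, k: float = 3.0,
                            floor_bytes: int = 100_000_000):
    """Return one alert per host whose external egress on detect_day exceeds
    max(floor_bytes, mean + k*stdev) of its earlier daily totals, or which
    contacted an external destination absent from those earlier days."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> external bytes
    baseline_dsts = defaultdict(set)                # host -> destinations before detect_day
    today_dsts = defaultdict(set)                   # host -> destinations on detect_day
    for day, host, dst, nbytes in parse_flows(text):
        daily[host][day] += nbytes
        if day < detect_day:
            baseline_dsts[host].add(dst)
        elif day == detect_day:
            today_dsts[host].add(dst)

    alerts = []
    for host, by_day in daily.items():
        observed = by_day.get(detect_day, 0)
        history = [b for d, b in by_day.items() if d < detect_day]
        if history:
            threshold = max(floor_bytes, mean(history) + k * pstdev(history))
        else:
            threshold = floor_bytes   # no baseline yet: rely on the absolute floor
        reasons = []
        if observed > threshold:
            reasons.append("volume")
        new_dsts = sorted(today_dsts[host] - baseline_dsts[host])
        if new_dsts:
            reasons.append("new_destination")
        if reasons:
            alerts.append({"host": host, "day": detect_day, "bytes": observed,
                           "threshold": int(threshold),
                           "new_destinations": new_dsts, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_anomalies(SAMPLE_FLOWS, "2026-03-05"):
        print(alert)
```

Run against the constructed data, the database host is flagged for both reasons on 2026-03-05 (about 8.45 GB to a never-before-seen address, against a baseline of roughly 1 KB per day), while the billing workstation, whose steady daily upload to a known destination is unchanged, raises nothing. The absolute floor keeps a host with a near-zero baseline from alerting on trivial noise, and the new-destination rule catches staging to a fresh drop site even when the attacker throttles volume under the statistical threshold.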
Human-in-the-Loop: Navigating AI and SB 1120
As artificial intelligence (AI) becomes deeply embedded in clinical and administrative workflows, legal requirements are tightening. California’s SB 1120 has set a precedent that HIPAA compliance managers nationwide are watching. The law requires that a medical necessity or utilization review determination (i.e., whether a medical service is necessary or appropriate) be made by a licensed physician or other qualified health care professional, not by an AI tool alone.
From a HIPAA perspective, this touches on the Right of Access and the Accuracy of PHI. If an AI tool “hallucinates” a medical fact about a patient that results in a denial of coverage or a change in treatment, and that “hallucination” becomes part of the patient’s permanent record, you may have a compliance failure.
The Path Forward in 2026
While the final update to the HIPAA Security Rule remains pending, the need to strengthen cybersecurity is clear. For enforcement purposes, we are transitioning from a regime defined by good-faith effort toward one centered on technical and administrative certainty.
By treating addressable safeguards as required, defending against data exfiltration, and keeping a human hand on the AI tiller, you aren’t just preparing for a new law; you are building a resilient organization that is harder to breach. In 2026, the best administrative defense is a robust, proactive offense.

