Strengthening Healthcare Cybersecurity: The New HIPAA Updates and PAM


As the healthcare sector faces an unprecedented surge in cyberattacks, the U.S. Department of Health and Human Services (HHS) has proposed a long-overdue security rule update to strengthen healthcare cybersecurity efforts. The proposed update to the Health Insurance Portability and Accountability Act (HIPAA) security rule addresses vulnerabilities exposed by ransomware and large-scale breaches that have plagued hospitals and healthcare systems in recent years.

The updated HIPAA Security Rule emphasizes encryption, multifactor authentication (MFA), network segmentation, and stronger access controls as part of a broader Zero Trust approach. At its core, however, the proposal reflects a growing recognition that uncontrolled privileged access is one of the most significant risks in healthcare today.

Why Privileged Access Is the Real Healthcare Risk

Healthcare environments depend on privileged access more than almost any other industry. Administrators, clinicians, IT staff, vendors, service accounts, and automated systems all require elevated access to electronic health records (EHRs), clinical applications, databases, and infrastructure.

When attackers breach healthcare systems, they rarely start with patient records directly. Instead, they target:

  • Compromised admin credentials
  • Exposed service accounts
  • Over-privileged vendor access
  • Long-lived passwords shared across systems

Once privileged access is obtained, attackers can disable security controls, exfiltrate PHI, deploy ransomware, or disrupt clinical operations. This is why Privileged Access Management (PAM) is increasingly viewed as foundational to HIPAA compliance and patient safety.

A Closer Look at the HIPAA Security Rule Updates

The proposed rule by HHS represents the first major update to HIPAA’s security rule since 2013. Key provisions include:

  • Encryption of Protected Health Information (PHI): Ensuring that sensitive data cannot be easily accessed if stolen.

  • Multifactor Authentication (MFA): Adding a layer of security to prevent unauthorized access through compromised credentials.

  • Network Segmentation: Limiting lateral movement of attackers within a network.

Additional updates address patch management, access controls, privileged access management, asset inventory, network mapping, backup and recovery, incident reporting, risk assessments, compliance audits, and more.

According to the Office for Civil Rights (OCR) Director, these updates aim to help the healthcare industry address current and future cybersecurity threats by modernizing safeguards to reflect advances in technology and cybersecurity.

Zero Trust and PAM Are Core Requirements for HIPAA

The proposed HIPAA updates incorporate many cybersecurity best practices already required in highly regulated industries. Together, these recommendations form the foundation of a Zero Trust architecture built on the principle of “never trust, always verify.”

To comply with the updated HIPAA Security Rule, healthcare organizations must strengthen Zero Trust strategies that prioritize identity and access controls, including multifactor authentication (MFA), privileged access management (PAM), single sign-on (SSO), and identity and access management (IAM). These controls ensure that access to sensitive systems and protected health information (PHI) is continuously verified, tightly scoped, and fully auditable. Network segmentation is required as a complementary control, but it does not replace the need to secure privileged access.

Modern Zero Trust strategies place Privileged Access Management (PAM) at the center of risk reduction by enforcing least privilege, eliminating standing access, brokering sessions without exposing credentials, and monitoring privileged activity in real time. Even if credentials are compromised, PAM prevents attackers from moving freely, escalating privileges, or operating undetected. When paired with supporting controls such as network segmentation, PAM helps limit the blast radius of an incident—but it is PAM that ultimately determines who can access critical systems, when access is granted, and what actions are permitted, delivering measurable security and compliance benefits for healthcare organizations.

By centering Zero Trust strategies on privileged access, healthcare organizations gain measurable benefits:

  1. Improved Security: PAM reduces the attack surface by restricting privileged access to EHRs, clinical applications, databases, and infrastructure. Access is granted only when needed and automatically revoked, significantly limiting opportunities for misuse.

  2. Stronger Data Protection: By controlling and auditing all privileged activity involving PHI, PAM helps prevent unauthorized access, modification, or exfiltration of sensitive patient data—even when other defenses fail.

  3. Threat Containment: Real-time session monitoring and control allow security teams to detect suspicious behavior and terminate sessions immediately, containing threats before they impact patient care or operations.

  4. HIPAA Compliance: PAM supports HIPAA requirements for access controls, audit logging, risk management, and accountability. Detailed records of privileged sessions and credential use simplify compliance audits, incident investigations, and regulatory reporting.
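The PAM properties described above (no standing access, grants scoped to one system and role, automatic expiry, emergency revocation, and an audit trail of every decision) can be modelled in a few dozen lines. The broker below is an added illustration written for this article; it is not 12Port's product, HHS guidance, or any real PAM API, and every user, system and timestamp in it is a constructed sample value.

```python
"""Minimal just-in-time (JIT) privileged-access broker (illustrative only)."""
from dataclasses import dataclass, field


@dataclass
class Grant:
    user: str
    system: str
    role: str
    expires_at: float  # epoch seconds; the grant is dead after this instant


@dataclass
class PamBroker:
    grants: list = field(default_factory=list)  # only live, time-boxed grants
    audit: list = field(default_factory=list)   # (event, user, system, role, who/why, when)

    def request(self, user, system, role, now, ttl_seconds, approver):
        # No standing privilege: every elevation is approved and time-boxed.
        g = Grant(user, system, role, now + ttl_seconds)
        self.grants.append(g)
        self.audit.append(("GRANT", user, system, role, approver, now))
        return g

    def check(self, user, system, role, now):
        # Expired grants are purged before evaluation, so revocation is automatic.
        self.grants = [g for g in self.grants if g.expires_at > now]
        ok = any(g.user == user and g.system == system and g.role == role
                 for g in self.grants)
        # Least privilege: a grant for one system/role never covers another.
        self.audit.append(("ALLOW" if ok else "DENY", user, system, role, None, now))
        return ok

    def revoke_user(self, user, now, reason):
        # Threat containment: drop every live grant for a user (e.g. a suspicious session).
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.user != user]
        self.audit.append(("REVOKE", user, "*", "*", reason, now))
        return before - len(self.grants)
```

In a real deployment the audit list would be an append-only log shipped off-host, which is what turns these decisions into the HIPAA audit evidence the article describes.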

Getting Started with PAM 

Getting started with Privileged Access Management doesn’t have to be complex or disruptive. 12Port delivers agentless PAM purpose-built for regulated environments like healthcare, helping organizations secure privileged access across users, vendors, service accounts, and automated systems—without standing credentials or operational friction. With rapid deployment, real-time session intelligence, and audit-ready visibility, 12Port makes it easier to support Zero Trust and HIPAA requirements while protecting patient care.

Try 12Port today with a free trial or schedule a personalized demo to see how modern PAM can reduce risk and simplify compliance.