Elisity Blog

The HIPAA Security Rule 2026: What Hospital CISOs Must Do in 240 Days

[Image: Hospital CISO reviewing HIPAA Security Rule 2026 NPRM compliance requirements at a healthcare administrative workstation]
Hospital IT security leaders are annotating the HIPAA Security Rule NPRM page by page, a working document, not a press release.

I’ve been reading the HIPAA Security Rule NPRM line by line for the last six weeks, cross-referencing every proposed control against the post-incident reports from Change Healthcare and Ascension. Here’s what struck me. This is not a compliance refresh. OCR has essentially published a forensic document, where each mandated control maps to a named failure mode from a 2024 breach. Read the rule straight through and you can almost reconstruct the attack chain it was written to prevent.

That framing matters because the HIPAA Security Rule 2026 update is not abstract policy. The Federal Register published the NPRM on January 6, 2025 (90 FR 898), and OCR’s Spring 2025 Unified Agenda targets finalization in May 2026. From publication, you have 60 days until the final rule takes effect and 180 days after that until compliance is mandatory. 240 days. The budget cycle for these controls starts now, not after the final rule drops.

The HIPAA Security Rule 2026 by the Numbers:

  • 240 days: compliance deadline after final rule publication, per HHS OCR
  • $9 billion: first-year industry compliance cost, rising to roughly $34 billion over five years per HHS’s Regulatory Impact Analysis
  • 190+ million records: breached in Change Healthcare, with $22 million in ransom and $2.457 billion in costs through Q3 2024 per UnitedHealth Group SEC disclosures
  • 5.6 million records across 142 hospitals in 19 states: impacted in Ascension, traced to a single phishing victim per Healthcare IT News
  • 460 healthcare ransomware incidents: reported in the FBI IC3 2025 Internet Crime Report

Why the HIPAA Security Rule 2026 Reads Like a Forensic Document

When I map the proposed controls against the two anchor breaches of 2024, every major mandate traces back to a specific failure mode. OCR isn’t speculating. They’re closing off the exact vectors that produced the largest healthcare breach in US history and the most operationally destructive hospital ransomware event to date.

Start with Change Healthcare. What I saw in the post-incident reports was a textbook Citrix remote access portal used as the initial foothold. The portal didn’t require MFA. An ALPHV/BlackCat affiliate logged in on February 12, 2024 with stolen credentials, dwelled for roughly nine days before deploying ransomware on February 21, and exfiltrated about six terabytes in the process. UnitedHealth Group paid a $22 million ransom. Per Senate Finance Committee testimony on May 1, 2024, CEO Andrew Witty confirmed roughly one-third of Americans had their health information compromised. Senator Ron Wyden said the hack “could have been stopped with cybersecurity 101.”

Then the Ascension report. In early 2024, an employee at an Ascension facility clicked a link and downloaded a malicious file. Black Basta moved laterally across an inadequately segmented environment spanning 142 hospitals in 19 states, eventually deploying ransomware on roughly 12,000 endpoints. Leaked chat logs later showed operators had held stolen credentials for 14 Ascension employees since November 2023. Ambulance diversions at Ascension Saint Thomas, nearly four weeks of EHR outage, paper charting. FY2024 operating loss: $1.8 billion.

Now read the NPRM. The MFA mandate is the Change Healthcare answer. The network segmentation mandate is the Ascension answer. The one-hour access termination is the Montefiore answer ($4.75 million settlement after an insider accessed records without authorization for six months). The 24-hour cross-entity notification is the MOVEit answer (41 million PHI records exposed across 42 healthcare breaches per HIPAA Journal tracking). This is why I called it a forensic document.

[Infographic: mapping 2024 healthcare breaches to their corresponding 2026 HIPAA Security Rule mandated controls]
Each 2024 healthcare breach failure mode maps to a specific 2026 HIPAA Security Rule mandated control.

What the HIPAA Security Rule Requires in 2026

Let me walk through the controls that matter most. I’m not going to bullet-dump 40 controls. For the full regulatory catalog, my colleagues published earlier coverage of the Security Rule update.

MFA becomes universal. Under proposed 45 CFR 164.312, MFA is required for all access to relevant electronic information systems, with narrow exceptions for legacy technology under documented migration plans, emergencies, and pre-March 2023 FDA-approved medical devices. If you have a Citrix portal, admin console, VPN, or any remote access path without MFA, that’s a Change Healthcare-shaped hole.

Encryption elevates to a standalone standard. At proposed 45 CFR 164.312(a)(2)(iv), encryption of ePHI at rest and in transit becomes its own standard, not a spec buried inside access control. TLS 1.2 minimum, full-disk encryption on every workstation, no more cleartext HL7 feeds.

Network segmentation becomes mandatory. The NPRM writes segmentation into technical controls at 45 CFR 164.312. Not “addressable.” Required. The language specifies policies and procedures to segment ePHI “to limit access and prevent lateral movement by intruders.” That phrase, “prevent lateral movement by intruders,” is the Ascension sentence. The rule wants a control that would have stopped a single phishing victim from reaching 12,000 endpoints.

Written asset inventory and network map become enforceable artifacts. New at 45 CFR 164.308(a)(1), you owe OCR a written inventory of all assets touching ePHI (with version, accountable person, location) and a written network map, both reviewed annually. Change Healthcare couldn’t confirm scope to regulators for months. OCR doesn’t want to see that again.

Enhanced risk analysis with threat-vulnerability pairs. Under 45 CFR 164.308(a)(1)(ii)(A), the written risk analysis has to include the asset inventory and network map and assign likelihood, impact, and risk level per threat-vulnerability pair. Per Ogletree’s 2025 enforcement analysis, risk analysis failures appeared in every major enforcement action in the first five months of 2025. Every Risk Analysis Initiative action since October 2024 includes a finding under 164.308(a)(1)(ii)(A). This is the single most weaponized provision in HIPAA enforcement.

Scanning, pen testing, and patching get explicit cadence. Vulnerability scanning every six months minimum, penetration testing at least every 12 months, critical patches within 15 calendar days, high-severity within 30, compensating controls documented when patches aren’t available. For FDA-cleared devices certified to specific firmware, that “compensating controls” language is where microsegmentation becomes the practical answer. If you can’t patch, you have to isolate.
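As an added example (not code from this post or from Elisity), a small Python checker that scores a constructed vulnerability inventory against the cadence just described: the 15-day critical and 30-day high-severity windows, the no-patch case routed to the documented-compensating-control path, and the legacy-device exception requiring a written migration plan. It assumes the clock starts on the day the fix or finding became known, which the NPRM text quoted here does not specify; the asset names and CVE ids are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch windows as the NPRM paragraph states them: critical within 15 calendar
# days, high-severity within 30. Lower severities carry no mandated cadence here.
PATCH_SLA_DAYS = {"critical": 15, "high": 30}


@dataclass
class VulnRecord:
    asset: str
    cve: str                     # placeholder ids in SAMPLE below, not real CVEs
    severity: str
    clock_start: date            # assumption: day the fix or finding became known
    patched: Optional[date] = None
    patch_available: bool = True
    legacy_exception: bool = False    # relies on the pre-March-2023 FDA device exception
    migration_plan: bool = False      # written migration plan on file
    compensating_control: Optional[str] = None  # e.g. "switch-port isolation policy"


def evaluate(rec: VulnRecord, today: date) -> tuple:
    """Return (status, detail) for one record against the stated cadence."""
    sla = PATCH_SLA_DAYS.get(rec.severity.lower())
    if sla is None:
        return "ok", "no mandated cadence for this severity"
    deadline = rec.clock_start + timedelta(days=sla)
    if rec.patched is not None:
        late = (rec.patched - deadline).days
        if late <= 0:
            return "ok", f"patched within the {sla}-day window"
        return "overdue", f"patched {late}d after the {sla}-day deadline"
    if rec.patch_available:
        late = (today - deadline).days
        if late <= 0:
            return "ok", f"{-late}d left in the {sla}-day window"
        return "overdue", f"unpatched {late}d past the {sla}-day deadline"
    # No vendor patch: the rule's route is a documented compensating control
    # (isolation), and a device using the legacy exception also needs a plan.
    if rec.compensating_control is None:
        return "gap", "no patch available and no documented compensating control"
    if rec.legacy_exception and not rec.migration_plan:
        return "gap", "legacy exception claimed without a written migration plan"
    return "ok", f"compensating control documented: {rec.compensating_control}"


def audit(records, today):
    """Map (asset, cve) to (status, detail); the non-ok rows are the evidence gaps."""
    return {(r.asset, r.cve): evaluate(r, today) for r in records}


# Constructed sample inventory (asset names and CVE ids are placeholders).
TODAY = date(2026, 6, 1)
SAMPLE = [
    VulnRecord("epic-ws-17", "CVE-PLACEHOLDER-1", "critical", date(2026, 5, 10), patched=date(2026, 5, 20)),
    VulnRecord("citrix-gw-01", "CVE-PLACEHOLDER-2", "critical", date(2026, 5, 1)),
    VulnRecord("rad-srv-03", "CVE-PLACEHOLDER-3", "high", date(2026, 4, 15), patched=date(2026, 5, 30)),
    VulnRecord("ct-scanner-02", "CVE-PLACEHOLDER-4", "critical", date(2026, 3, 1), patch_available=False,
               legacy_exception=True, compensating_control="isolated to imaging-only policy"),
    VulnRecord("infusion-pump-9", "CVE-PLACEHOLDER-5", "high", date(2026, 3, 1), patch_available=False),
]

if __name__ == "__main__":
    for (asset, cve), (status, detail) in audit(SAMPLE, TODAY).items():
        print(f"{status:8} {asset:16} {cve}: {detail}")
```

Point it at an export from your scanner and the non-ok rows are the list OCR will ask about: overdue patches, and unpatchable devices with no isolation or migration plan on file.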

Time-bound SLAs and BAA updates. Workforce access termination within one hour, cross-entity access change notification within 24 hours, BA contingency activation within 24 hours, critical RTO within 72 hours, RPO within 48 hours, every BAA renegotiated within 12 months. For a health system with hundreds of BAs, that alone is a procurement and legal workstream.

“Addressable” vs “Required”: Why the 12-Year Loophole Is Closing

Here’s the structural change that rewrites two decades of HIPAA implementation: the NPRM removes the distinction between “required” and “addressable” specifications at 45 CFR 164.306(d). Every implementation specification becomes required, with narrowly enumerated exceptions.

For 12 years, “addressable” was the phrase that let hospitals not encrypt, not segment, not implement MFA, as long as they documented why not. The documented-why-not file became the compliance artifact. Walk into almost any hospital and you will find something like this.

They have VLANs. They have firewall rules nobody has audited in three years. They have a PowerPoint slide that says microsegmentation on it.

They have a BitLocker policy that covers managed laptops but not the contractor-imaged workstations in radiology. They have MFA on email but not the legacy Citrix portal installed during Epic go-live. They have an encryption exception for the PACS-to-modality HL7 feed granted in 2017 that has never been revisited.

All technically defensible under “addressable.” None defensible when addressable goes away.

HIPAA Compliance Deadline 2026: What You Can Actually Do in 240 Days

Let me be honest. 240 days is 60 days until the rule is effective plus 180 days until compliance is mandatory. When I talk to CISOs, the first thing I say is: some controls in this rule cannot be greenfield-deployed in eight months, and you need to accept that now.

Days 1 to 60: You are not implementing anything new. You are assembling evidence of current state. Commission a NIST SP 800-30-aligned risk analysis. Inventory every asset touching ePHI. Draft the network map from an NDR or segmentation platform, not Visio. Audit every MFA access point. Identify the BAA renegotiation list.

Days 61 to 120: Close the MFA gaps, prioritizing remote access, VPN, Citrix, RDP, admin consoles. Finalize written policies. Start BAA amendment conversations. Make your segmentation platform decision. This is where most programs stall, because the segmentation decision drives 12 to 24 months of downstream work with legacy approaches.

Days 121 to 180: Initial segmentation in highest-risk clinical areas: ICU, imaging, ED, EHR workstations. EDR across endpoints. First annual penetration test scoped. Tabletop simulating a 72-hour EHR outage.

Days 181 to 240: Segmentation enforcement outside simulation mode. Contingency plan tested end-to-end for 72-hour RTO. First annual compliance audit. BA verification program kicked off. All evidence packaged for OCR.

The uncomfortable truth: legacy NAC projects (Cisco ISE, Aruba ClearPass) typically run 12 to 24 months, require new hardware, 802.1X supplicants, and VLAN redesign. They don’t fit in 240 days. Anyone selling a legacy NAC deployment that “meets HIPAA by 2026” is selling you a future audit finding. This is the 12-to-24-month NAC project problem, and it’s real.

[Image: 240-day HIPAA Security Rule 2026 compliance roadmap across four 60-day phases]
A phased 240-day compliance plan for the 2026 HIPAA Security Rule, from evidence assembly to audit enforcement.

Where This Gets Hard: Medical Devices and Legacy Systems

Let me be direct about the parts of this that are genuinely difficult. Every honest compliance roadmap has a limitations section.

Medical devices are the hardest category. The HIMSS Medical Device Security Survey from December 2025 found that 62 percent of healthcare organizations cannot adequately protect unpatchable medical devices with their current tools. Between 50 and 70 percent of those devices cannot host agents. They run Windows XP, 7, CE, and embedded Linux variants long past end-of-life, certified to specific firmware under FDA regulation, where pushing a patch without manufacturer qualification can void the clearance. The NPRM recognizes this with the pre-March 2023 FDA-approved device exception, but only when paired with a documented migration plan. That isn’t a workaround; it’s a commitment.

Legacy server estates. Every large hospital system has servers running operating systems that cannot support modern MFA, run modern EDR, or be patched on a 15-day cadence. Expect OCR to scrutinize those migration plans in audit.

BAA renegotiation and one-hour access termination. One year to update every BAA. If you have 200, that’s a dedicated procurement and legal program. The one-hour access termination is operationally infeasible without 24/7 IAM coverage, because terminations will land during off-hours, weekends, and holidays. Alston & Bird’s analysis suggested core mandates will survive, but operational specifics may ease. Whether OCR keeps the one-hour window is what I’m watching most closely.

How I’d Think About This Architecturally

If I were building a compliance roadmap for a 10-hospital system right now, here’s how I’d think about which NPRM controls map to what kind of technology.

Some controls are solved by things you probably already own. MFA: identity provider plus conditional access plus phishing-resistant tokens. Encryption at rest: BitLocker, FileVault, KMS. Vulnerability scanning: Tenable, Qualys, Rapid7. SIEM and audit logs: Splunk, Sentinel, Chronicle with a 24/7 MDR. Backup and 72-hour RTO: Veeam, Rubrik, Cohesity, Commvault with immutability.

But seven controls are different. They don’t fit cleanly into existing enterprise IT tooling, they span IT, IoMT, OT, and IoT simultaneously, and they need to deploy inside the 240-day window: the network map as a living artifact, comprehensive asset inventory across IT and IoMT, segmentation itself, lateral movement prevention, vulnerability-based isolation for unpatchable devices, one-hour access termination integrated with network enforcement, and the continuous compliance audit trail.

This is where identity-based microsegmentation starts to matter. Identity-based microsegmentation for healthcare collapses those seven controls into one architectural layer. Policy follows the identity of the user and the device, not the IP address or VLAN. That means segmentation survives device moves, DHCP renewals, and clinical workflows where staff roam between units. It also means a single policy engine can enforce east-west controls, quarantine vulnerable devices, and generate the compliance evidence trail OCR wants to see. And this is where I get to talk about Elisity, because a number of our customers are the CISOs who’ve already solved this.


Elisity delivers 14 of the 40-plus proposed NPRM controls from one platform: asset inventory and network map as living IdentityGraph artifacts, segmentation with identity-based policy (user plus device plus context, not IP), default-deny east-west enforcement, encryption-enforcing and MFA-aware policy, vulnerability-based automatic isolation (when a CVE lights up in Claroty xDome or Armis, the device reclassifies into quarantine), click-to-quarantine incident response, audit logs exported to Splunk and Sentinel, compliance reporting mapped to HIPAA and HICP, agentless medical device protection, BA segmentation, workforce access tied to Active Directory, and contingency policy sets. The deployment profile makes it 240-day compatible. Runs on the switches you already own (Cisco Catalyst, Juniper EX, Arista, Aruba). Agentless, which is the only practical way to protect the 50 to 70 percent of medical devices that can’t host software. Enforcement at the switch port, so east-west traffic between two devices on the same VLAN stops before it crosses a single uplink. No re-IPing, no VLAN redesign, no 802.1X. Discovery in hours, sites online in days.

The customer list is healthcare-heavy for a reason: Providence, Sanford Health, CHOP, Main Line Health, Orlando Health, MultiCare, WellStar, Memorial Sloan Kettering. Main Line Health is the reference story at 5 hospitals, 40-plus offices, 2,100 physicians, over 100,000 IT/IoT/OT/IoMT devices. Their CISO, Aaron Weismann: “Elisity provides technical distancing between devices to stop the spread and progression of a cyberattack. For impacted toxic assets, it also lets us excise them with surgical precision.” Mean time to contain dropped from 4 to 6 hours to under 10 minutes. Full detail in the Main Line Health case study. For the full NPRM control mapping, our network segmentation implementation guide and the HHS 405(d) HICP guidance brief walk through each. For the medical device category specifically, the HIMSS Medical Device Security survey analysis has the data.

What I’ll Be Watching

The reason I’ve spent six weeks reading this NPRM is that the operational details matter more than the headline mandates. Everyone expects MFA, encryption, and segmentation to survive the final rule. The core mandates are politically durable, because Change Healthcare and Ascension are still fresh. Where the real uncertainty sits is two provisions I’ll be tracking.

The first is the one-hour workforce access termination. If OCR keeps it at one hour, that’s a signal they’re willing to push hard on operational rigor. If they ease it to 24 hours, the final rule softens around operational feasibility. The second is the 24-hour cross-entity notification when workforce access changes. New obligation, real process implications for systems sharing workforce with affiliated practices, academic medical centers, and locum services. Whether OCR keeps the 24-hour clock will tell us how aggressive the enforcement posture is going to be.

Not every hospital will be ready in 240 days. Some segmentation work, some BAA renegotiation, some medical device migration plans will stretch past the deadline for organizations that start late. The question is whether you’ve documented a defensible trajectory when OCR audits you, not whether you’ve ticked every box. The budget cycle for this starts now, not after the final rule publishes.

Frequently Asked Questions About the HIPAA Security Rule 2026

What are the new HIPAA Security Rule requirements for 2026?

Around 40 new or enhanced controls. The most consequential: mandatory MFA on all access to relevant electronic information systems, encryption at rest and in transit as a standalone standard, mandatory network segmentation, written asset inventory and network map reviewed annually, enhanced risk analysis with threat-vulnerability pairs, vulnerability scanning every six months, annual penetration testing, 15-day critical patch and 30-day high-severity patch cycles, one-hour workforce access termination, 24-hour cross-entity notification, 72-hour RTO, 48-hour RPO, annual compliance audit. The structural change is the elimination of “addressable” versus “required” at 45 CFR 164.306(d). Everything becomes required, with narrow exceptions.

When does the HIPAA Security Rule NPRM take effect?

OCR’s Spring 2025 Unified Agenda targets a final rule in May 2026. OCR Director Paula Stannard confirmed at HIMSS 2026 that review of the 4,700-plus comments was continuing. Once the final rule publishes, it becomes effective 60 days later, compliance is required 180 days after that (240 days total), and BAAs must be updated within one year of the effective date.

Does HIPAA require network segmentation?

The current Security Rule, in effect since 2013, doesn’t explicitly require network segmentation. It’s been treated as a component of “reasonable and appropriate” security measures under 164.306(d). The 2026 NPRM changes that by writing segmentation into technical safeguards at 45 CFR 164.312 with specific language requiring policies and procedures to segment ePHI “to limit access and prevent lateral movement by intruders.” If the final rule keeps this language, segmentation moves from de facto best practice to explicit mandate.

What happens if my hospital is not HIPAA compliant by the 2026 deadline?

OCR civil monetary penalties after the January 28, 2026 inflation adjustment range from $145 per violation at the lowest tier to $2,190,294 at the willful-neglect-uncorrected tier. The per-violation schedule is a small component of total exposure. A single significant breach triggers parallel tracks: OCR enforcement, state AG action (NY’s SHIELD Act treats a HIPAA violation as a SHIELD Act violation), class action litigation (the Change Healthcare MDL includes more than 70 consolidated actions), SEC 8-K exposure, and Delaware Caremark-doctrine board liability. For a mid-sized health system, realistic total exposure from one ransomware incident ranges from $25 million to over $2 billion at Ascension scale.

What is the difference between “addressable” and “required” in HIPAA?

Under 45 CFR 164.306(d), specifications are classified as “required” (must be implemented as stated) or “addressable” (the covered entity may implement an equivalent alternative or document why they didn’t). Addressable is the framework that has let hospitals not encrypt, not segment, and not implement MFA for 12 years, as long as they kept documentation of why. The 2026 NPRM eliminates the distinction. Every specification becomes required, with narrow exceptions for legacy technology under documented migration plans, emergencies, and certain pre-March 2023 FDA-approved medical devices.

About the Author

Charlie Treadwell is Chief Marketing Officer at Elisity, where he leads identity-based microsegmentation strategy for healthcare, manufacturing, and critical infrastructure customers. He works directly with hospital CISOs on HIPAA Security Rule compliance architecture and has spent the past six months analyzing the 2026 NPRM against real-world breach forensics. Connect with Charlie on LinkedIn.
