In a landmark move, the U.S. Department of Health and Human Services (HHS) has issued a new proposal to strengthen the HIPAA Security Rule, calling for stringent cybersecurity measures to protect electronic protected health information (ePHI). Why? According to the HHS’ proposal, there has been a “rampant escalation of cyberattacks using hacking and ransomware” in recent years. Since 2019, the number of healthcare breaches caused by hacking and ransomware attacks has surged by 89% and 102%, respectively. In 2023, the healthcare information of more than 167 million people was affected by cybersecurity incidents.
Anne Neuberger, the White House’s deputy national security adviser for cyber, justified the need for new rules – which will cost $9 billion to adopt in the first year alone: “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences... Sensitive data is being leaked with the opportunity to blackmail individuals.”
The proposed rule changes (“HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information”) don’t mince words when addressing the critical role of network segmentation in preventing breaches:
“Common network segmentation practices would have substantially reduced the risk to the security of ePHI and could have prevented such breaches.”
Let that sink in. This isn’t just a recommendation—it’s a wake-up call for every organization that handles sensitive health data. But we shouldn’t aim just for “common network segmentation”. In reality, every asset needs to be protected.
The healthcare sector continues to be a prime target for cyberattacks. Data breaches exposing ePHI not only erode public trust but also have devastating financial and reputational consequences. While endpoint detection and incident response have dominated security budgets, this proposal flips the narrative: the focus must shift to prevention.
Prevention Starts with Segmentation
Network segmentation—and by extension, microsegmentation—has been a long-underutilized strategy in cybersecurity. HHS’s proposal makes a compelling case for its role as the first line of defense. Here’s why:
From Theory to Practice: What’s Next for Healthcare Security?
The HHS proposal emphasizes scalable and tailored segmentation solutions, but the urgency is clear: start now, or risk being the next headline. Here’s a sample roadmap for organizations to adopt these measures effectively:
At this point, you might be thinking that none of the above is achievable or sustainable. I understand that reaction; it is a common one. Many organizations believe that microsegmentation (and even macrosegmentation more broadly) never was and never will be an option for them, because their own experience or research has convinced them that it cannot be deployed at scale.
The Path Forward: Prevention = Cure
The HHS’s blunt assessment of past breaches is a stark reminder: waiting for a breach before acting is no longer acceptable. Organizations must move from reactive security postures to proactive strategies that prioritize reducing attack exposure and overall risk, treating root causes rather than symptoms.
The HHS proposal reinforces that segmentation isn’t optional; it’s essential. Let’s not wait for another breach to drive the point home. The time to act is now. Let’s shake the tree and make prevention the cornerstone of cybersecurity. After all, protecting sensitive health data isn’t just a compliance issue—it’s a moral imperative.