WWW.INFORMATIONWEEK.COM
New Cybersecurity Rules Coming for Health Care
Health care organizations may soon be subject to new cybersecurity rules. The US Department of Health and Human Services (HHS) is proposing an update to the HIPAA Security Rule that would require covered health care entities to bolster their cybersecurity posture.

The proposed change comes as breaches continue to wreak havoc in the health care industry. From 2009 to 2023, health care organizations reported 5,887 data breaches involving 500 or more records to the Office for Civil Rights (OCR), according to The HIPAA Journal. A total of 667 health care data breaches occurred in 2024.

Melanie Fontes Rainer, OCR director, pointed to the ransomware attack on Change Healthcare as an example of how these breaches are growing and impacting more people.

"This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals' protected health information across the nation," Fontes Rainer said in the HHS press release.

Proposed Rule

The HIPAA Security Rule, published in 2003, has not been updated since 2013, according to HHS. Covered entities handling electronic protected health information (ePHI) -- including health care providers, health plans, health care clearinghouses, and business associates -- would need to adhere to the updates in the proposed rule.

The unpublished version of the rule outlines proposed amendments to the Security Rule. The proposed changes are designed to align with established cybersecurity practices such as multifactor authentication, encryption of ePHI, network segmentation, and vulnerability scanning.

Under the proposed rule, covered entities would be required to regularly review, test, and update cybersecurity policies and procedures, according to HHS.

"This rule represents a clear mandate for health care organizations, heightened accountability and an even greater emphasis on robust security protocols," Shawn Hodges, CEO of Revelation Pharma, a national network of compounding pharmacies, tells InformationWeek via email. "Compliance will demand an ongoing commitment to quality control, frequent system audits, and advanced data protection measures."

From Proposal to Practice

The proposed rule is scheduled to be published in the Federal Register on Jan. 6. Stakeholders will be able to share feedback during a 60-day public comment period. New regulations always come with the potential for pushback.

"One of the things that people will push back on is it really is going to take resources, costs and people to implement a lot of these changes," Brian Arnold, director of legal affairs at managed cybersecurity platform Huntress, tells InformationWeek.

Resource constraint is a common concern in the health care industry, particularly for rural health care organizations and smaller providers. Anne Neuberger, the US deputy national security advisor for cyber and emerging technology, estimates that the proposed rule would cost $9 billion in its first year and then $6 billion over the following four years, Reuters reports.

"We faced similar apprehensions when HIPAA was first introduced over two decades ago," says Hodges. "At the end of the day, these regulations exist to serve one purpose: protecting patients and their information. Every stakeholder in health care must recognize that this isn't just a regulatory obligation -- it's a moral one."

The public comment period will cross over into the incoming Trump administration, raising questions about the fate of the proposed rule. Arnold points out that issues like cybersecurity, data privacy, and national security are typically considered more bipartisan than others. On the other hand, the Trump administration has signaled a desire to slash regulations. What that means for HHS and this rule remains to be seen.

"There is the chance that there won't be a lot of tabling of this rule and maybe embracing it, but I do think it presents the opportunity where there could be some tweaks to it [that] you might not normally have gotten if it was proposed and then adopted under the same administration," says Arnold. "I don't expect these to be the final versions of the rules."

Critical Infrastructure Under Siege

Critical infrastructure continues to be a target of threat actors, both nation-state-backed groups and financially motivated criminal actors. Health care is just one of the targeted sectors that could be subject to new cybersecurity rules.

"The combination of increasing awareness of the overall vulnerability of critical infrastructure cybersecurity and the increased targeting of [critical infrastructure] by both cybercriminals and nation state threat actors like Volt Typhoon leads me to believe that we'll see more rule updates like this one in the coming year," says Trey Ford, CISO for the Americas at Bugcrowd, a crowdsourced cybersecurity company, in an email interview.

While the final version of the proposed changes to HIPAA and a timeline for adoption are uncertain, the threats the new rule aims to address remain a reality in health care.

"All in all, cybersecurity should be treated as a cornerstone of patient care. Protecting health information is not just an IT task -- it's everyone's responsibility in health care," says Hodges.