HIPAA Updates Loom as Healthcare Breaches Boom: Prevent and Protect with Microsegmentation

In a landmark move, the U.S. Department of Health and Human Services (HHS) has issued a new proposal to strengthen the HIPAA Security Rule, calling for stringent cybersecurity measures to protect electronic protected health information (ePHI). Why? According to the HHS proposal, there has been a “rampant escalation of cyberattacks using hacking and ransomware” in recent years. Since 2019, the number of healthcare breaches caused by hacking and ransomware attacks has surged by 89% and 102%, respectively. In 2023, the healthcare information of more than 167 million people was affected by cybersecurity incidents.

Anne Neuberger, the White House’s deputy national security adviser for cyber, justified the need for new rules – which will cost $9 billion to adopt in the first year alone: “The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences... Sensitive data is being leaked with the opportunity to blackmail individuals.”

The proposed rule changes (“HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information”) don’t mince words when addressing the critical role of network segmentation in preventing breaches:

“Common network segmentation practices would have substantially reduced the risk to the security of ePHI and could have prevented such breaches.”

Let that sink in. This isn’t just a recommendation—it’s a wake-up call for every organization that handles sensitive health data. But we shouldn’t aim just for “common network segmentation”. In reality, every asset needs to be protected.

The healthcare sector continues to be a prime target for cyberattacks. Data breaches exposing ePHI not only erode public trust but also have devastating financial and reputational consequences. While endpoint detection and incident response have dominated security budgets, this proposal flips the narrative: the focus must shift to prevention.

Prevention Starts with Segmentation

Network segmentation—and by extension, microsegmentation—has been a long-underutilized strategy in cybersecurity. HHS’s proposal makes a compelling case for its role as the first line of defense. Here’s why:

  1. Reduces Attack Surfaces: By isolating assets and applications/workloads, such as systems that process or store ePHI, from general networks, organizations can significantly limit an attacker’s ability to pivot within the environment.
  2. Prevents Breach Propagation: Segmentation creates virtual roadblocks, confining attackers to a single (micro)segment and limiting their ability to move laterally, reach higher-tier assets, and subsequently access and exfiltrate sensitive data.
  3. Limits Exposure to External Threats: Public-facing components are inevitable, but connecting them to sensitive systems without segmentation is a recipe for disaster. Properly implemented, segmentation ensures that even if a public-facing system is compromised, the crown jewels—your ePHI—remain secure.

From Theory to Practice: What’s Next for Healthcare Security?

The HHS proposal emphasizes scalable and tailored segmentation solutions, but the urgency is clear: start now, or risk being the next headline. Here’s a sample roadmap for organizations to adopt these measures effectively:

  • Risk Assessments: Begin by identifying critical assets and mapping their network dependencies. Evaluate the existing network architecture for weak points and high-risk connections.
  • Microsegmentation: Move beyond traditional segmentation by enforcing granular, identity-based access controls on your applications or workloads and services, down to the asset level (IP/Hosts, Protocol, Port, Process and Account level). This ensures that only authorized users and applications can communicate within specific network zones and even on an asset-to-asset level, greatly reducing the blast radius while maximizing cyber resilience.
  • Continuous Monitoring: A segmented network is only as strong as its oversight. Implement real-time monitoring tools to detect anomalies and potential breaches within segments.
  • Iterative Improvement: Cybersecurity is not a one-and-done effort. Regularly evaluate and update your segmentation strategies to adapt to new threats and organizational changes, and improve your processes so they align with and maximize the value of microsegmentation, within the principle of a Zero Trust architecture.
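
As an added illustration (not from the HHS proposal, the author or any vendor product), the roadmap above can be expressed as a default-deny check over flow records: observed dependencies become asset-to-asset allow rules keyed on IP, protocol, port, process and account, and any flow outside them is denied and reported. The record format, hosts, process names and accounts are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    process: str   # process that opened the connection
    account: str   # account that process runs as

@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    port: int
    process: str
    account: str
    def allows(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and (f.proto, f.port, f.process, f.account)
                == (self.proto, self.port, self.process, self.account))

def learn_rules(baseline):
    """Risk assessment: turn each mapped dependency into a host-to-host rule."""
    return {Rule(f"{f.src}/32", f"{f.dst}/32", f.proto, f.port, f.process, f.account)
            for f in baseline}

def denied_flows(rules, flows):
    """Enforcement and monitoring: default deny, return flows no rule allows."""
    return [f for f in flows if not any(r.allows(f) for r in rules)]

# Constructed sample data (hypothetical hosts, processes and accounts).
PORTAL, EHR_APP, EHR_DB = "10.10.0.8", "10.20.1.10", "10.20.2.5"
BASELINE = [
    Flow(PORTAL, EHR_APP, "tcp", 8443, "nginx", "svc_portal"),
    Flow(EHR_APP, EHR_DB, "tcp", 5432, "ehr-api", "svc_ehr"),
]
OBSERVED = BASELINE + [
    Flow(PORTAL, EHR_DB, "tcp", 5432, "nginx", "svc_portal"),  # portal straight to ePHI store
    Flow(EHR_APP, EHR_DB, "tcp", 5432, "psql", "jdoe"),        # right port, wrong process/account
]

if __name__ == "__main__":
    for f in denied_flows(learn_rules(BASELINE), OBSERVED):
        print("DENY", f)
```

The second denied flow shows why the process and account dimensions matter: an IP-and-port rule alone would have allowed it.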

At this point, you might be thinking that none of the above is achievable and sustainable. I understand those feelings and thoughts going through the minds of many. It’s not uncommon for organizations to believe that microsegmentation (and even macrosegmentation at large) never was and never will be an option, because their experiences or research have led them to believe that it would be impossible to deploy/implement at scale.

The Path Forward: Prevention = Cure

The HHS’s blunt assessment of past breaches is a stark reminder: waiting for a breach to act is no longer acceptable. Organizations must move from reactive security postures to proactive strategies that prioritize reducing attack exposure and overall risk, focused on treating root causes and not symptoms.

The HHS proposal reinforces that segmentation isn’t optional, it’s essential. Let’s not wait for another breach to drive the point home. The time to act is now. Let’s shake the tree and make prevention the cornerstone of cybersecurity. After all, protecting sensitive health data isn’t just a compliance issue—it’s a moral imperative.

António Vasconcelos

António Vasconcelos is Customer Engineer, Zero Networks
