The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published its 2026 quarterly cybersecurity newsletter, in which it urged HIPAA-covered entities to take steps to strengthen system security and make it harder for hackers to access their systems and the sensitive data of patients and health plan members.
The HIPAA Security Rule requires HIPAA-covered entities to protect the confidentiality, availability, and integrity of electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits. Their responsibilities also include identifying threats and vulnerabilities to ePHI and taking steps to reduce those risks and vulnerabilities to a reasonable and acceptable level. OCR Director Paula Stannard has already said that OCR will be enforcing HIPAA Security Rule compliance in 2026. OCR is moving forward with its risk analysis enforcement initiative, which extends to risk management, to ensure that covered entities are reducing the ePHI risks and vulnerabilities identified in their risk analyses.
In the newsletter, OCR described its intended approach to reducing risk: developing a set of standardized security controls and configurations for the different kinds of electronic information systems in use, addressing security flaws and vulnerabilities, and customizing electronic information systems to reduce their attack surface.
OCR reminded medical device manufacturers that it is their obligation to ensure their devices carry the correct labelling so that users can keep the devices secure throughout the product lifecycle. Manufacturers should also follow Food and Drug Administration (FDA) guidance on security risk management, secure design, and security assessment. Healthcare organizations must read the labelling on their devices carefully and make sure they understand how the devices must be configured to remain secure and functional through the whole product lifecycle.
OCR pointed out three areas of system hardening that are critical for HIPAA Security Rule compliance. The first is patching. Threat actors look for vulnerabilities that can be exploited to gain access to a system, including flaws in operating systems, software, and device firmware. Whether a device is new or old, patches must be applied to correct known vulnerabilities. Patching may not be possible immediately upon discovery; in that case, the interim remediation steps advised by the vendor must be taken to reduce the chance of exploitation until a patch is available. A complete and accurate IT asset inventory must be maintained, and policies and procedures must be created and followed to ensure a regular patching cadence for all software, operating systems, and devices.
The second area is reducing the attack surface by removing unnecessary software and devices, such as those that are no longer used or no longer serve the covered entity, and generic and service accounts created during the installation process. Accounts created at installation time often have default passwords that must be changed. OCR noted that its investigations have found accounts for popular databases, networking applications, and anti-malware programs still using default passwords for privileged access.
The third area is configuration. Many cyberattacks succeed because of misconfigurations, so HIPAA-covered entities must ensure that security measures are installed, enabled, and correctly configured. A covered entity’s risk analysis and risk management plan should inform its decisions about the use of these and other security measures.
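The three hardening areas above (patching against a cadence, removing unused software and installation-time accounts with default passwords, and checking that security controls are actually enabled) all start from the asset inventory the newsletter says must be maintained. The script below is an added example, not code from OCR or the newsletter: it runs those checks over a constructed inventory. The inventory fields, the asset and account names, the 30-day patch window and the 90-day "unused" threshold are all assumptions standing in for values a covered entity's own policies would set.

```python
"""Inventory-driven hardening audit (added example; inventory format and thresholds are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Thresholds are assumptions standing in for values the entity's own policies would set.
PATCH_WINDOW_DAYS = 30   # how long after a patch ships it may remain unapplied
UNUSED_AFTER_DAYS = 90   # inactivity after which software is a removal candidate


@dataclass
class Account:
    name: str
    created_by_installer: bool   # generic/service account made during installation
    password_is_default: bool
    privileged: bool


@dataclass
class Asset:
    name: str                           # software, operating system or device
    vulnerable: bool                    # a known vulnerability affects the installed version
    patch_available_since: date | None  # None: the vendor has not released a fix yet
    patch_applied: bool
    mitigated: bool                     # vendor-advised interim remediation is in place
    last_used: date | None
    accounts: list[Account] = field(default_factory=list)
    controls: dict[str, bool] = field(default_factory=dict)  # control name -> enabled?


def audit(assets: list[Asset], today: date) -> list[tuple[str, str]]:
    """Return (asset name, finding) pairs, one per hardening gap found in the inventory."""
    findings: list[tuple[str, str]] = []
    for a in assets:
        # Area 1: patching. A released patch older than the cadence is overdue; an
        # unpatched flaw with no fix yet must at least have the vendor's interim mitigation.
        if a.vulnerable and not a.patch_applied:
            if a.patch_available_since is not None:
                age = (today - a.patch_available_since).days
                if age > PATCH_WINDOW_DAYS:
                    findings.append((a.name, f"patch available for {age} days, exceeds {PATCH_WINDOW_DAYS}-day cadence"))
            elif not a.mitigated:
                findings.append((a.name, "no patch released and no interim mitigation in place"))

        # Area 2: attack surface. Unused software and installer-created accounts add
        # exposure without serving the entity; a default password is the worst case.
        if a.last_used is None or (today - a.last_used).days > UNUSED_AFTER_DAYS:
            findings.append((a.name, f"not used in {UNUSED_AFTER_DAYS}+ days; candidate for removal"))
        for acct in a.accounts:
            if acct.created_by_installer:
                findings.append((a.name, f"installation account '{acct.name}' still present"))
            if acct.password_is_default:
                level = "privileged" if acct.privileged else "unprivileged"
                findings.append((a.name, f"default password on {level} account '{acct.name}'"))

        # Area 3: misconfiguration. A security control that exists but is switched off
        # provides no protection.
        for ctrl, enabled in a.controls.items():
            if not enabled:
                findings.append((a.name, f"security control '{ctrl}' is disabled"))
    return findings


def sample_inventory() -> list[Asset]:
    """Constructed inventory (hypothetical systems, not real ones) that exercises each check."""
    return [
        Asset("ehr-db-server", vulnerable=True, patch_available_since=date(2026, 1, 10),
              patch_applied=False, mitigated=False, last_used=date(2026, 2, 28),
              accounts=[Account("dbadmin", created_by_installer=True, password_is_default=True, privileged=True)],
              controls={"tls": True, "audit_logging": False}),
        Asset("legacy-reporting-tool", vulnerable=False, patch_available_since=None,
              patch_applied=False, mitigated=False, last_used=date(2025, 9, 1)),
        Asset("infusion-pump-gateway", vulnerable=True, patch_available_since=None,
              patch_applied=False, mitigated=True, last_used=date(2026, 2, 27),
              accounts=[Account("svc_monitor", created_by_installer=True, password_is_default=False, privileged=False)],
              controls={"firewall": True}),
    ]


def run_sample(today: date = date(2026, 3, 1)) -> list[tuple[str, str]]:
    """Audit the constructed inventory as of the given date."""
    return audit(sample_inventory(), today)


if __name__ == "__main__":
    for asset_name, finding in run_sample():
        print(f"{asset_name}: {finding}")
```

The gateway with an unpatched flaw but a vendor-advised mitigation in place produces no patching finding, matching the newsletter's point that interim remediation is acceptable until a patch ships; the same server audited three weeks after its patch was released is inside the cadence window and is not flagged, which is why the window is a policy decision rather than a fixed constant.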
Since OCR will be examining risk management and has instructed covered entities on their duty to strengthen system security, all covered entities must make sure they act on this advice. Identifying, developing, and applying system hardening measures is not a one-time task. Assessing the continued effectiveness of security measures is necessary to ensure they remain effective over time, and is critical for HIPAA Security Rule compliance.
Image credits: Nilofar, AdobeStock