Proposed HIPAA Encryption Mandate
The Proposed HIPAA Encryption Mandate Is an Operational Imperative
Mandated or Not, It's Still the Right Thing to Do.
Data breaches and ransomware attacks have become a persistent and costly challenge in the healthcare sector. As the Change Healthcare ransomware attack shows us, these threats continue to escalate in frequency and sophistication. Organizations bound by HIPAA must reevaluate their approach to cybersecurity, especially when it comes to encryption.
In December 2024, the U.S. Department of Health and Human Services (HHS) proposed a significant update to the HIPAA Security Rule, part of which suggests a mandate requiring the encryption of electronic protected health information (ePHI) both at rest and in transit. While it's still uncertain whether HHS leadership will move forward with finalizing the rule, healthcare organizations would be wise to act as if it's already in place. Why? Because the need for robust encryption is not a matter of regulatory compliance alone; it is a critical step in safeguarding patient data.
From Best Practice to Baseline Requirement
Historically, HIPAA has treated encryption as an "addressable" implementation specification: a strong recommendation rather than an enforced requirement. This created a gray area that some organizations took advantage of, documenting alternative safeguards in place of encryption. The result has been many systems left exposed, with predictable consequences.
The proposed changes aim to remove that ambiguity by making encryption the standard rather than an option. In HHS's words, the rule would "remove the distinction between 'required' and 'addressable' implementation specifications and make all implementation specifications required with specific, limited exceptions," and encryption of ePHI at rest and in transit is among the specifications that would become required.
In today's threat landscape, encryption should be the default method of protecting sensitive health data, and one layer of a defense-in-depth strategy rather than the whole of it.
Why Act Now?
While the proposed changes to HIPAA are not yet codified, the rationale behind them is sound. Cyberattacks targeting healthcare organizations continue to rise, and attackers treat ePHI as a high-value target, both because of the nature of the data and because healthcare organizations have historically paid ransoms. Patients are increasingly concerned about the safety of their data, and regulators are responding with heightened scrutiny.
Proactively adopting strong encryption measures demonstrates a commitment to patient privacy and operational integrity. It also puts your organization in a stronger position during audits and assessments, even if the final rule is delayed or modified.
There are several additional compelling reasons to adopt the proposed encryption standard without waiting for it to become law:
- It provides a jumping-off point for a thorough audit of your data protection strategy. Such an audit establishes not only whether your data is encrypted at rest and in transit, but also where your data resides, who has access to it, and which data can be properly disposed of.
- It positions your organization ahead of the regulatory curve. Besides being the responsible choice, if HHS finalizes the proposed encryption mandate, your organization will already have met its requirements.
- Encrypting your data minimizes the risks associated with breaches, preventing patient harm and reputational damage and helping your organization avoid steep financial penalties. Under the existing HIPAA Breach Notification Rule, ePHI that was encrypted in line with HHS guidance at the time it was lost or stolen is considered unusable to an unauthorized party, so a lost encrypted drive need not be treated as a reportable breach, whereas a lost unencrypted one must be.
Simplifying Cyber Resilience
Encryption is essential, but it’s not sufficient on its own. A comprehensive data protection strategy also includes redundancy and resilience.
By universally encrypting ePHI, your organization is one step closer to the widely accepted best practice known as the 3-2-1 Rule: maintain three copies of your data, on two different types of media, with one copy kept offsite. For ePHI, that offsite copy should itself be encrypted.
The 3-2-1 Rule provides a safety net against ransomware and other disruptive events, which have become all too familiar across the healthcare industry. Combining 3-2-1 with a regular cadence of confirmed clean backups (copies verified against the integrity record taken when they were written, not merely assumed intact) gives you a process to recover critical information quickly and securely if your primary systems are compromised. In healthcare, where downtime can impact patient care, reliable backups are not optional; they are essential.
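One way to make "confirmed clean backups" concrete, as an added example that is not part of the original article or of Apricorn's tooling: record a SHA-256 manifest of the backup set when it is written, verify each copy against that manifest before trusting it, and count only copies that verify clean toward the 3-2-1 targets. The file names, backup locations and sample records below are constructed for the example and are not real ePHI.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(root, manifest):
    """Compare one backup copy against the manifest recorded when it was written."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
    }


def copy_is_clean(report):
    """A copy is clean only if nothing is missing, nothing is extra, and nothing changed."""
    return not (report["missing"] or report["unexpected"] or report["modified"])


def check_3_2_1(inventory):
    """Return the ways a set of backup copies falls short of 3-2-1.

    Each inventory item is {"location": str, "media": str, "offsite": bool, "clean": bool}.
    Only copies that verified clean count: a tampered copy is not one you can restore from.
    """
    clean = [c for c in inventory if c["clean"]]
    problems = []
    if len(clean) < 3:
        problems.append(f"only {len(clean)} clean copies (need 3)")
    if len({c["media"] for c in clean}) < 2:
        problems.append("clean copies are all on one media type (need 2)")
    if not any(c["offsite"] for c in clean):
        problems.append("no clean offsite copy")
    return problems


def demo():
    """Build a constructed backup set in a temp dir, damage one copy, and run the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        primary = tmp / "primary" / "records"
        primary.mkdir(parents=True)
        # Constructed sample rows, not real patient data.
        (primary / "visits-2024-01.csv").write_bytes(b"mrn,visit_date,note\n000123,2024-01-04,sample row\n")
        (primary / "labs-2024-01.csv").write_bytes(b"mrn,test,result\n000123,A1C,5.6\n")

        # The manifest is taken at backup time and must itself live somewhere ransomware
        # cannot rewrite it, e.g. alongside the offline, encrypted copy.
        manifest = build_manifest(tmp / "primary")

        # Hypothetical locations: (media type, offsite?)
        locations = {
            "disk-local": ("disk", False),
            "tape-local": ("tape", False),
            "disk-offsite": ("disk", True),
        }
        for name in locations:
            shutil.copytree(tmp / "primary", tmp / name)

        # Simulate ransomware reaching the always-mounted local disk copy: one file is
        # overwritten with ciphertext and a ransom note appears.
        (tmp / "disk-local" / "records" / "labs-2024-01.csv").write_bytes(os.urandom(64))
        (tmp / "disk-local" / "README_DECRYPT.txt").write_bytes(b"your files are encrypted")

        reports = {name: verify_copy(tmp / name, manifest) for name in locations}
        inventory = [
            {"location": name, "media": media, "offsite": offsite, "clean": copy_is_clean(reports[name])}
            for name, (media, offsite) in locations.items()
        ]
        return {"reports": reports, "problems": check_3_2_1(inventory)}


if __name__ == "__main__":
    result = demo()
    for name, report in result["reports"].items():
        print(name, "clean" if copy_is_clean(report) else report)
    print("3-2-1 problems:", result["problems"] or "none")
```

A matching hash proves only that a copy is unchanged since the manifest was taken; it says nothing about whether the primary was already compromised at that point, which is why the cadence matters and why older manifests should be retained. Keep the manifest itself off the network, with the offline copy, so an attacker who reaches the backup server cannot rewrite both the data and the record used to check it.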
Adopting a Zero-Trust Security Model
Encryption helps protect data, but controlling access to that data is equally important. A zero-trust approach ensures that no user or device is automatically trusted, regardless of location or credentials. Every request for access is verified through a combination of identity checks, device health assessments, and contextual risk evaluation.
Given the mobile and distributed nature of today's healthcare workforce, this approach is particularly relevant. From clinicians accessing records on tablets to administrators working remotely, every endpoint is a potential point of compromise. Encrypting data and enforcing a zero-trust framework together mitigate the risk of unauthorized access, even if a device is compromised.
Don’t Overlook Training and Awareness
Even the best encryption and access controls can be undone by human error. That’s why ongoing education and training should be part of any security strategy. Staff should understand how encryption works, when and why it’s used, and how to handle ePHI securely. Training should be practical, engaging, and tailored to the roles of different team members.
Employees cut both ways: they are your first line of defense as well as your weakest link. Regular, relevant training can significantly reduce the risk of accidental breaches, successful phishing attacks, and even insider threats.
Why Hardware Encryption is the Right Choice for Protecting Data
Healthcare data moves constantly, between clinical systems, remote clinicians, and vendors, and each transfer introduces risk. Hardware encryption isolates the cipher and the key from the host operating system, so data on the device stays encrypted even if the host is compromised. One caveat a practitioner should keep in mind: once a drive is unlocked, the host can read it like any other storage, so devices should be locked or disconnected whenever they are not in active use. Hardware encryption is a vital safeguard for protecting data at rest, the state in which many breaches begin.
Benefits of Hardware Encryption:
- Encrypts data on the device, independent of any software.
- Aligns with FIPS 140-2 / 140-3 validation to support HIPAA and other federal standards.
- Deters tampering with PIN-authenticated, tamper-evident designs that prevent unauthorized access or manipulation.
- Minimizes key-exposure risk: keys are generated and held on the device rather than in host memory, where software-based encryption necessarily exposes them.
Apricorn: Trusted Hardware Encryption for All Facets of Healthcare
Apricorn’s Aegis Secure Drives and Secure Keys offer software‑free, hardware‑encrypted storage designed to safeguard data wherever it lives. Every encryption process occurs entirely within the device, keeping keys and credentials off the host system.
- Enables plug‑and‑play across Windows, macOS, Linux, and industrial platforms—no software or drivers.
- Delivers FIPS 140-2 validated protection (Level 2 or Level 3 depending on model; 140-3 validation pending).
- Supports TAA‑compliant procurement for regulated buying programs.
- Withstands dust, water, and extreme field conditions with rugged construction.
- Streamlines local provisioning with Aegis Configurator; enforces PIN/policy settings and retains setup logs—no cloud or centralized management. Provisioning can also be performed directly on the device (Admin mode).
Device Selection Guide (Quick Specs)
| Device | Interface / Speed | Certifications | Best For |
|---|---|---|---|
| Aegis NVX | USB-C, 10Gbps; up to ~1000MB/s | IP68; FCC; CE; VCCI; TAA | High-speed requirements, imaging, rugged environments |
| Fortress L3 | USB Type-A and Type-C; 5Gbps | FIPS 140-2 Level 3 (140-3 pending); FCC; CE; TAA | Multi-user deployments; adaptable to USB-A or USB-C hosts |
| Aegis Padlock DT FIPS | USB Type-A; 5Gbps | FIPS 140-2 Level 2 (140-3 pending); FCC; CE; TAA | Offline backups, DR vaults |
| Aegis Secure Key 3NX | USB Type-A; 5Gbps, up to 160MB/s | FIPS 140-2 Level 3 (140-3 pending); IP67; FCC; CE; TAA | Pocketable, vendor exchanges, firmware |
| Aegis Secure Key 3NXC | USB Type-C; 5Gbps, up to 160MB/s | FIPS 140-2 Level 3 (140-3 pending); IP67; FCC; CE; TAA | Pocketable USB-C, vendor exchanges, firmware |
| Aegis Secure Key 3 | USB Type-A; 5Gbps, up to 195/160MB/s | FIPS 140-2 Level 3 (140-3 pending); IP67; FCC; CE; TAA | Fastest USB-A model, capacities up to 2TB |
Note: All Aegis devices are software‑free and authenticate/encrypt on‑device; provisioning is performed locally via Aegis Configurator or directly on the device (Admin mode).
Building a Ransomware‑Resilient Healthcare Ecosystem
As healthcare systems evolve, cybersecurity must evolve too. Hardware-based encryption provides an essential layer of defense: isolated, verifiable, and aligned with the highest federal and industry standards. With Apricorn's rugged, FIPS 140-2 validated devices (140-3 pending), healthcare providers can protect data integrity across multiple platforms, ensuring reliability, compliance, and trust at every level of operation.
- Offline Backups: Protect recovery data on encrypted drives stored off‑network.
- Clean Media Policies: Deploy pre‑configured Read‑Only devices for field updates.
- Air‑Gapped Forensics: Capture investigation data securely, even from compromised systems.
- Controlled Vendor Access: Assign individual encrypted drives with revocable credentials.
- Audit Readiness: Use local Aegis Configurator setup logs to demonstrate policy enforcement and chain‑of‑custody for configured devices.
Final Thoughts: Lead with Encryption
The threat environment in healthcare already justifies the need for encryption of ePHI. The proposed HIPAA rule change, however, gives your organization a tangible, topical reason to reconsider your position on encryption. Organizations that act now to adopt encryption as a default, not an exception, will be better positioned to protect patient data, respond to regulatory changes, and build trust with the communities they serve.
Ultimately, this isn’t just about compliance. It’s about doing the right thing. Encrypt your data. Back it up and confirm those backups are clean. Train your people on how to deal with data. Whether mandated by law or not, these are the standards we should hold ourselves to in an industry where privacy and safety go hand in hand.