The Office for Civil Right released their January 2026 OCR Cybersecurity Newsletter. We have condensed this in an effort to educate regulated entities what is necessary under the HIPAA rules. Many organizations try to manage their data security on their own or utilize IT vendors that may not be well versed in data security and the HIPAA rules.
We hope this will help you to understand how cybersecurity and the HIPAA rules intersect. In the end, this is how to protect patient data and your organization. Remember, HIPAA is not optional, and it is more involved than ever before.
System Hardening and Protection of ePHI
System hardening requires installing, enabling, and properly configuring security measures across all systems. Organizations should enable built-in security features within devices, operating systems, and applications. They should also deploy third-party security tools such as anti-malware, EDR, and SIEM solutions when appropriate.
These safeguards support HIPAA Security Rule technical requirements, including access controls, encryption, audit logging, and authentication. Risk analysis and risk management decisions should guide which security measures an organization implements. Organizations may need third-party solutions, such as multi-factor authentication, when native options are unavailable. Establishing standardized security baselines helps ensure consistent protection and reduces risk to ePHI.
Patching Known Vulnerabilities
Applying patches protects electronic protected health information by reducing known security vulnerabilities. Organizations must keep operating systems, applications, and device firmware, including network equipment, up to date. Maintaining an accurate IT asset inventory helps identify systems that require patching.
The HIPAA Security Rule requires organizations to identify and manage risks to ePHI, including unpatched software. Patching is an ongoing process because new vulnerabilities emerge over time. When patches are unavailable, organizations must implement alternative security measures to reduce risk to an appropriate level.
Removing or Disabling Unneeded Software and Services
Many systems include unused or preinstalled software that increases security risk by expanding the system’s attack surface. This software may include games, social media applications, messaging tools, duplicate utilities, or insecure system services. Organizations should regularly review installed software and disable or remove anything not required for business operations. Unneeded software may create default or service accounts with elevated privileges and weak or known passwords. Attackers can exploit these accounts if organizations do not manage them properly.
Organizations must change default credentials, remove unused accounts, and delete accounts created by uninstalled software. Removing unnecessary software strengthens system security, especially when patches are unavailable. Organizations should test and document changes to ensure continued protection of ePHI under the HIPAA Security Rule.
Enabling and Configuring Security Measures
System hardening requires organizations to install, enable, and properly configure appropriate security measures. Organizations should activate built-in security features on devices, operating systems, and software. They should also deploy third-party tools such as anti-malware, EDR, and SIEM solutions when needed.
These security measures support HIPAA Security Rule technical safeguard requirements, including access controls, encryption, audit logging, and authentication. Organizations should base safeguard decisions on their risk analysis and risk management plan. Some systems may require additional controls, such as multi-factor authentication, through third-party solutions. Standardized security baselines help ensure consistent protection and reduce risk to electronic protected health information.
Protect Your Organization Before It’s Too Late
HIPAA compliance isn’t a one-time project — it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper™ system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.
Schedule a free HIPAA checkup today at Aris Medical Solutions.
