HIPAA 2025 changes: The Impact and how to address the new requirements

Julissa Caraballo

Principal Product Marketing Manager, Axonius


HIPAA is raising the bar for healthcare organizations and their service providers that handle Personal Healthcare Information (PHI). This post highlights the changes with direct impact on your security controls.

In January 2025, the U.S. Department of Health and Human Services (HHS) released a Notice of Proposed Rulemaking (NPRM) to bolster requirements of the HIPAA Security Rule for the first time in two decades. The proposed changes reflect the escalating cyber threats targeting healthcare and the growing need for organizations to adopt real-time, risk-based security operations.

The updates haven’t been finalized yet, but the message from regulators is crystal clear: the era of one-and-done audits and vague policy interpretations is over. Healthcare organizations are expected to modernize their security posture by embracing operationalized controls that can withstand today’s threats.

If adopted, the new HIPAA rule will require healthcare providers and business associates to implement:

  • Mandatory multi-factor authentication (MFA)

  • Continuously updated asset inventories

  • Ongoing risk assessments

  • Elimination of extraneous or unauthorized software

  • Encryption of data at rest and in transit

  • Automated audit logging

For healthcare providers, insurers, and business associates, these aren’t minor policy tweaks. They represent a fundamental operational shift. And for security and compliance leaders already strained by staff shortages, legacy systems, and fragmented tools, meeting these new demands can feel like a massive uphill climb.

The NPRM drew over 4,000 public comments, highlighting both concern over the operational lift and broad agreement that current practices are no longer sufficient. A final rule is expected later this year, with enforcement likely to begin in 2026 after a grace period.

That makes 2025 the time to act, not react. The organizations that begin preparing now will be in the best position to meet the requirements when they become law, and to strengthen their security posture in the process.

These proposed requirements may seem straightforward, but implementing them across complex, hybrid environments is anything but. Let’s take a closer look at what each one entails, and how Axonius makes compliance achievable.

MFA Is Now Required. Axonius Ensures It’s Enforced.

Multi-factor authentication is no longer optional. The HIPAA update formalizes what security professionals have long known: passwords alone don’t cut it. MFA must be implemented on all systems that store, transmit, or access ePHI, including EHR platforms, cloud services, medical devices, and third-party vendor portals.

The problem? Most healthcare environments are riddled with inconsistent enforcement. MFA may be turned on for some core systems but not for critical SaaS apps or internal tools. Shadow accounts and legacy integrations often fly under the radar. IT teams don’t have a reliable way to validate which users actually have MFA enabled, with risk-appropriate policies, across every application, and which don’t.

Axonius changes that.

By aggregating data from identity providers, authentication logs, SaaS platforms, endpoint agents, and more, Axonius builds a complete picture of every user, every device, and every system they access. We don’t stop at checking whether MFA is available; we validate whether it’s actually in place and being used. Whether someone bypasses SSO, reuses credentials across systems, or accesses sensitive data from a personal device, Axonius uncovers it. And because the data is always current, you don’t need to wait for your next audit to find the gaps.

Asset Inventory Requirements Now Demand Real-Time Context

In the past, maintaining an asset inventory often meant maintaining a spreadsheet or relying on a static CMDB. But in today’s hybrid, fast-moving environments, where new SaaS apps are spun up without IT approval and unmanaged devices access patient data daily, those methods are dangerously outdated.

The updated HIPAA rule explicitly requires organizations to maintain an accurate and continuously updated inventory of all systems handling ePHI. That includes traditional endpoints, mobile devices, IoT devices, cloud workloads, third-party SaaS applications, and customer-facing portals.

Axonius gives you that inventory in real time, without manual effort. By connecting to the tools you already use (EDR, MDM, IdPs, vulnerability scanners, cloud platforms, and more), Axonius automatically discovers and correlates every asset in your environment. It then enriches each asset with contextual data like user ownership, security control coverage, software installed, and recent activity.

This isn’t just a list of machines. It’s a living, breathing system of record for your entire IT environment, updated continuously and actionable at every level.

Risk Assessments Must Be Continuous, Not Annual

Perhaps the most transformative change in the 2025 HIPAA update is the requirement for ongoing risk assessment. It’s no longer enough to conduct a once-a-year audit or file a compliance checklist. Organizations are now expected to continuously identify and mitigate security risks in real time.

That’s a tall order, especially when most environments are flooded with alert noise, lack integration between tools, and rely on human intervention to detect and respond to misconfigurations or policy drift.

Axonius makes risk visible by design. Traditional tools often operate in silos, separating asset data from identity data, and treating security and business context as distinct. The result? Risk assessments become just another compliance checkbox, disconnected from the reality of how users and systems operate.

Axonius takes a different approach. By correlating identity, device, software, and cloud data into a unified platform, Axonius reveals exposures that point solutions simply can’t see. Dormant accounts with elevated access. Devices missing endpoint protection. Overprovisioned identities accessing unsanctioned SaaS apps.

These aren’t just technical issues; they’re operational risks. Axonius connects the dots between who is accessing what, from where, and why it matters, so that risk assessments move beyond documentation and actually drive security decisions.

More importantly, Axonius makes this insight actionable. Automated enforcement rules and reporting allow security and GRC teams to move from reactive auditing to real-time prevention. You don’t just uncover risks; you resolve them with confidence.

Extraneous Software Must Be Removed, But First, You Have to Find It

Under the new rule, healthcare organizations are also required to identify and remove unnecessary or unused software. Why? Because unmaintained apps increase the attack surface, introduce potential vulnerabilities, and expose sensitive data.

But here’s the catch: most IT and security teams don’t have visibility into what’s running in their environment. Especially in healthcare, where clinical staff may install tools on the fly, or third-party vendors leave behind applications after projects end, software sprawl is rampant.

Axonius delivers the full picture.

The platform continuously inventories all software across all devices, servers, and virtual machines, and also uncovers SaaS apps in use, even those that were never officially onboarded or approved. Axonius connects software data to the identities using it, so you can see who’s responsible, when it was last used, and whether it meets policy requirements.
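The correlation idea running through the MFA, inventory, risk and software sections above (join what the identity provider, the authentication logs, the MDM/cloud inventories, the EDR and the software inventory each know, then look for gaps between them) can be shown in a few dozen lines. The script below is an added example for this post; it is not Axonius code and not part of the original article. Every data source, field name, threshold and the list of systems treated as handling ePHI is an assumption made for the example, and the exports are constructed inline rather than pulled from real tools.

```python
"""Correlate constructed exports from several sources to surface the kinds of
gaps the post describes: accounts without MFA, logins to ePHI systems that
bypass SSO, dormant privileged accounts, devices missing endpoint protection,
and stale software. All data below is constructed for the example."""
from datetime import date

AS_OF = date(2025, 6, 15)       # "today" for the example run (assumed)
DORMANT_DAYS = 90               # assumed: privileged account unused this long is dormant
STALE_SOFTWARE_DAYS = 180       # assumed: software unused this long is a removal candidate
EPHI_APPS = {"ehr-portal", "billing-saas"}   # assumed list of systems handling ePHI

# Constructed identity-provider export
USERS = [
    {"user": "alice",      "mfa": True,  "privileged": True,  "last_login": "2025-06-01"},
    {"user": "bob",        "mfa": False, "privileged": False, "last_login": "2025-06-02"},
    {"user": "svc-backup", "mfa": False, "privileged": True,  "last_login": "2024-11-15"},
    {"user": "carol",      "mfa": True,  "privileged": True,  "last_login": "2025-01-10"},
]
# Constructed authentication events from application and SSO logs
AUTH_EVENTS = [
    {"user": "alice",      "app": "ehr-portal",   "method": "sso"},
    {"user": "bob",        "app": "ehr-portal",   "method": "password"},
    {"user": "bob",        "app": "wiki",         "method": "sso"},
    {"user": "svc-backup", "app": "billing-saas", "method": "api_key"},
]
# Constructed device inventories (MDM export, cloud platform) and hosts reporting to EDR
MDM_DEVICES = ["ws-alice", "ws-bob", "tablet-ward3"]
CLOUD_VMS = ["vm-ehr-db", "vm-ehr-web"]
EDR_HOSTS = {"ws-alice", "vm-ehr-web"}
# Constructed software inventory: (host, application, last used)
SOFTWARE = [
    ("ws-bob",   "LegacyReportTool", "2024-09-01"),
    ("ws-alice", "EHRClient",        "2025-06-10"),
    ("ws-bob",   "EHRClient",        "2025-06-12"),
]


def days_since(iso_date: str) -> int:
    """Whole days between a YYYY-MM-DD string and AS_OF."""
    return (AS_OF - date.fromisoformat(iso_date)).days


def mfa_gaps(users=USERS):
    """Accounts with no MFA enrolment, whatever system they are used on."""
    return sorted(u["user"] for u in users if not u["mfa"])


def sso_bypass(events=AUTH_EVENTS):
    """(user, app) pairs where an ePHI system was reached without going through SSO."""
    return sorted({(e["user"], e["app"]) for e in events
                   if e["app"] in EPHI_APPS and e["method"] != "sso"})


def dormant_privileged(users=USERS):
    """Privileged accounts with no login inside the dormancy window."""
    return sorted(u["user"] for u in users
                  if u["privileged"] and days_since(u["last_login"]) > DORMANT_DAYS)


def devices_missing_edr(mdm=MDM_DEVICES, cloud=CLOUD_VMS, edr=EDR_HOSTS):
    """Assets known to MDM or the cloud platform that the EDR has never reported."""
    return sorted((set(mdm) | set(cloud)) - set(edr))


def stale_software(software=SOFTWARE):
    """(host, application) pairs not used within the staleness window."""
    return sorted((host, app) for host, app, last_used in software
                  if days_since(last_used) > STALE_SOFTWARE_DAYS)


def high_risk_accounts():
    """Risky combination: no MFA *and* reached an ePHI system outside SSO."""
    bypassing = {user for user, _ in sso_bypass()}
    return sorted(set(mfa_gaps()) & bypassing)


def findings():
    """All checks in one report-ready structure."""
    return {
        "mfa_gaps": mfa_gaps(),
        "sso_bypass": sso_bypass(),
        "dormant_privileged": dormant_privileged(),
        "devices_missing_edr": devices_missing_edr(),
        "stale_software": stale_software(),
        "high_risk_accounts": high_risk_accounts(),
    }


if __name__ == "__main__":
    for name, items in findings().items():
        print(f"{name}: {items}")
```

The point of the example is the joins, not any single list: `high_risk_accounts` only exists because the identity export and the authentication log were correlated, and `devices_missing_edr` only exists because two inventories were compared against a third. In a real environment the constructed lists would be replaced by API exports from each tool, and the thresholds would come from the organization’s own risk policy.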

Whether you need to reduce licensing costs, shrink your attack surface, or meet HIPAA’s new software hygiene requirements, Axonius gives you the visibility, and control, to take action.

Why Axonius? Because Compliance Is a Byproduct of Control

The 2025 HIPAA update doesn’t just demand better policies. It demands a better operational reality. That means organizations must move beyond manual tracking, siloed tools, and point-in-time audits. What’s required now is continuous validation, automated remediation, and the ability to see across the entire environment: identities, assets, software, and risk.

That’s what Axonius delivers.

For healthcare organizations, Axonius becomes a control plane, not just for asset management, but for compliance, identity governance, and security operations. With a single platform, you gain:

  • A real-time, unified view of every asset and user in your environment

  • Continuous validation that MFA, security controls, and risk policies are enforced

  • Automated detection of risky combinations, policy violations, and compliance gaps

  • Faster investigations, streamlined audits, and less time spent on manual reporting

Axonius already supports some of the largest health systems in the world. We’ve helped them modernize their security programs, pass rigorous audits, and prevent breaches, without adding complexity or overhead.

You Can’t Comply with What You Can’t See

The HIPAA update is not a future concern; it’s a current imperative. Healthcare has become one of the most targeted industries in cybersecurity, and regulators are responding accordingly. Compliance now demands speed, accuracy, and continuous control.

If you’re relying on spreadsheets, siloed tools, or annual audits to manage risk, you’re already behind.

Axonius gives you the visibility and automation to move forward—with confidence.



Bonus! 

HIPAA 2025 Readiness Checklist

Where Do You Stand, and What’s Still Missing?

Preparing for HIPAA’s proposed 2025 Security Rule isn’t just about future-proofing, it’s about building the right foundation now. Based on the draft requirements issued by HHS, healthcare organizations will be expected to enforce MFA across all systems, maintain a continuously updated inventory of assets and software, and perform ongoing risk assessments, not once a year, but every day.

That’s why we created this checklist.

It’s designed to help compliance, IT, and security leaders quickly assess where they stand today and identify the critical capabilities they need to operationalize before the final rule takes effect. Whether you’re already planning for the transition or just getting started, this checklist will help you prioritize what matters most, and understand how Axonius can close the gap.

Don’t Wait for the Final Rule, Start Preparing Now

Use this checklist to evaluate where you stand, and where Axonius can help.

Multi-Factor Authentication (MFA)

  • MFA is enforced across all systems accessing ePHI (on-prem, cloud, and SaaS)
  • I can identify accounts without MFA or those bypassing SSO
  • I have visibility into how authentication policies are enforced across users

How Axonius Helps:

Surface MFA gaps across all environments, detect SSO bypass, and validate enforcement in real time.

Real-Time Asset Inventory

  • I maintain a live inventory of all devices, cloud workloads, and applications
  • I can link each asset to an identity, location, and security coverage
  • Shadow IT and unmanaged devices are discovered automatically

How Axonius Helps:

Correlates asset data from your existing tools to deliver a continuously updated, identity-aware inventory.

Continuous Risk Assessment

  • I conduct risk assessments on a continuous, not annual, basis
  • The right teams are alerted in real time to toxic access combinations and control gaps
  • Risk insights are actionable and trackable, across devices, users, and apps

How Axonius Helps:

Identifies and surfaces risk using correlated asset, identity, and software data, then enables automated response.

Software Hygiene

  • I can identify unused, unauthorized, or risky software across the environment
  • I can map software usage to the user and device level
  • I have workflows in place to remove or isolate unnecessary software

How Axonius Helps:

Provides visibility into installed and SaaS-based software and supports clean-up through policy-driven workflows.



Want to see how Axonius supports your HIPAA readiness efforts? Get started.