Kumar Sokka, chief executive of Acre Security, explains that most healthcare facilities are not ready for changes to healthcare data protection requirements. 

The proposed overhaul of the HIPAA (Health Insurance Portability and Accountability Act) Security Rule, expected to be finalised by the middle of the year, is the most significant update to healthcare data protection requirements in more than a decade and is a potential guide to how the UK will handle the issue. 

The US Department of Health and Human Services (HHS) estimates the first-year compliance cost at $9 billion (£6.8 billion), with $6 billion annually for years two through five. For facilities that don’t comply, the financial exposure is steep: penalty tiers range from $141 per violation at the lowest end to over $2.1 million per violation for willful neglect, with annual caps reaching $2.19 million per provision violated. Criminal penalties for knowing disclosure of protected health information can reach $250,000 and up to ten years in prison.

But the real cost of non-compliance isn’t measured in fines alone. Healthcare workers face violence at rates roughly five times higher than in other industries. US hospitals spent $18.27 billion on violence-related costs in 2023. More than half of nurses have reported abuse or assault in recent years, and many are leaving the profession because of it. 

When physical access systems can’t revoke a terminated employee’s badge in time, or when a networked camera becomes the entry point for a ransomware attack, the consequences are not financial abstractions. They are staff injuries, patient harm and operational shutdowns. Non-compliance isn’t just a regulatory risk. It is a safety risk.


Significant scope

That is also what makes this overhaul different from previous updates. The scope of what the new rule requires is significant, but it is also an opportunity that healthcare facilities have not had before: a reason to invest in infrastructure that doesn’t just satisfy a compliance checklist but makes their buildings genuinely safer.

The revised rule eliminates the distinction between “addressable” and “required” safeguards. Every control is now mandatory. That includes multifactor authentication for all access to ePHI, encryption at rest and in transit, annual penetration testing, vulnerability scans every six months, network segmentation with comprehensive asset inventories, and restoration of compromised systems within 72 hours. Access credentials must be revoked within one hour of termination.

On the IT side, most of this is an extension of what healthcare cybersecurity teams have been building toward for years. On the physical side, it is a step change. One-hour credential revocation means every badge, every door credential, every visitor pass needs to be deactivated simultaneously across every facility and every restricted area. Network segmentation means cameras, access control panels, and alarm systems that sit on the same network as medical devices and patient records now need to be inventoried, mapped, and logically separated. Physical security infrastructure that touches the network is in scope for the first time.
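The one-hour revocation requirement is only verifiable if the termination record and the deactivation events from each physical security system can be reconciled. The script below is an added example, not code from the article or from Acre Security: it takes HR termination events and revocation events exported from separate systems (the system names "badge", "door" and "visitor" and the event fields are assumptions) and reports, per person and per system, whether the credential was deactivated inside the one-hour window, was deactivated late, or was never deactivated at all. The sample events are constructed.

```python
"""Audit one-hour credential revocation across physical access systems.

Added example (not from the article or Acre Security). Reconciles HR
termination events against revocation events from separate physical
security systems and flags credentials that were revoked late or never.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SLA = timedelta(hours=1)                          # one-hour revocation requirement
REQUIRED_SYSTEMS = ("badge", "door", "visitor")   # assumed set of systems to reconcile


@dataclass(frozen=True)
class Termination:
    person_id: str
    processed_at: datetime        # when HR processed the termination


@dataclass(frozen=True)
class Revocation:
    person_id: str
    system: str                   # which physical security system emitted the event
    revoked_at: datetime


@dataclass(frozen=True)
class Finding:
    person_id: str
    system: str
    status: str                   # "ok", "late" or "not_revoked"
    delay: Optional[timedelta]    # HR processing -> revocation; None if never revoked


def audit_revocations(terminations: List[Termination],
                      revocations: List[Revocation],
                      required=REQUIRED_SYSTEMS,
                      sla: timedelta = SLA) -> List[Finding]:
    """Produce one finding per (terminated person, required system)."""
    # Index revocation times by person and system so each lookup is direct.
    index: Dict[str, Dict[str, List[datetime]]] = {}
    for r in revocations:
        index.setdefault(r.person_id, {}).setdefault(r.system, []).append(r.revoked_at)

    findings: List[Finding] = []
    for t in terminations:
        for system in required:
            times = index.get(t.person_id, {}).get(system, [])
            if not times:
                # No system ever deactivated this credential: the worst case.
                findings.append(Finding(t.person_id, system, "not_revoked", None))
                continue
            # The earliest revocation counts. One logged before HR processed the
            # termination (a pre-emptive disable) is treated as zero delay.
            delay = max(min(times) - t.processed_at, timedelta(0))
            status = "ok" if delay <= sla else "late"
            findings.append(Finding(t.person_id, system, status, delay))
    return findings


def violations(findings: List[Finding]) -> List[Finding]:
    """Findings that breach the SLA, for the audit report."""
    return [f for f in findings if f.status != "ok"]


def per_person_status(findings: List[Finding]) -> Dict[str, str]:
    """A person is compliant only if every required system revoked in time."""
    result: Dict[str, str] = {}
    for f in findings:
        if f.status != "ok":
            result[f.person_id] = "non-compliant"
        else:
            result.setdefault(f.person_id, "compliant")
    return result


# Constructed sample data: three terminations on one morning.
_DAY = datetime(2025, 3, 3)
SAMPLE_TERMINATIONS = [
    Termination("E1001", _DAY.replace(hour=9)),
    Termination("E1002", _DAY.replace(hour=10)),
    Termination("E1003", _DAY.replace(hour=11)),
]
SAMPLE_REVOCATIONS = [
    # E1001: every system deactivated within minutes.
    Revocation("E1001", "badge", _DAY.replace(hour=9, minute=5)),
    Revocation("E1001", "door", _DAY.replace(hour=9, minute=5)),
    Revocation("E1001", "visitor", _DAY.replace(hour=9, minute=10)),
    # E1002: badge on time, door three hours late, visitor pass never revoked.
    Revocation("E1002", "badge", _DAY.replace(hour=10, minute=20)),
    Revocation("E1002", "door", _DAY.replace(hour=13)),
    # E1003: badge disabled pre-emptively, door at 59 min, visitor at 61 min.
    Revocation("E1003", "badge", _DAY.replace(hour=10, minute=50)),
    Revocation("E1003", "door", _DAY.replace(hour=11, minute=59)),
    Revocation("E1003", "visitor", _DAY.replace(hour=12, minute=1)),
]

if __name__ == "__main__":
    for f in violations(audit_revocations(SAMPLE_TERMINATIONS, SAMPLE_REVOCATIONS)):
        print(f"{f.person_id} {f.system:8s} {f.status:12s} delay={f.delay}")
```

Run against real exports, the same reconciliation gives a defender two things the article's requirement implies but a single system cannot show: which physical security system is the slow link, and which terminated identities still hold a live credential somewhere.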

The infrastructure required to comply with these rules (unified systems that connect physical access control, video, visitor management and cyber monitoring into a single operational layer) is the same infrastructure that unlocks capabilities most healthcare facilities have never had access to.

AI-powered screening that identifies concealed weapons without the bottleneck of traditional metal detectors. Intelligent video analytics that detect behavioural anomalies in real time while maintaining patient privacy by blurring sensitive information and avoiding facial recognition. Wearable duress devices that trigger coordinated, facility-wide responses in seconds. Automated watchlist screening at entry points. Credential revocation that happens the moment HR processes a termination, not when someone remembers to collect a badge.

Kumar Sokka, chief executive of Acre Security.

Organisational catalyst

None of this is theoretical. These capabilities exist today. What has been missing is the organisational catalyst to deploy them at scale. The HIPAA overhaul may be that catalyst, not because the rule mandates every one of these technologies, but because the compliance infrastructure they require (unified platforms, real-time monitoring, automated access management, network segmentation) is the foundation all of them run on.

HHS estimates that if the new rule reduces the number of individuals affected by breaches by just 7% to 16%, the $9 billion investment pays for itself. For facilities that use this moment to unify their physical and digital security, the return will go well beyond compliance. It will show up in staff retention, in patient outcomes, and in buildings where people feel safe enough to do their best work.