What is happening?
On January 6th, 2025, the Office of Civil Rights (OCR) published a new set of cybersecurity requirements as part of the Notice of Proposed Rulemaking (NPRM) in the Federal Register. The proposal mandates that healthcare organizations strengthen their cybersecurity defenses, transitioning from a reactive approach to a risk-based focus. Once finalized, it will result in an update to the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).
What is the HIPAA Security Rule and the Proposed Update?
The HIPAA Security Rule established national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used or maintained by a covered entity. It required the implementation of appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. However, the current HIPAA Security Rule has proven insufficient and is outdated. A significant overhaul was needed to address today’s rapidly evolving threat landscape.
This is the purpose of the HIPAA Security Rule Update. The proposed update aims to achieve the following outcomes:
- Strengthen the Security Rule
- Tackle the rise in cyberattacks and breaches in healthcare
- Shift from reactive and preventative approaches to a cyber resilience mindset
Why does it matter?
This is a significant update for the healthcare sector: it removes the definition of addressable implementation specifications (considered optional), meaning that all implementation specifications will now be mandatory.
Some examples of newly required implementation specifications include network segmentation, encryption, and multi-factor authentication (MFA). Additionally, the new rule update emphasizes a risk-based approach to security, which may require organizations to revise internal processes and adopt appropriate technologies to support this shift. This places increased pressure on IT and network security teams to adapt quickly in order to meet the new compliance requirements.
One of HIPAA’s key callouts is specifically focused on network segmentation. The security rule update describes network segmentation as a “physical or virtual division of a network into multiple segments, creating boundaries between the operational and IT networks to reduce risks, such as threats caused by phishing attacks”. The primary objective of network segmentation is to prevent and contain lateral movement by attackers within an environment.
How can Cisco Secure Workload help my organization stay compliant?
Cisco Secure Workload seamlessly delivers zero trust micro-segmentation for your application workloads across any location, any infrastructure and any form factor workload from a single console. With comprehensive visibility into every workload interaction and powerful AI/ML driven policy lifecycle automation, Secure Workload reduces the attack surface, prevents lateral movement, identifies workload behavior anomalies, helps rapidly remediate threats, and continuously monitors compliance.

Cisco Secure Workload can help your organization stay compliant with the HIPAA Security Rule Update in two key areas:
- Administrative Safeguards: the policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and manage workforce conduct.
- Technical Safeguards: the technology and related policies that protect ePHI and control access to it.
The illustration below highlights the relevant CFRs (Code of Federal Regulations) where Secure Workload provides capabilities that either fulfill or complement the defined standards and implementation specifications.


Secure Workload Key Capabilities and HIPAA Mapping:
1. Application Flow Observability
Cisco Secure Workload provides deep visibility into application workload network telemetry (e.g., 5-tuple network flows, SRTT), offering detailed flow insights such as TLS/SSH versions, algorithms, and ciphers. This helps identify weak or obsolete transmission protocols—critical for securing data-in-transit communications, as explicitly referenced in CFR 164.312(g). In addition, Secure Workload delivers rich process-level telemetry, enabling security teams to understand which processes and users generated specific traffic flows. This visibility empowers network and security teams to accurately map application behavior and attribute traffic to the originating services and processes.


2. Workload Runtime Observability
Cisco Secure Workload provides comprehensive visibility into the runtime state of your workload environment. It reports key runtime metrics such as process resource consumption, detection of malicious or suspicious processes, installed software packages, known vulnerabilities, and their associated risk levels.
Additionally, Secure Workload enables Security Operations teams to detect abnormal behavior by tracking process-level activity over time. These capabilities directly support compliance with CFR 164.308(a)(7), 164.312(c)(2), 164.312(d)(2), and 164.312(h)(2).


3. Application Network Map
One of the most critical updates in the proposed rule is the requirement to develop a network map that illustrates the movement of protected health information (PHI) across systems. This is explicitly referenced in CFR 164.308(a)(1)(B) under the Technology Asset Inventory.
This is a core capability of Cisco Secure Workload, which can automatically generate a network map that visualizes communication patterns between the organization’s application workloads—enabling network and network security teams to track PHI flow and identify potential exposure points.


4. Asset Inventory
The updated HIPAA Security Rule places strong emphasis on maintaining a comprehensive technology asset inventory, as outlined in CFR 164.308(a)(1)(A). This requirement is foundational for tracking systems that handle electronic protected health information (ePHI). Additionally, CFR 164.312(a)(1)(2) mandates that each asset be assigned a unique identifier as part of the implementation specifications.
Cisco Secure Workload enhances this requirement by enabling network and security teams to identify and label application workloads with up to 32 custom labels directly on the system. It also supports deep integration with external systems of record, including:
- IPAMs (e.g., Infoblox)
- CMDBs (e.g., ServiceNow)
- Virtualization platforms (e.g., VMware vCenter)
- DNS servers
- Cloud providers
- Load balancers (e.g., F5, Citrix)
- User and endpoint identity systems (e.g., Cisco Secure Client, Cisco ISE, Active Directory, Entra ID)
This enables organizations to build and maintain a dynamic, real-time inventory of assets involved in the handling of ePHI.


5. Access Control
Segmentation is a key pillar in the proposed HIPAA Security Rule Update, emphasizing the need to implement network segmentation to prevent the lateral movement of malicious actors. This requirement is explicitly referenced in the implementation specification under 164.312(a)(1)(2)(vi).
Cisco Secure Workload offers flexible and adaptive segmentation capabilities, ranging from macro-segmentation and zone-based firewall segmentation to micro-segmentation at the workload level—even down to process-level segmentation, if needed. This approach enables organizations to implement access controls that align with their current architecture while meeting HIPAA’s evolving security expectations.


6. Policy Lifecycle Management
Traditionally, segmentation efforts have focused on where to enforce policies. However, the real challenge lies in determining the appropriate level of granularity and managing the entire policy lifecycle—especially in environments with a growing number of policy managers and enforcement points.
This is where Cisco Secure Workload truly excels. Designed from the ground up to automate policy lifecycle management, it leverages a dynamic, intent-based policy engine to define, validate, enforce, and continuously monitor active policies. Once a policy is no longer needed, it can be cleanly decommissioned, reducing operational overhead and minimizing risk.


7. Application Dependency Mapping
Defining policies for application workloads is not a trivial task—especially when network and security teams lack visibility into application communication patterns. That’s why the Cisco Secure Workload Policy Engine includes application dependency mapping, which automatically discovers the communication flows and dependencies each application requires to function.
This capability is foundational, serving as the backbone for other implementation specifications. It enables the creation of a living policy that can be dynamically deployed into the network to enforce effective and accurate segmentation.


8. Policy Analysis
Given the distributed nature of modern application workloads, which can be deployed at any time across on-premises or multi-cloud environments, it is critically important to understand and validate policy intent both before and after enforcement.
With Policy Analysis, Cisco Secure Workload evaluates intended policies against real network traffic flows to ensure accuracy before deployment and continuously monitors compliance after enforcement.
Additionally, Secure Workload features an AI-driven policy engine that provides deep insights into the living policy state, including:
- Policy trends
- Anomalies or conditions that require attention (e.g., policy overshadowing, overly broad rules)
This helps security teams refine policy definitions and maintain precise, risk-aligned enforcement across dynamic environments.




9. Quarantine/Blast-Radius Containment
CFR 164.308(a)(12)(B), under the Security Incident Procedures standard, requires organizations to have the capability to respond to security incidents effectively. Cisco Secure Workload enables rapid risk mitigation in critical scenarios. For example, if a high-risk vulnerability is discovered, specific workloads can be swiftly quarantined from the network. In the case of a ransomware outbreak, Secure Workload allows teams to quickly isolate affected workloads, containing the blast radius and preventing lateral movement across the environment.


10. Compensating Controls
In every organization, there are situations where certain risks cannot be immediately mitigated, or where an alternative method of risk reduction is necessary. CFR 164.308(a)(4) specifically highlights the importance of patch management in such cases. While Cisco Secure Workload is not a patching or vulnerability management tool, it can complement this standard by leveraging vulnerability data from workloads and integrating with Cisco Secure Firewall Management Center. This integration enables the automatic deployment of appropriate IPS rules to help protect against known vulnerabilities and potential exploits—acting as an effective compensating control when patching is not immediately feasible.


Turning Compliance into Meaningful Outcomes with Cisco Secure Workload
Although the updated HIPAA Security Rule has yet to take effect, now is the time for regulated entities to proactively assess their security posture and readiness. Navigating evolving compliance requirements doesn’t have to be complex; with the right tools, it becomes a strategic advantage.
Cisco Secure Workload empowers your organization to implement intelligent, policy-driven segmentation of application workloads, helping you align with upcoming HIPAA mandates and maintain a resilient, compliant security framework.
Want to learn more? Visit the Cisco Secure Workload product page.