
Navigating the 2025 HIPAA Security Rule changes: What you need to know (and how Push can help)

The HIPAA Security Rule is getting a long-overdue facelift in 2025. Here's our quick overview of the key changes and how Push can help you to be compliant.

If you work in healthcare, or support teams that do, you already know that regulatory change can be both necessary and disruptive. The updates bring welcome clarity and stronger security expectations, but they also ask a lot from security teams that are already stretched thin.

Here at Push, we think these changes are a step in the right direction. Better protection for patient data is always the goal. But implementing these new requirements isn’t easy, especially in complex environments with a mix of legacy systems, shadow SaaS, and a hybrid workforce.

So, let’s walk through a few of the biggest changes coming in 2025, why they matter, and how healthcare orgs can begin navigating them effectively.


MFA is no longer optional

In the past, HIPAA called multi-factor authentication an "addressable" control. That gave organizations some wiggle room to implement it where feasible. The 2025 update removes the ambiguity. If your systems handle electronic protected health information, MFA is now mandatory.

This is a good move. Passwords alone just don’t cut it anymore, especially with the rise of credential stuffing, sophisticated phishing attacks, and social engineering. But rolling out MFA across every user? That’s a big lift.

What we often see teams struggle with is coverage. Ensuring MFA is enforced on all apps in your environment is often pretty tough, but starting with a thorough review of application access across the organization is a good first step. Once you have that visibility, you can better assess where gaps in MFA enforcement might exist and then start closing them.

And those gaps are more common than many teams realize. The average employee uses 15 different work applications, yet only 28% of those apps have MFA enabled. Even more worrying, nearly half of those apps missing MFA protection are also using weak or leaked passwords, compounding the risk. 

While this shift will take planning, the good news is that there are tools that can help make it more manageable. Our browser-based agent gives you a way to monitor login activity across your workforce, surfacing when users aren't registered for MFA on apps they regularly use for work. We can even enforce MFA on those accounts, prompting users to set up MFA using a customizable in-browser banner, which helps teams get better coverage without needing to chase down every individual. This is all done where the users are actually logging into their accounts in the browser. No integrations required.

[Image: MFA enrollment banner] Push prompts users to enroll MFA when logging into an app if no MFA method has been detected.

Know your assets and your data flows

One of the more technical (but important!) updates in the 2025 rule is the new requirement to maintain a detailed inventory of all systems that interact with electronic protected health information. This includes not just physical devices and on-prem systems, but cloud services and software as well. The goal is to understand exactly which systems interact with ePHI, how they do it, and where that data goes.

Importantly, this new guidance also requires orgs to remove extraneous software from any systems that handle ePHI. That could mean eliminating unused or redundant apps, retiring legacy systems that no longer meet security standards, or re-evaluating the use of consumer-grade tools for sensitive workflows.

Getting a complete view of your assets is easier said than done, especially when staff are able to self-adopt new tools to increase their productivity. Push tracks the apps your users log into with their work credentials, whether or not those apps are officially sanctioned. This helps you uncover your true application footprint, so you can begin reviewing which SaaS apps are essential and which ones pose unnecessary risk and should be blocked. With better visibility into real-world usage, it becomes much easier to decide which tools are worth keeping.

[Image: Push dashboard] Push gives you a complete view of your assets and how employees are accessing them — enabling you to monitor where data is being stored, and how secure the access methods are.
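The two procedures described above (reviewing application access to find MFA gaps, and building an inventory of the apps users actually log into, sanctioned or not) share the same starting point: a stream of observed work logins. The following is an added example, not Push's code or schema, that folds a constructed set of login observations into a per-app inventory, flags shadow SaaS, and ranks MFA gaps so that the ones compounded by a weak or leaked password and by ePHI exposure come first. The field names, the `SANCTIONED` and `EPHI_APPS` sets, and the severity weights are all assumptions made for this example.

```python
"""
Added example (not Push's code): from constructed browser-side login
observations, build an application inventory and locate MFA-enforcement
gaps, ranking the gaps that also involve weak or leaked passwords first.
"""
from dataclasses import dataclass, field

# Constructed sample telemetry: one record per observed work login.
# Field names are assumptions for this example, not a real product schema.
LOGIN_EVENTS = [
    {"user": "alice", "app": "ehr.example",     "method": "password", "mfa": True,  "pw_weak": False, "pw_leaked": False},
    {"user": "bob",   "app": "ehr.example",     "method": "password", "mfa": False, "pw_weak": True,  "pw_leaked": False},
    {"user": "carol", "app": "ehr.example",     "method": "sso",      "mfa": True,  "pw_weak": False, "pw_leaked": False},
    {"user": "alice", "app": "notes.example",   "method": "password", "mfa": False, "pw_weak": False, "pw_leaked": True},
    {"user": "bob",   "app": "notes.example",   "method": "password", "mfa": False, "pw_weak": False, "pw_leaked": False},
    {"user": "dave",  "app": "chat.example",    "method": "password", "mfa": True,  "pw_weak": False, "pw_leaked": False},
    {"user": "erin",  "app": "pdftool.example", "method": "password", "mfa": False, "pw_weak": True,  "pw_leaked": False},
]

# Apps the org has formally approved (assumption); anything else observed is shadow SaaS.
SANCTIONED = {"ehr.example", "chat.example"}
# Apps known to touch ePHI (assumption); MFA gaps on these rank highest.
EPHI_APPS = {"ehr.example", "notes.example"}


@dataclass
class AppRecord:
    app: str
    sanctioned: bool
    handles_ephi: bool
    users: set = field(default_factory=set)
    users_without_mfa: set = field(default_factory=set)
    users_with_bad_password: set = field(default_factory=set)

    @property
    def mfa_coverage(self) -> float:
        """Fraction of observed users on this app who were seen logging in with MFA."""
        if not self.users:
            return 0.0
        return 1 - len(self.users_without_mfa) / len(self.users)


def build_app_inventory(events, sanctioned=SANCTIONED, ephi_apps=EPHI_APPS):
    """Fold login observations into one AppRecord per application."""
    inventory = {}
    for ev in events:
        rec = inventory.setdefault(
            ev["app"],
            AppRecord(ev["app"], ev["app"] in sanctioned, ev["app"] in ephi_apps),
        )
        rec.users.add(ev["user"])
        if not ev["mfa"]:
            rec.users_without_mfa.add(ev["user"])
        if ev["pw_weak"] or ev["pw_leaked"]:
            rec.users_with_bad_password.add(ev["user"])
    return inventory


def shadow_apps(inventory):
    """Apps seen in real logins that are not on the sanctioned list."""
    return sorted(app for app, rec in inventory.items() if not rec.sanctioned)


def mfa_gaps(inventory):
    """Every (score, app, user) pair lacking MFA, highest-risk first.

    The score is a simple additive triage heuristic; the weights are an
    assumption for this example, not a regulatory formula.
    """
    gaps = []
    for rec in inventory.values():
        for user in rec.users_without_mfa:
            score = 1                                  # missing MFA at all
            if rec.handles_ephi:
                score += 2                             # ePHI exposure
            if user in rec.users_with_bad_password:
                score += 1                             # no MFA *and* weak/leaked password compounds the risk
            if not rec.sanctioned:
                score += 1                             # shadow SaaS: nobody may be reviewing this app
            gaps.append((score, rec.app, user))
    return sorted(gaps, reverse=True)


if __name__ == "__main__":
    inv = build_app_inventory(LOGIN_EVENTS)
    for rec in inv.values():
        print(f"{rec.app:18} users={len(rec.users)} mfa_coverage={rec.mfa_coverage:.0%} sanctioned={rec.sanctioned}")
    print("shadow SaaS:", shadow_apps(inv))
    for score, app, user in mfa_gaps(inv):
        print(f"gap score={score} app={app} user={user}")
```

Run as-is it reports two shadow apps and four MFA gaps, with the unsanctioned ePHI-handling app and the leaked-password user at the top of the list; swapping in your own login telemetry and sanctioned list is the only change needed to turn it into a first-pass gap review.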

Risk analysis needs to get real

The new HIPAA rule puts more emphasis on risk analysis. One-off assessments are no longer sufficient. Organizations need to demonstrate an ongoing process for identifying and evaluating threats and vulnerabilities.

Again, easier said than done. Risk isn’t static, and security teams can’t catch everything with quarterly audits alone. That’s why a lot of orgs are looking for ways to layer in continuous, real-time signals that can flag risk before it becomes a full-blown incident.

Behavioral signals are one way to make that process more dynamic. These give you a better view of how users interact with systems and where potential gaps might be forming. In our own research, we found that one in four IdP accounts still lack MFA. When you combine that with weak credentials and unknown app usage, you get a clearer picture of how vulnerabilities build up over time. 

Push supports that kind of ongoing risk work by providing real-time insights into user behavior. We surface anomalous activity, such as unfamiliar login methods or atypical app usage. These kinds of insights can help teams prioritize where attention is needed most. Even simple changes that follow from those insights, like tightening authentication policies or auditing admin access more regularly, can have a meaningful impact on your risk posture.

[Image: Push identity inventory] Push provides a complete picture of your identity security posture, identifying and prioritising risks for remediation.
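To make the "behavioral signals" idea concrete, here is an added example (not Push's code) of the simplest useful form of it: derive a per-user baseline of which login methods each person uses on each app from a window of historical observations, then flag new logins that deviate from that baseline. The event records and field names are constructed for the example. The signal worth noting for an MFA-mandatory environment is an SSO-only user suddenly authenticating to an app with a password, since that login has sidestepped the IdP and whatever MFA policy it enforces.

```python
"""
Added example (not Push's code): per-user login-method baseline and
deviation flagging over constructed login observations.
"""
from collections import defaultdict

# Constructed baseline window of observed logins (field names are assumptions).
HISTORY = [
    {"user": "alice", "app": "ehr.example",  "method": "sso"},
    {"user": "alice", "app": "ehr.example",  "method": "sso"},
    {"user": "alice", "app": "chat.example", "method": "sso"},
    {"user": "bob",   "app": "ehr.example",  "method": "password"},
]

# Constructed new observations to evaluate against that baseline.
NEW_EVENTS = [
    {"user": "alice", "app": "ehr.example",   "method": "sso"},       # matches baseline
    {"user": "alice", "app": "ehr.example",   "method": "password"},  # SSO-only user using a password
    {"user": "bob",   "app": "notes.example", "method": "password"},  # app never seen for bob
    {"user": "frank", "app": "ehr.example",   "method": "password"},  # user with no history at all
]


def build_baseline(events):
    """Map (user, app) -> set of login methods seen during the baseline window."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["user"], ev["app"])].add(ev["method"])
    return seen


def flag_anomalies(baseline, events):
    """Return (user, app, method, reason) for each event that deviates from baseline.

    Three cases are reported: a user with no history at all (so no judgement is
    possible and an analyst should decide), an app the user has never been seen
    on, and a known app reached with a login method the user has never used.
    Events that match the baseline produce nothing.
    """
    known_users = {user for user, _ in baseline}
    findings = []
    for ev in events:
        key = (ev["user"], ev["app"])
        if ev["user"] not in known_users:
            findings.append((*key, ev["method"], "no baseline for user"))
        elif key not in baseline:
            findings.append((*key, ev["method"], "new app for user"))
        elif ev["method"] not in baseline[key]:
            findings.append((*key, ev["method"], "unfamiliar login method"))
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(build_baseline(HISTORY), NEW_EVENTS):
        print(*finding)
```

The baseline here is a plain set of methods per (user, app); a production version would age out old observations and weight by frequency, but the triage categories (no history, new app, new method) are the ones that map most directly onto the access-policy changes the rule asks you to justify.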



Wrapping up

The 2025 HIPAA changes are thoughtful and necessary. They reflect the way people actually work today, and they challenge us to raise the bar on how we manage access, visibility, and risk. 

Of course, none of this is easy. It takes time to build out inventories, map data flows, and rethink risk management practices. But the end result, a more secure and resilient environment for patient data, is well worth it.

At Push, our goal is to make that process more manageable. We build tools to help organizations get clarity on their SaaS usage, strengthen their identity security posture, and respond to threats quickly. But more than that, we want to be a resource to teams navigating these updates.

Whether you're just starting to assess your readiness or knee-deep in implementation plans, let us know. We’re always happy to chat.
