The healthcare industry stands at a critical juncture in cybersecurity, facing unprecedented challenges and technological opportunities. The State of Health Security 2025 report reveals a complex landscape where data vulnerability, technological innovation, and regulatory pressures converge.
Thoropass collected research and news from the past year and identified key data points and trends that will be useful in driving healthcare security in the coming year. Here are some of the main takeaways.
The statistics are sobering. Cybersecurity breaches in healthcare have surged by 97% year-over-year, with a single breach at Change Healthcare affecting 100 million people. Perhaps most alarmingly, stolen healthcare data is now 10 times more valuable than credit card data, making the industry an increasingly attractive target for cybercriminals.
Artificial intelligence emerges as both a solution and a potential vulnerability. While 63% of organizations find it difficult to keep data safe when using AI, the technology is simultaneously seen as the most popular tool for managing increased risk.
Healthcare organizations are optimistic, with many planning to invest heavily in AI technologies that promise:
As Bunny Ellerin, co-founder of Digital Health New York and member of Thoropass’ Health Advisory Board, notes in the report, the key is not to fear AI but to learn how to harness it effectively. The opportunity lies in quickly understanding how these technologies can make healthcare organizations more efficient and secure.
Our research uncovered a critical issue: by the end of 2025, 36% of the world’s data will be health-related, but a staggering 90% of this data remains unstructured. This presents both a significant challenge and an opportunity for AI-driven solutions to transform data management.
Credential access has emerged as the number one security fear for healthcare organizations. With an average of 45+ security tools used in enterprises and 68% of organizations reporting multiple supply chain attacks, the need for integrated, streamlined security systems has never been more apparent.
Katherin Kelton is an executive specializing in legal, HR, and global compliance and serves on Thoropass’ Health Advisory Board. Her advice is: “Cleanliness is next to godliness…The volume of health-related data continues to rise even as areas of the industry experience consolidation. Our challenge, then, is to ensure that this data is as useful.”
Want to dive deeper into the future of healthcare cybersecurity? The full State of Health Security 2025 report offers comprehensive insights that every healthcare leader should be aware of.
Healthcare has undergone a digital transformation over the past decade—electronic health record (EHR) adoption is at an all-time high, telehealth has become a key channel for patient care, and innovative technologies are reshaping patient engagement and care delivery. Cyber attacks have kept pace with the change. Hackers are more advanced than ever, targeting providers of all sizes across the healthcare ecosystem, leading to significant disruption year after year.
Federal regulation has been slow to keep up, leaving the sector vulnerable as organizations fail to self-regulate and adopt evolving cybersecurity standards. The Health Infrastructure Security and Accountability Act, introduced on September 26th, seeks to close regulatory gaps by crystallizing minimum cybersecurity standards, establishing funding for resource-strapped companies, and increasing penalties for noncompliance.
In this article, we explore what the new regulation means for healthcare organizations and how they can best safeguard themselves against cyber disruption using strategic technology partners.
In 2023, the healthcare sector had a total of 725 reported data breaches that impacted over 120 million Americans, making it one of the most breached industries. These headlines continued into 2024 with two large industry players, Change Healthcare and Ascension, falling victim to attacks that could have been prevented by adopting standard cybersecurity practices, and that highlighted the impact of cyber disruptions on patient care.
In February, hackers gained entry to Change Healthcare, the largest healthcare clearinghouse in the US, through stolen credentials. They then launched a denial of service (DoS) attack, leaving Change unable to process millions of health claims over the course of a few weeks and forcing them to pay a $22 million ransom to regain access to their platform. 74% of hospitals reported direct patient care impact as a result of the breach, as eligibility verifications, pharmacy operations, and transmittals and payments were halted while the system was down.
UnitedHealth Group, the parent company of Change Healthcare, estimates the data breach cost them between $2.3 – $2.45 billion.
In April, Ascension, one of the largest US healthcare systems, fell victim to a ransomware attack after an employee downloaded a malicious file onto a company device. This caused the company to take devices across the organization offline, losing access to patient EHRs and resorting to tracking procedures and medications on paper.
Senators Ron Wyden and Mark Warner introduced the Health Infrastructure Security and Accountability Act in September to counteract rising healthcare breaches.
Per Senator Warner, “cyberattacks on our health care institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long term health […]
The new bill seeks to expand policy established by the 1996 Health Insurance Portability and Accountability Act (HIPAA) and associated regulations like the HIPAA Privacy and Security Rules. HIPAA was designed to protect patient health information, whereas the new bill seeks to protect and strengthen digital operations. Specifically, the Health Infrastructure Security and Accountability Act requires the Department of Health and Human Services (HHS) to develop and enforce minimum cybersecurity standards for healthcare entities. Updates include potential jail time for CEOs who lie about their organization’s cyber posture, mandatory independent cybersecurity audits, the removal of caps on financial penalties previously established under HIPAA, and funding to help resource-constrained hospitals meet the new standards.
While the Health Infrastructure Security and Accountability Act still has a way to go before it becomes law, it signals an increased legislative focus on cybersecurity. Christine Sublett, a board member, cybersecurity and information risk expert, and CEO of Sublett Consulting, urges organizations to get ahead of regulation.
“I’ve worked in the healthcare technology and cybersecurity industry for over 25 years and have seen great improvements in the cybersecurity posture of the average healthcare organization. CISOs and executive teams have come to understand that investing in their cybersecurity programs, going beyond what is required by HIPAA to align with recommended frameworks like NIST CSF and HITRUST, can maximize the chances of protecting against current and emerging threats.”
Over the past 13 years I have advised more than 50 early-stage and SMB companies pursuing implementation of different regulatory frameworks, certifications, audits, and industry requirements including NIST CSF, HITRUST, HIPAA, PCI, and SOC 2. Many companies are choosing to implement security frameworks to align their cybersecurity and/or privacy programs with. Boards of directors and executives are becoming cognizant of the cyber risks faced by their organizations, and the cost and other consequences of inaction, including those of a significant cyber incident.
Healthcare organizations unsure of how to navigate cybersecurity and compliance regulations should identify trusted external partners to help bridge resource and expertise gaps.
Zip Security enables companies of all sizes to manage cybersecurity in-house with its all-in-one cybersecurity and IT platform built on top of industry-leading tools. Their opinionated software and white-glove customer support simplify common workflows including onboarding employees, deploying antivirus, and enforcing industry-standard practices such as MFA. They offer one-click deployment of solutions that are compliant with frameworks like HIPAA, SOC 2, PCI DSS, NIST 800-171, and more.
Thoropass helps companies navigate and pass audits efficiently, saving time and resources by integrating directly with their processes. With the OrO way–a first-of-its-kind approach that removes the friction and complexity of traditional infosec compliance processes and IT audits–Thoropass maximizes transparency and efficiency while ensuring the highest quality report and attestations. Hundreds of growing companies use Thoropass’ compliance and audit solution, expert services, in-house auditors, and partner ecosystem to get and stay compliant over the lifetime of their business. They offer solutions for SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS, and other infosec and privacy frameworks.
Together, Zip Security and Thoropass help healthcare companies streamline their cybersecurity and compliance efforts. Zip Security’s all-in-one platform simplifies the deployment of industry-leading tools and ensures HIPAA compliance through automated management workflows, while Thoropass provides expert guidance and audit support to navigate compliance frameworks with ease. Together, they enable healthcare organizations to achieve and maintain regulatory compliance efficiently and transparently.
Imagine being hit with hefty fines, a damaged reputation, and potential criminal charges, all because of a missing piece in your organization’s security strategy. In the world of healthcare, encryption is a vital piece that can make all the difference in protecting sensitive patient data and avoiding the harsh consequences of noncompliance with the Health Insurance Portability and Accountability Act (HIPAA). So, are you equipped with the knowledge to ensure your organization is compliant?
Navigating the complex world of HIPAA encryption requirements can be daunting, but fear not! We’re here to help you understand the ins and outs of encryption, its role in HIPAA compliance, and how to select the right software and services to keep protected health information (PHI) safe and secure.
At its core, HIPAA is a set of rules designed to protect patient health information and ensure medical services are efficient and free from fraud. One of the key components of HIPAA is the Security Rule, which focuses on safeguarding PHI through various technical, physical, and administrative measures. Encryption is a crucial aspect of the Security Rule, serving as a powerful tool to protect PHI from unauthorized access and potential data breaches.
However, encryption in HIPAA is not a one-size-fits-all solution. The addressable implementation specifications in the Security Rule allow for flexibility in encryption methods, depending on an organization’s unique needs and risks. By understanding the various encryption standards and requirements, healthcare organizations can make informed decisions on the best way to protect their patients’ data and maintain HIPAA compliance.
The Security Rule establishes encryption as a method to prevent unauthorized access to PHI. Specifically, the Rule’s implementation specifications for data encryption requirements are outlined in 45 CFR 164.312(a)(1)(iv) and 45 CFR 164.312(e)(2)(ii) of the Technical Safeguards.
By encrypting data, organizations can significantly reduce the chances of unauthorized individuals accessing and tampering with sensitive information, thus minimizing the risk of triggering the breach notification rule.
Data classification is another important aspect of the Security Rule, as it helps organizations identify the appropriate security measures needed to protect various types of sensitive information. By following the encryption requirements outlined in the Security Rule and classifying data accordingly, healthcare organizations can ensure they are taking the necessary steps to protect their patients’ PHI and maintain compliance with HIPAA regulations.
While encryption is an addressable security measure in HIPAA, it doesn’t mean that covered entities can simply ignore encryption altogether.
Instead, if an organization chooses not to follow the HIPAA encryption requirements, it must implement an alternative security measure that provides equal or greater protection for PHI. This flexibility in encryption methods is a result of the Security Rule’s technology-neutral approach, requiring implementations that are deemed “reasonable and appropriate”.
Risk assessment and risk analysis play a pivotal role in determining the most suitable encryption solutions for an organization. By evaluating potential risks and vulnerabilities, healthcare organizations can make informed decisions on the best encryption methods to protect their PHI, whether it be through the use of encryption software or alternative security measures.
HIPAA data encryption requirements apply to both data at rest (stored on servers, devices, etc.) and data in transit (during transmission). Ensuring that electronic and other protected health information (PHI) is encrypted–in both scenarios–is critical to protecting sensitive patient information from unauthorized access, regardless of whether the data is stolen from a server or intercepted during transmission over an open network.
To help organizations achieve this level of protection, HIPAA points to specific encryption standards for both data at rest and data in transit, along with guidance on selecting encryption software and services that meet these requirements.
By adhering to these guidelines, healthcare organizations can significantly reduce the risk of data breaches and maintain compliance with HIPAA regulations.
Data at rest refers to any inactive data stored on a digital medium, such as server hard drives, solid-state drives (SSD), or mobile devices like tablets and phones. Encrypting data at rest is essential in preventing unauthorized access to PHI stored on these devices and systems. To achieve this level of protection, HIPAA-compliant protocols for data at rest encryption should align with NIST Special Publication 800-111, “Guide to Storage Encryption Technologies for End User Devices.”
Examples of data at rest encryption solutions include Windows BitLocker and macOS FileVault, which encrypt all data on a hard drive (known as full disk encryption, or FDE), and file-based encryption tools (such as WinZip Enterprise), which encrypt data at the file level to keep it secure from unauthorized users. By implementing these encryption solutions, healthcare organizations can effectively protect PHI stored on various devices and maintain HIPAA compliance.
Data in transit involves the transmission of PHI between devices or systems, such as when patient information is shared between healthcare providers via email or uploaded to the cloud. Encrypting data in transit is crucial in ensuring the security of PHI during transmission, preventing any interception or unauthorized access to sensitive information. HIPAA expects organizations to take the necessary steps to ensure the secure transfer of data, and NIST Special Publication 800-52, “Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations,” and Special Publication 800-77, “Guide to IPsec VPNs,” are the recommended references for secure data transfer.
Transport Layer Security (TLS) is a protocol that encrypts and authenticates data transmitted over a network. It is commonly used with HTTPS, email, and instant messaging. By implementing TLS and other recommended encryption methods, healthcare organizations can effectively safeguard PHI during transmission, reducing the risk of data breaches and maintaining HIPAA compliance.
Choosing the right encryption software and services is crucial for ensuring HIPAA compliance and protecting your organization’s sensitive patient data. With a myriad of encryption solutions available on the market, it is essential to consider the recommended encryption standards and evaluate email service providers for HIPAA compliance.
By selecting encryption software and services that align with HIPAA requirements, healthcare organizations can ensure PHI is properly protected and reduce the risk of fines, penalties, and reputation damage that can result from non-compliance. Additionally, investing in the right encryption solutions demonstrates an organization’s commitment to safeguarding patient data and maintaining compliance with HIPAA regulations.
The Department of Health and Human Services (HHS) recommends rendering PHI “unusable, unreadable, or indecipherable to unauthorized individuals”. This can be accomplished by using “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” The following encryption standards have been judged to meet these requirements:
Note: AES is a symmetric block cipher that uses a single key to encrypt and decrypt data in blocks, offering a high level of security for protecting sensitive information.
While HHS does not endorse specific encryption software, organizations must ensure their chosen solution meets these recommended standards. By adhering to the encryption guidelines put forth by HHS and NIST, organizations can effectively protect PHI and maintain compliance with industry regulations.
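As an added illustration of the file-level, AES-based encryption of data at rest described above, the following Go program encrypts one constructed ePHI record with AES-256-GCM and shows that a modified ciphertext is rejected rather than decrypted into garbage, which is the integrity property that stops tampered data from being read as genuine. This is example code written for this article, not code from Thoropass, HHS or NIST; the record contents, the file name used as associated data, and the in-memory key are constructed for the example, and a real deployment would obtain the key from a key management service or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed ePHI record for the example; it is not real patient data.
const sampleRecord = `{"mrn":"EXAMPLE-0001","name":"Jane Doe","dx":"example only"}`

// newKey returns a random 256-bit AES key. In a real deployment the key comes
// from a key management service or HSM and is never stored beside the ciphertext.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM instance for the key (AES-128/192/256 by key length).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord encrypts one record and returns nonce || ciphertext || tag.
// aad (here the file name) is authenticated but not encrypted, so a blob copied
// to a different record will not decrypt under that record's name.
func encryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptRecord reverses encryptRecord; any change to nonce, ciphertext, tag or aad
// makes Open return an error instead of plaintext.
func decryptRecord(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// tamperDetected flips one bit in a copy of blob and reports whether decryption
// refuses it; true means integrity protection worked.
func tamperDetected(key, blob, aad []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := decryptRecord(key, tampered, aad)
	return err != nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("patient-0001.json") // constructed file name bound to the blob
	blob, err := encryptRecord(key, []byte(sampleRecord), aad)
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(key, blob, aad)
	fmt.Println("decrypted ok:", err == nil && string(pt) == sampleRecord)
	fmt.Println("tamper detected:", tamperDetected(key, blob, aad))
}
```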
Email services play a significant role in the transmission of PHI between healthcare providers and other entities. To ensure HIPAA compliance, email services must support audit, integrity, and authentication controls. They also must enter into a Business Associate Agreement with the covered entity. Office 365 is an example of a HIPAA-compliant email service. It offers both encryption and a signed Business Associate Agreement with Microsoft.
When evaluating email services for HIPAA compliance, it is essential to consider the security measures in place for data at rest and in transit, the encryption standards used, and the capability to audit and track access to the data. By selecting an email service provider that meets these criteria, healthcare organizations can ensure the secure transmission of PHI and uphold their commitment to HIPAA compliance.
A comprehensive security strategy is key to protecting PHI and maintaining HIPAA compliance. An effective strategy combines technical, physical, and administrative safeguards to create a robust defense against threats. In addition, regular risk assessments and analyses are crucial in identifying vulnerabilities and implementing appropriate security measures to address them.
By developing and implementing a well-rounded security strategy, healthcare organizations can not only meet HIPAA encryption requirements but also proactively protect their patients’ sensitive data from potential breaches and unauthorized access.
This comprehensive approach to security ensures that organizations are better equipped to handle the ever-evolving landscape of cybersecurity threats and maintain compliance with industry regulations.
Implementing a combination of technical, physical, and administrative safeguards is essential in protecting PHI and ensuring HIPAA compliance. Technical safeguards include measures such as access control, audit controls, integrity, person or entity authentication, and transmission security, all of which help prevent unauthorized access to PHI. Physical safeguards involve protecting data from physical damage or destruction, while administrative safeguards focus on protecting data through administrative processes.
By incorporating a variety of encryption and security measures into their overall security strategy, healthcare organizations can create a robust defense against potential threats to PHI. This comprehensive approach to security not only helps maintain HIPAA compliance but also demonstrates an organization’s commitment to safeguarding patient data and protecting their privacy.
Regular risk assessments play a vital role in identifying potential vulnerabilities within an organization’s security strategy. These assessments involve recognizing possible risks, evaluating the likelihood and impact of those risks, and implementing measures to mitigate or eliminate them. By conducting regular risk assessments, healthcare organizations can proactively address potential threats and ensure appropriate security measures are in place to protect sensitive patient data.
The benefits of conducting risk assessments include an improved compliance record, a lower risk of data breaches, and a better security posture for the organization. By identifying and addressing potential vulnerabilities, healthcare organizations can maintain HIPAA compliance and demonstrate their commitment to protecting patient privacy.
Non-compliance with HIPAA encryption requirements can have significant consequences for healthcare organizations, including fines, penalties, and damage to their reputation. In some cases, non-compliance can even lead to criminal charges and jail time.
On the other hand, compliance with encryption requirements offers numerous benefits, such as an improved compliance history and a reduced risk of notifiable data breaches. By adhering to HIPAA encryption requirements and implementing a comprehensive security strategy, healthcare organizations can not only avoid the negative consequences of non-compliance but also demonstrate their commitment to protecting patient privacy and ensuring the security of sensitive data.
Non-compliance with HIPAA encryption requirements can result in significant financial and reputational consequences for healthcare organizations. Fines for non-compliance can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for violations of an identical provision.
In addition to the financial impact, almost half of organizations have experienced a hit to their reputation after a data breach, with nearly 90% of consumers stating they would switch to a different company if it had a data breach.
One notable example of encryption-related non-compliance is the case of Lifespan Health System Affiliated Covered Entity (Lifespan ACE), which faced a $1 million penalty after a data breach due to its failure to encrypt mobile devices, as recommended by a risk assessment.
By complying with HIPAA encryption requirements, healthcare organizations can avoid such penalties and safeguard their reputation in the industry.
Compliance with encryption requirements not only helps protect PHI but also contributes to an organization’s improved compliance history with the Department of Health and Human Services (HHS). By demonstrating a commitment to following HIPAA regulations and proactively protecting patient data, healthcare organizations can reduce the likelihood of notifiable breaches and maintain a better compliance record.
Additionally, incorporating encryption requirements from the HIPAA Security Rule as part of a recognized security framework can be viewed favorably by HHS, potentially reducing the likelihood of compliance investigations and enforcement actions.
Understanding and implementing HIPAA encryption requirements is crucial for healthcare organizations to protect patient privacy and ensure compliance with industry regulations.
By incorporating a comprehensive security strategy, including technical, physical, and administrative safeguards, organizations can effectively safeguard PHI and reduce the risk of data breaches. Regular risk assessments and analysis play a vital role in identifying potential vulnerabilities, allowing healthcare organizations to proactively address threats and maintain a strong compliance record.
Navigating the complex world of HIPAA encryption may seem daunting, but with the right knowledge and resources, organizations can effectively protect their patients’ sensitive data and avoid the costly consequences of non-compliance. By investing in the right encryption software and services, healthcare organizations demonstrate their commitment to patient privacy and ensure the security of PHI, both at rest and in transit.
Yes, HIPAA requires encryption of protected health information and electronic PHI when the data is at rest. Exceptions may apply.
Yes, HIPAA requires encryption of protected health information (PHI) and electronic PHI (ePHI), though there are certain exceptions. The National Institute of Standards and Technology (NIST) recommends protecting PHI data with FIPS 140 approved encryption.
Electronic PHI must be encrypted unless an equivalent alternative measure is implemented and there is a documented, justifiable reason for not implementing encryption.
HIPAA requires ePHI to be encrypted during transmission, which could include email; however, a patient may request that their PHI be sent to them via email. If the patient submits the appropriate consent form and understands (and accepts) the risks of receiving their protected health information through unencrypted email, then the email may be sent without encryption. HHS still highly recommends the use of encryption for email or providing an alternative secure channel for a patient to obtain their PHI (such as a secure portal).
HIPAA encryption requirements help protect sensitive patient information from being viewed by unauthorized parties and can help ensure the integrity of medical services.
Failing to comply with HIPAA encryption requirements can have serious consequences, including hefty fines, jail time, and damage to reputation.