Published 2026-03-30

Eight HIPAA Challenges You're Facing Right Now

Healthcare organizations face more regulatory pressure, more sophisticated threats, and more complex technology environments than at any point in HIPAA's history. Here are the eight challenges that matter most right now and what to do about each.

1. Ransomware Is Not Slowing Down

Healthcare remains one of the most heavily targeted sectors for ransomware. When it hits, the question is not whether you have a plan but whether the plan actually works: whether clinical operations can continue on paper, and whether you can restore from backups the attacker could not reach, within a time your clinicians can tolerate. A plan that has never been exercised against that scenario is an assumption, not a plan.

RESCOR provides incident response planning and forensic support built into every StrongCOR engagement. We help you build a response plan that accounts for clinical operations, breach notification timelines, law enforcement coordination, and recovery — before you need it.

StrongCOR subscribers receive incident response support as part of their subscription. Contact us to learn more: +1 863 SECURE1.

2. Sophisticated Email Attacks Are Increasing

Phishing and spoofing activity continues to escalate. Invoice spoofing, executive impersonation, and targeted attacks against administrative and clinical leadership are becoming more sophisticated and harder to detect with traditional email filtering.

Effective defense requires AI-based email protections combined with security awareness training that addresses current attack techniques, not the generic phishing awareness of five years ago. Spoofing of your own domain also needs the sender-side controls that no receiving filter substitutes for: SPF and DKIM records for every domain that sends mail, and DMARC moved to an enforcing policy (quarantine or reject). RESCOR's security testing services include social engineering assessments that reveal how your organization actually responds to these attacks.

3. Technical Safeguards Are Still the Weak Spot

Most HIPAA enforcement actions cite the same problems: missing access controls, no encryption where it matters, no audit logging, weak authentication. These aren't exotic threats — they're basic controls that organizations know they need but haven't implemented.

RESCOR's RAPID methodology builds your technical safeguard program in iterative cycles — starting with the highest-risk gaps and working down. Combined with StrongCOR subscription support, you get continuous improvement without the overhead of a massive one-time implementation project.

4. OCR Is Getting Aggressive on Risk Analysis

The Office for Civil Rights is no longer accepting checkbox risk assessments. Recent enforcement actions make it clear: if your risk analysis doesn't identify specific threats to specific assets with specific risk values, OCR considers it deficient.

RESCOR's STORM quantitative risk management produces the kind of risk analysis OCR expects: specific, measurable, repeatable, and comparable from one assessment to the next. STORM exceeds the HIPAA requirement for an "accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information" (45 CFR 164.308(a)(1)(ii)(A)) while costing no more than the qualitative approaches that keep getting organizations in trouble.

5. The Proposed Mandatory Encryption Rule

The proposed update to the HIPAA Security Rule would make encryption of ePHI at rest and in transit a required specification, with limited exceptions, rather than an addressable one. This fundamentally misunderstands how encryption works in practice.

Encryption at rest protects against a narrow set of threats: loss or theft of media, and anyone who obtains the raw storage (a discarded drive, a copied backup, a cloud snapshot) without the keys. Any application or user with legitimate access receives cleartext, and so does an attacker who has compromised that application or user; encryption does not help there. An unencrypted database on a properly segmented network with no ingress is arguably more secure than an encrypted database accessible from the internet. Making encryption mandatory in all cases does not by itself improve security. It removes the risk analysis that determines where encryption actually matters and replaces professional judgment with a checkbox.

The whole point of the addressable/required distinction was to let organizations make risk-based decisions. Mandatory controls obviate risk analysis. That's not security — it's compliance theater.

Whether or not this rule becomes final, encryption belongs where risk analysis says it belongs. RESCOR helps you make that assessment using STORM quantitative risk measurement — so you can demonstrate to OCR exactly why your controls are appropriate for your environment.

6. Incident Reporting Requirements

The proposed rule changes would require reporting security incidents to HHS within 72 hours. That is a far tighter clock than the 60 days currently allowed for notifying individuals and HHS of a breach of unsecured PHI, and it has a different trigger: a security incident, not a confirmed breach. Your incident response process therefore needs to identify, assess, and classify incidents fast enough to meet the shorter deadline, well before any breach determination is complete.

RESCOR builds incident response programs as part of every RAPID engagement. We help you define what constitutes a reportable incident, establish classification criteria, build notification workflows, and test the whole process — so when something happens, your team knows exactly what to do and when.

7. Online Tracking and Privacy

HHS has made it clear: tracking technologies on patient-facing websites and patient portals can violate HIPAA when they transmit identifiable health information to third parties. What leaks is rarely a medical record as such; it is the page URL or title (which may name a condition or clinic), form field values, and the visitor's IP address and tracking cookies, which together can identify a person and the reason for the visit. Google Analytics, Meta Pixel, and similar tools on healthcare websites, and especially inside authenticated portals, are now a compliance liability.

RESCOR helps you identify where tracking technologies are exposing patient data, assess the risk using STORM, and implement controls that maintain your web analytics capability without violating patient privacy.
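
One way to start the inventory described above, as an added example that is not RESCOR's tooling or part of the original page: parse a page's HTML, list every resource loaded from a host you do not own, and label the ones that match known analytics and advertising vendors. The sample page, the first-party host list and the tracker list below are constructed for the demonstration; the tracker list is a starting point you would extend, and a static scan does not see tags injected at runtime by a tag manager, so pair it with a browser-side capture of outbound requests.

```python
"""Inventory third-party and known tracking resources in a patient-facing page.

Added example, not RESCOR tooling. The HTML, first-party hosts and tracker
list below are constructed for the demonstration; the tracker list is a
starting point, not a complete catalog of vendors.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts you operate. Anything else loading on the page is third party.
# (Constructed for the demonstration.)
FIRST_PARTY = {"portal.example-health.org", "www.example-health.org"}

# Known analytics/advertising hosts (suffix match), labelled by vendor.
KNOWN_TRACKERS = {
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "doubleclick.net": "Google Ads",
    "connect.facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
}

# Inline JavaScript calls that initialise the same trackers.
INLINE_MARKERS = {
    re.compile(r"\bgtag\s*\("): "Google Analytics (inline gtag)",
    re.compile(r"\bfbq\s*\("): "Meta Pixel (inline fbq)",
}


def vendor_for(host):
    """Return the vendor label if host equals or is a subdomain of a known tracker."""
    for suffix, vendor in KNOWN_TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None


class ResourceCollector(HTMLParser):
    """Collect external resource URLs and the bodies of inline <script> tags."""

    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url_attr = self.URL_ATTRS.get(tag)
        if url_attr and attrs.get(url_attr):
            self.urls.append(attrs[url_attr])
        if tag == "script" and not attrs.get("src"):
            self._in_script = True  # inline script: capture its body

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def audit_page(html, first_party=FIRST_PARTY):
    """Return sorted, de-duplicated (kind, detail, vendor) findings for one page.

    kind is 'known-tracker', 'third-party' (unknown external host) or
    'inline-tracker'. Relative URLs and first-party hosts are ignored.
    """
    parser = ResourceCollector()
    parser.feed(html)
    findings = set()
    for url in parser.urls:
        host = urlparse(url).hostname  # None for relative URLs
        if not host or host in first_party:
            continue
        vendor = vendor_for(host)
        if vendor:
            findings.add(("known-tracker", host, vendor))
        else:
            findings.add(("third-party", host, "unknown vendor"))
    for body in parser.inline_scripts:
        for pattern, vendor in INLINE_MARKERS.items():
            if pattern.search(body):
                findings.add(("inline-tracker", pattern.pattern, vendor))
    return sorted(findings)


# Constructed sample page for the demonstration (not a real portal).
SAMPLE_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123"></script>
<script>window.dataLayer = window.dataLayer || []; gtag('config', 'G-ABC123');</script>
<script src="/static/portal.js"></script>
<link rel="stylesheet" href="https://cdn.example-health.org/site.css">
</head><body>
<h1>Appointment: Oncology Clinic</h1>
<img src="https://www.facebook.com/tr?id=999&ev=PageView" height="1" width="1">
</body></html>
"""

if __name__ == "__main__":
    for kind, detail, vendor in audit_page(SAMPLE_PAGE):
        print(f"{kind:15} {detail:45} {vendor}")
```

Run it against saved HTML of every patient-facing page, including pages behind portal login, and triage each finding: known trackers on pages whose URL or content reveals a condition or appointment are the ones the HHS guidance is about, and every unknown third party needs an owner and a documented purpose or it comes off the page.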

8. AI, LLMs, and Shadow IT

Your clinicians and staff are using AI tools whether you've approved them or not. ChatGPT, Copilot, and dozens of other LLMs are being used to draft clinical notes, summarize patient records, and answer medical questions — often with patient data pasted directly into the prompt.

This is a shadow IT problem that requires governance, not prohibition. You need a policy that addresses which tools are permitted, how confidential data is handled, and what happens when someone makes a mistake. RESCOR has developed and deployed AI governance policies for healthcare organizations that address:

  • Permit All Not Denied (PAND) vs. Deny All Not Permitted (DANP) — two models for controlling AI tool use
  • Data protection rules — what can and cannot be submitted to AI tools, including PHI handling
  • Attribution and transparency — when and how to disclose AI use in clinical work products
  • AI-assisted code and automation — controls for AI-generated code entering production systems
  • Incident reporting — what to do when someone accidentally puts patient data into an AI tool

Download our AI Governance Policy Template →
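
The data-protection and tool-control items above can be enforced before a prompt leaves the organization. The following is an added example, not RESCOR's policy template or tooling: it applies either the PAND or the DANP model to the tool name, screens the prompt for a handful of HIPAA identifiers, and produces a redacted copy for the incident record so the log itself never holds PHI. The tool names, identifier patterns and sample prompts are constructed; the patterns cover only a few of the 18 identifiers (no names, addresses or free-text clinical detail), so treat the screen as a guardrail that catches obvious paste-ins, not as proof that a prompt is PHI-free.

```python
"""Pre-submission screen for prompts sent to external AI tools.

Added example, not RESCOR's template or tooling. Tool names, identifier
patterns and sample prompts are constructed; the patterns cover only a
subset of the HIPAA Privacy Rule's 18 identifiers.
"""
import re

# The two policy models from the text. PAND permits anything not listed;
# DANP blocks anything not listed.
PAND = "permit-all-not-denied"
DANP = "deny-all-not-permitted"

# Constructed tool lists for the demonstration.
DENIED_TOOLS = {"free-chatbot"}            # consulted under PAND
PERMITTED_TOOLS = {"enterprise-copilot"}   # consulted under DANP

# Identifier patterns (subset of the 18 HIPAA identifiers), compiled once.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
    "phone": re.compile(r"(?:\(\d{3}\)|\b\d{3})[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def tool_permitted(tool, policy):
    """Apply the PAND or DANP model to one tool name."""
    if policy == PAND:
        return tool not in DENIED_TOOLS
    if policy == DANP:
        return tool in PERMITTED_TOOLS
    raise ValueError(f"unknown policy model: {policy}")


def find_phi(text):
    """Return {identifier_type: [matched strings]} for every pattern that fires."""
    hits = {}
    for kind, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[kind] = found
    return hits


def redact(text, hits):
    """Replace each matched identifier with a type tag so the incident record
    describes what was pasted without copying the PHI into the log."""
    for kind, pattern in PHI_PATTERNS.items():
        if kind in hits:
            text = pattern.sub(f"[{kind.upper()}]", text)
    return text


def screen_prompt(tool, prompt, policy):
    """Decide whether a prompt may be sent to an external tool.

    Returns (decision, reason, redacted_prompt) with decision one of
    'allow', 'block-tool' or 'block-phi'. Only the redacted prompt is
    meant to be logged; the original is never written to the record.
    """
    hits = find_phi(prompt)
    if not tool_permitted(tool, policy):
        return ("block-tool", f"{tool} not permitted under {policy}", redact(prompt, hits))
    if hits:
        reason = "PHI identifiers present: " + ", ".join(sorted(hits))
        return ("block-phi", reason, redact(prompt, hits))
    return ("allow", "no identifiers matched", prompt)


# Constructed prompts for the demonstration; no real patient data.
SAMPLE_PROMPTS = {
    "note": "Summarize: 58M, MRN 00483921, DOB 03/14/1966, SSN 123-45-6789, "
            "presents with chest pain. Call back at (863) 555-0142.",
    "generic": "Write a patient-friendly explanation of what an A1C test measures.",
}

if __name__ == "__main__":
    for name, prompt in SAMPLE_PROMPTS.items():
        for policy in (PAND, DANP):
            decision, reason, logged = screen_prompt("enterprise-copilot", prompt, policy)
            print(f"{name:8} {policy:23} {decision:10} {reason}")
            print(f"         logged as: {logged}")
```

A block-phi decision is the "someone made a mistake" case the policy's incident-reporting item covers: the redacted prompt, the tool name and the identifier types go into the incident record, and the original text does not. Because the screen is pattern-based, a DANP model with contractual data-handling terms for the permitted tools is what protects the free-text clinical detail the patterns cannot see.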

What To Do Next

RESCOR has served healthcare organizations from small practices to large health systems for over 30 years. Every engagement starts with understanding your specific risk environment — not selling you a product.

Schedule a free 30-minute HIPAA risk consultation →

Or contact us: +1 863 SECURE1 (+1 863 732-8731) | www.rescor.net/contact