New HIPAA Compliance Rules - The next phase of SASE/SSE for Healthcare
Healthcare cybersecurity is entering a new phase. For years, organizations have discussed Zero Trust, microsegmentation, and SASE largely through the lens of modernization and operational efficiency. But emerging regulatory pressure—particularly the proposed updates to the HIPAA Security Rule—is shifting the conversation from technology adoption to demonstrable control and visibility.
The next wave of healthcare security transformation will not simply be about deploying new tools. It will be about proving that protected health information (PHI) is observable, controlled, and segmented across the entire digital ecosystem.
And this is precisely where the broader SASE and Security Service Edge (SSE) architectures are beginning to intersect with regulatory compliance.
The HIPAA Security Rule Is Being Modernized for a New Threat Landscape
In December 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to significantly update the HIPAA Security Rule—the first major revision in over a decade. The proposal aims to strengthen cybersecurity protections for electronic protected health information (ePHI) amid a surge in ransomware attacks and healthcare breaches.
If finalized, these changes could take effect around 2026, representing the most sweeping cybersecurity compliance update since the 2013 Omnibus Rule.
While the rule remains technology-neutral, the direction is clear: healthcare organizations will be expected to demonstrate stronger security controls, more comprehensive risk analysis, and greater visibility into how PHI is accessed, transmitted, and protected.
Visibility Into PHI Data Flows Is Becoming a Core Requirement
One of the most impactful elements of the proposed update is a stronger emphasis on asset inventories and network mapping as part of risk analysis.
Organizations may be required to maintain:
- A technology asset inventory
- A network map of electronic information systems
- Documentation showing how ePHI flows across systems and environments
These requirements are designed to help organizations identify risks to ePHI and understand how information moves across clinical applications, cloud environments, connected medical devices, and third-party platforms.
For many healthcare systems, this will be a significant shift. Historically, HIPAA compliance focused more on policy and administrative safeguards. The updated rule is moving toward operational cybersecurity visibility.
Why IoT and Medical Device Segmentation Is Now Critical
Healthcare networks today include thousands of connected devices:
- Imaging systems
- Infusion pumps
- Patient monitoring equipment
- Smart building infrastructure
- Clinical IoMT (Internet of Medical Things)
These devices often run legacy operating systems and cannot easily be patched. Flat network architectures allow attackers to move laterally between clinical systems once inside the environment.
That is why segmentation—especially around IoMT and clinical systems—is rapidly becoming a foundational security control.
Under modern cybersecurity frameworks, organizations are expected to:
- Isolate clinical and administrative networks
- Segment medical devices from core systems
- Control east-west traffic between workloads
- Monitor abnormal communication patterns
In practice, this requires deep network visibility and granular segmentation policies, capabilities that traditional perimeter security architectures were never designed to provide.
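As an added illustration (not SASE Advisors' code; the host names, segments, ports and flow records are constructed), the Python below checks east-west flows against a segmentation allowlist keyed on an asset inventory. It flags the abnormal communication patterns the list above calls for, and, as a by-product of the allowed flows, produces the observed segment-to-segment map that the asset inventory and network map requirements point to.

```python
from collections import defaultdict

# Constructed asset inventory: hostname -> segment (hypothetical names).
ASSET_INVENTORY = {
    "infusion-pump-07": "iomt",
    "mri-console-02": "iomt",
    "ehr-app-01": "clinical",
    "ehr-db-01": "clinical",
    "hr-workstation-14": "admin",
    "guest-laptop-3a": "guest",
}

# Allowed segment pairs and destination ports; anything else is denied.
SEGMENT_POLICY = {
    ("iomt", "clinical"): {443},            # device telemetry to EHR over TLS
    ("clinical", "clinical"): {443, 5432},  # app tier to database tier
    ("admin", "clinical"): {443},           # staff reach the EHR web tier only
}

# Constructed east-west flow records: (src_host, dst_host, dst_port).
SAMPLE_FLOWS = [
    ("infusion-pump-07", "ehr-app-01", 443),
    ("ehr-app-01", "ehr-db-01", 5432),
    ("infusion-pump-07", "hr-workstation-14", 445),  # IoMT -> admin SMB
    ("guest-laptop-3a", "ehr-db-01", 5432),          # guest -> database
    ("mri-console-02", "unknown-host", 80),          # not in inventory
]

def evaluate_flow(src, dst, port):
    """Return (verdict, reason) for one flow against inventory and policy."""
    src_seg, dst_seg = ASSET_INVENTORY.get(src), ASSET_INVENTORY.get(dst)
    if src_seg is None or dst_seg is None:
        return "review", "host missing from asset inventory"
    allowed_ports = SEGMENT_POLICY.get((src_seg, dst_seg))
    if allowed_ports is None:
        return "deny", f"no policy permits {src_seg} -> {dst_seg}"
    if port not in allowed_ports:
        return "deny", f"port {port} not permitted {src_seg} -> {dst_seg}"
    return "allow", f"{src_seg} -> {dst_seg}:{port}"

def audit_flows(flows):
    """Return violations and the observed segment map (allowed edges only)."""
    violations, segment_map = [], defaultdict(set)
    for src, dst, port in flows:
        verdict, reason = evaluate_flow(src, dst, port)
        if verdict == "allow":
            segment_map[ASSET_INVENTORY[src]].add(ASSET_INVENTORY[dst])
        else:
            violations.append((verdict, src, dst, port, reason))
    return violations, {k: sorted(v) for k, v in segment_map.items()}
```

Hosts absent from the inventory are surfaced as "review" rather than silently allowed or denied, since an incomplete inventory is itself a finding under the proposed risk-analysis requirements.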
The SASE and SSE Control Plane Is Becoming Strategic
This shift toward visibility and segmentation aligns closely with a broader trend highlighted in SASE Advisors’ recent analysis of the 2025 Gartner SASE Magic Quadrant:
SASE is evolving from hype into a strategic security control plane.
In the SASE Advisors blog post, “Gartner SASE MQ 2025 Insight: From Hype to Strategic Control Plane,” we noted that leading organizations are no longer evaluating SASE solely as a networking architecture. Instead, they are increasingly looking at it as a platform capable of delivering:
- Unified policy enforcement
- Consistent identity-based access controls
- Visibility across users, applications, and devices
- Integrated security services delivered from the cloud
This evolution is particularly relevant in healthcare environments where applications and data now span:
- On-premises clinical systems
- SaaS healthcare applications
- Remote providers and staff
- Connected medical devices
- Partner and vendor ecosystems
SASE and SSE architectures provide a framework to extend security controls beyond traditional data center boundaries, making them a natural fit for the new compliance expectations emerging around PHI protection.
Where SSE and SASE Help Address Emerging Compliance Expectations
Security Service Edge capabilities—when implemented correctly—can help healthcare organizations address several requirements implied by the proposed HIPAA updates.
1. Visibility into PHI Access and Data Movement
SSE platforms can provide centralized telemetry and logging across:
- SaaS healthcare applications
- Internet and web access
- Remote user sessions
- Cloud workloads
This visibility helps security teams better understand how sensitive data is accessed and transmitted.
2. Identity-Based Zero Trust Access
Zero Trust Network Access (ZTNA), often delivered as part of SSE, enables organizations to replace legacy VPN architectures with identity-driven access policies.
This ensures that:
- Only authorized users can access PHI systems
- Access is continuously verified
- Lateral movement risks are reduced
3. Segmentation and Application Isolation
Modern architectures increasingly combine SSE controls with microsegmentation inside the network.
Together, they can enforce:
- Workload segmentation
- Application segmentation
- IoMT and medical device isolation
- Context-based policy enforcement
This layered approach helps limit the blast radius of cyber incidents while improving auditability.
Why Healthcare Organizations Need an Architecture Strategy—Not Just Tools
The challenge for many healthcare systems is not simply selecting a vendor.
It is aligning architecture with compliance outcomes.
Questions healthcare leaders increasingly ask include:
- How do we map PHI flows across hybrid environments?
- How do we segment medical devices without disrupting clinical workflows?
- Which technologies best support Zero Trust and HIPAA modernization?
- How do SSE, SASE, microsegmentation, and IoMT visibility tools work together?
These are complex architectural questions that require both regulatory understanding and deep technical evaluation.
How SASE Advisors Helps Healthcare Organizations Navigate This Shift
At SASE Advisors, we work with healthcare providers, health systems, and life sciences organizations to help them navigate the rapidly evolving security landscape.
Our work often includes:
- Evaluating SASE and SSE platforms
- Assessing microsegmentation and Zero Trust architectures
- Supporting RFPs and vendor selection
- Mapping security architecture to HIPAA and regulatory requirements
- Designing strategies to secure IoMT and clinical environments
Our goal is not to push a specific vendor—but to help organizations identify the right combination of technologies that can deliver both security outcomes and regulatory readiness.
As the healthcare sector prepares for potential HIPAA Security Rule updates, organizations that build visibility, segmentation, and identity-driven security architectures today will be far better positioned to pass tomorrow’s audits.
The Bottom Line
Healthcare cybersecurity is entering a new era.
Regulators are increasingly focused on demonstrable security controls, including the ability to understand how PHI flows across systems and to isolate high-risk assets like connected medical devices.
At the same time, security architectures are evolving toward cloud-delivered control planes such as SSE and SASE, capable of providing the visibility, access control, and policy enforcement required in modern healthcare environments.
The convergence of these trends means one thing:
The future of HIPAA compliance will be deeply tied to security architecture.
Organizations that recognize this shift—and plan accordingly—will not only improve compliance readiness, but also build more resilient healthcare systems capable of defending patient data in an increasingly hostile threat landscape.
To learn more about how SASE is evolving into a strategic security control plane, read the SASE Advisors analysis:
https://saseadvisors.com/blog/gartner-sase-mq-2025-insight-from-hype-to-strategic-control-plane/