Hardening Systems for HIPAA 2026: A Hospital IT Guide to Compliance

Roy Ludmir
Updated on: February 11, 2026

In December 2024, the U.S. Department of Health and Human Services (HHS) proposed updates to the HIPAA Security Rule to strengthen cybersecurity requirements and better align HIPAA with modern security standards.

The updates emphasize stronger cybersecurity, faster response times, and improved accountability through stricter requirements for risk management, access controls, network security, and compliance monitoring.

In January 2026 the HHS issued a newsletter with enforcement requirements directly addressing baseline configuration hardening of servers and workstations. Together, the December 2024 and January 2026 publications reflect a major change in how HHS and HIPAA approach configuration hardening, and in what health care providers will need to implement.

Organizations must take proactive steps to comply with these new requirements, both to safeguard Protected Health Information (PHI) and to mitigate security risks. HIPAA server compliance means applying secure configurations to servers that store or process PHI.

What you will learn

  • Key HIPAA 2026 updates to the Security Rule and penalties
  • Why baseline hardening is critical for HIPAA compliance
  • Configuration management changes introduced by NIST, HICP, and CISA
  • Best practices for secure change management from NIST
  • Which healthcare entities are most affected by the updates
  • Practical steps to prepare for HIPAA 2026
  • How CalCom can help with automated server hardening

How baseline hardening supports HIPAA compliance

Any US-based company or associated business handling PHI must be HIPAA compliant. This includes healthcare providers, insurance companies, and any other stakeholders who might come into contact with that information, such as IT service and cloud storage providers.

The December 2024 HIPAA proposed updates introduce new security expectations, emphasizing stricter technical safeguards, including system hardening. Previously, HIPAA did not specify any hardening requirements, but with an increase in cyber threats targeting healthcare systems, enforcing configuration management has become essential. 

By default, systems such as servers and application settings are configured to prioritise functionality over security, leaving infrastructure vulnerable. Establishing a hardening baseline, especially across large environments, can be complex, and that’s without considering the maintenance required. Correctly configuring a system requires meticulous attention to detail, planning, and testing, as misconfigurations can cause operational disruption. 

Organisations that fail to meet the new security expectations will face compliance violations, with potential financial impacts in the form of fines and an increased risk of data breaches. 

HHS OCR January 2026 baseline configuration hardening guidance for HIPAA-enforced entities

In its January 2026 Cybersecurity Newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) clarified that system hardening and the use of defined security configuration baselines are core elements of HIPAA Security Rule compliance. OCR characterized system hardening as a risk management activity that operationalizes the required risk analysis under 45 C.F.R. § 164.308(a)(1), emphasizing actions such as vulnerability remediation, configuration management, and the elimination of unnecessary services on systems that create, receive, maintain, or transmit electronic protected health information (ePHI).

The newsletter explicitly references the use of established configuration standards—such as Department of Defense Security Technical Implementation Guides (DoD STIGs), CIS Benchmarks, and vendor-provided baselines including Microsoft security configuration guidance—as acceptable mechanisms for implementing and evidencing compliance with the Security Rule’s technical and administrative safeguards. OCR stressed that these baselines must be formally adopted, documented, and periodically reviewed as part of an ongoing risk management program, reinforcing the agency’s position that compliance in 2026 will be evaluated based on demonstrable implementation of security controls rather than the existence of policies alone.

Configuration management changes in HIPAA 2026 based on the December 2024 HIPAA proposed revision

The mandatory changes are based on what were once cybersecurity recommendations from a variety of sources, including CPG, CSF, NIST, HICP, and CISA. These sources, and therefore the new HIPAA requirements, are complex and can be hard to implement correctly. 

Intertwined throughout HIPAA regulations are Cybersecurity Performance Goals (CPG). CPG is a set of security objectives designed to strengthen an organization’s cyber resilience and protect electronic Protected Health Information (ePHI). These objectives align with the NIST Cybersecurity Framework (CSF), focusing on practical, measurable steps. 

The CPG framework links directly to section 164.312(c)(1)—Standard: Configuration Management of the new HIPAA regulations. The CPG framework establishes a baseline configuration of information technology/industrial control systems incorporating fundamental security principles (e.g., the concept of least functionality). 

HICP recommendations for hardening baselines

These recommendations stem from the Health Industry Cybersecurity Practices (HICP) document: Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations. This document focuses on creating a set of cybersecurity best practices for medium to large healthcare organizations. Amongst other things, the document discusses the growing cybersecurity risk of configuration errors due to poor or misconfigured systems. To combat this, it recommends performing regular performance audits and vulnerability scans. 

This also relates to the hardening baselines section of the same document, which covers configuring operating systems with the most secure settings available. This includes best practices such as:

  • Enabling local firewalls
  • Restricting access to only necessary ports
  • Disabling weak authentication, such as NTLM
  • Preventing auto-run features that would allow malware execution from USB devices
  • Considering Security Technical Implementation Guides (STIG)

Steps for ongoing configuration management

Along with the recommendations for hardening baselines, the HICP recommends following the configuration management practices set out by the Healthcare and Public Health (HPH) Sector, part of the Cybersecurity and Infrastructure Security Agency (CISA). These recommendations help organizations reduce vulnerabilities and ensure systems are properly hardened. By continuously managing configurations and changes, HPH organizations can minimize attack surfaces, maintain compliance, and enhance cybersecurity resilience. These steps include:

  1. Identify Configuration Items: Use asset inventory to track hardware, software, and firmware, documenting key details (e.g., OS, location, owner).
  2. Establish Secure Baselines: Replace vendor default settings with security-hardened configurations based on CIS/NIST guidelines.
  3. Implement and Audit Changes: Use automated tools to apply and track configurations, reducing human error and preventing unauthorized modifications.
  4. Assess and Remediate: Regularly audit configurations, integrate them into vulnerability management, and remediate any misconfigurations.
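As an added illustration (not code from the HICP document or this article), the following PowerShell script audits a Windows server against the baseline items listed above (local firewall, listening ports, NTLM, autorun) and reports any drift, the kind of check step 4 calls for. The expected registry values are assumed baseline values in line with common CIS/STIG settings, and $ApprovedPorts is a placeholder allowlist to be replaced with the server's documented approved ports.

```powershell
# Added example: audit a Windows server against the HICP baseline items named above
# (local firewall, open ports, NTLM, autorun) and report drift from the baseline.
# Expected values are ASSUMED baseline values in line with common CIS/STIG settings;
# replace them with the values in your own documented baseline.
$ApprovedPorts = @(135, 445, 3389, 5985)   # placeholder allowlist, not a real policy

function Get-RegValue($Path, $Name) {
    # A missing key or value is returned as $null so it shows up as drift, not as an error
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Check($Check, $Expected, $Actual) {
    # Compare as strings so enum, integer and $null values all line up in one report
    [pscustomobject]@{ Check = $Check; Expected = "$Expected"; Actual = "$Actual"
                       Compliant = ("$Actual" -eq "$Expected") }
}

function Test-HardeningBaseline {
    $r = @()
    # 1. Local firewall: every profile on and blocking unsolicited inbound traffic
    foreach ($p in Get-NetFirewallProfile) {
        $r += New-Check "Firewall '$($p.Name)' enabled"         'True'  $p.Enabled
        $r += New-Check "Firewall '$($p.Name)' default inbound" 'Block' $p.DefaultInboundAction
    }
    # 2. Only necessary ports: any TCP listener outside the allowlist is drift
    $listening  = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
    $unexpected = @($listening | Where-Object { $_ -notin $ApprovedPorts } | Sort-Object)
    $r += New-Check 'Unapproved listening TCP ports' 'none' $(if ($unexpected) { $unexpected -join ',' } else { 'none' })
    # 3. Weak authentication: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $r += New-Check 'LmCompatibilityLevel' 5 (Get-RegValue $lsa 'LmCompatibilityLevel')
    # 4. Autorun: 255 (0xFF) turns AutoRun off for all drive types; NoAutorun=1 ignores autorun.inf
    $exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $r += New-Check 'NoDriveTypeAutoRun' 255 (Get-RegValue $exp 'NoDriveTypeAutoRun')
    $r += New-Check 'NoAutorun'          1   (Get-RegValue $exp 'NoAutorun')
    return $r
}

$report = Test-HardeningBaseline
$report | Format-Table -AutoSize
$drift = @($report | Where-Object { -not $_.Compliant })
# A non-zero exit code lets a scheduler or compliance pipeline flag this host for remediation
if ($drift.Count -gt 0) { Write-Warning "$($drift.Count) baseline deviation(s) found"; exit 1 }
```

Run it from an elevated PowerShell session; the Compliant column and exit code give the evidence trail the audit step asks for, and the report objects can be exported as-is for documentation.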

NIST Best Practices for Secure Configuration Changes 

NIST recommends a number of best practices for Change Management (7.M.E: NIST Framework Ref: PR.IP-1, PR.IP-3, PR.IP-12) in order to help execute configuration changes smoothly, without interruptions. This approach helps organizations to maintain a secure and stable process while keeping transparency throughout the changes. 

These best practices include: 

  • Change ticket Implementation Plan: Clearly outlines the steps for applying the change, provides enough detail for the Change Advisory Board (CAB) to make an informed decision, and includes a vulnerability scan in a test environment before deployment to identify potential security risks.
  • Testing Plan: Defines how the change will be tested to confirm successful implementation and ensures validation of its effectiveness before full deployment.
  • Back-out Plan: Preparation of a rollback strategy in case the change fails, ensuring the system can be restored to its previous state if issues arise. No change should proceed without an approved and tested Back-out Plan.
  • Communication Plan: Details how stakeholders will be informed about the change, including updates on new features, system adjustments, and necessary user actions.

Who Will These Changes Affect?

These proposed changes will impact several sectors within the healthcare industry, in particular those handling PHI. They will need to implement stricter security controls, conduct frequent risk assessments, and ensure faster patching of vulnerabilities.

It’s easy to think that larger hospitals with established IT teams may have an easier time implementing the changes, but with scale comes bureaucracy and complexity that smaller health centres do not have. Smaller clinics, although able to implement changes more quickly, can struggle with limited resources and additional technical demands. Changes will also affect insurance and payment providers, who must enhance their oversight of business associates and third-party vendors to meet stricter security and reporting requirements.

These associates span the entire medical supply chain: software vendors, cloud service providers, medical device and software makers, and pharmaceutical and research companies, all of which must comply with increased monitoring and restrictions.

How to prepare for the 2026 HIPAA updates

  1. Conduct Security Configuration Reviews: Identify and mitigate security gaps in system configurations.
  2. Automate Compliance Checks: Use automated tools to detect deviations from hardening baselines.
  3. Implement Secure Baselines: Apply industry-recognized hardening guidelines to system components.
  4. Test Changes Before Deployment: Ensure security changes do not disrupt critical healthcare applications.
  5. Maintain Audit-Ready Documentation: Track and log all system configuration changes for compliance verification.

Impact of HIPAA changes on daily operations

Although the majority of the changes will be on the shoulders of the IT department, other teams will also be affected. The 2025 HIPAA updates will increase compliance requirements at both organisational and employee levels:

Organizational Level Impact

Hospitals and healthcare providers will face increased frequency of audits, stricter patch management policies, and mandatory network segmentation to limit exposure. Vendors and supply chain partners will also see tighter compliance oversight.

Employee Level Impact

IT and clinical staff will undergo expanded risk analysis training, annual phishing simulations, and stricter privileged access monitoring. Teams will also need to prepare for more frequent backups and disaster recovery drills.

Key Takeaways

  • HIPAA 2025 enforces stricter hardening and configuration management.
  • Server misconfigurations are a leading compliance gap.
  • Both large hospitals and small clinics face challenges in implementation.
  • Automation reduces errors and costs while ensuring continuous compliance.
  • CalCom Hardening Suite streamlines HIPAA compliance for healthcare IT.

How Calcom Can Help You 

Ensuring continuous HIPAA compliance while maintaining operational efficiency requires an automated and streamlined approach. Calcom Hardening Suite (CHS) enables organizations to:

  • Deploy hardened security configurations without disrupting healthcare services.
  • Reduce the cost and complexity of implementing secure configurations.
  • Manage system hardening across all infrastructure components from a single interface.
  • Ensure continuous compliance with HIPAA security requirements.
  • Prevent configuration drifts and minimize security risks.

Don’t Wait Until it’s Too Late, Take Action: Ensure Compliance with HIPAA 2026 Updates

As HIPAA compliance requirements evolve, organizations must proactively implement system hardening strategies. Contact one of CalCom’s cybersecurity experts for a demo to see how we can help you meet the new security expectations and maintain compliance with ease.

Glossary

Term | Meaning
PHI | Protected Health Information, regulated under HIPAA.
System hardening | Securing servers by disabling defaults, enforcing baselines, and applying least functionality.
HIPAA server compliance | Applying HIPAA security rules to server configurations and monitoring.
STIG | Security Technical Implementation Guides are configuration standards for secure systems.

FAQs

What is HIPAA server compliance?
HIPAA server compliance means applying secure configurations and continuous monitoring to servers that store or process PHI, ensuring they meet HIPAA’s technical safeguards.
How do the HIPAA 2025 updates change compliance?
They add stricter requirements for system hardening, configuration management, and continuous monitoring, with higher penalties for violations.
Who must comply with HIPAA security updates?
Hospitals, clinics, insurance providers, third-party vendors, cloud providers, and any organization that processes or stores PHI.
How can CalCom help with HIPAA compliance?
CalCom automates server hardening and compliance monitoring, reducing errors and ensuring continuous HIPAA compliance without disrupting healthcare operations.
Roy Ludmir
Roy Ludmir is a cybersecurity entrepreneur and CEO with over 15 years of experience driving product innovation and sales growth in the security industry. He is highly skilled in CIS Benchmarks, baseline hardening, and vulnerability management, helping organizations strengthen defenses and meet compliance requirements. With a unique blend of executive leadership and deep technical expertise, he bridges business strategy with practical security solutions.