Randy Hildebrandt | Product Marketing, Data Protection
More About This Author >
Randy Hildebrandt | Product Marketing, Data Protection
More About This Author >
Introduction: Architecture Is Now a Regulatory Issue
The proposed HIPAA Security Rule update does more than raise expectations around encryption. It implicitly defines what a compliant data security architecture must look like.
These aren’t paperwork tasks. They are architectural prerequisites.
Buried within the regulatory language are requirements for asset inventory, data flow mapping, risk analysis documentation, and demonstrable technical safeguards. These are not administrative checkboxes. They are architectural mandates.
Encryption, therefore, becomes inseparable from visibility. Compliance becomes inseparable from architecture. Healthcare organizations must now design environments that assume regulators will evaluate not just whether encryption exists, but whether it is consistently deployed, centrally governed, and auditable across the enterprise.
Hidden Technical Mandates Inside the HIPAA Security Rule
The regulation requires organizations to:
- Inventory all technology assets
- Identify where ePHI is created, received, stored, or transmitted
- Map data flows between systems
- Assess risks at each data location
Those requirements create an unavoidable conclusion: You cannot secure or encrypt data you cannot see.
This visibility gap is already a major issue in healthcare. According to the 2026 Thales Data Threat Report Healthcare Data Sheet, only 31% of healthcare organizations have complete knowledge of where their data is stored. That means many organizations may struggle to prove where ePHI resides, whether it is encrypted consistently, and whether access controls and audit logging are applied across the full data estate.
Visibility becomes a compliance control, not a convenience. These requirements effectively establish visibility as a compliance control.
Without comprehensive asset awareness and data mapping, organizations cannot confirm encryption coverage, demonstrate uniform safeguards, prove policy enforcement, and defend audit findings. Encryption must be implemented systematically, not opportunistically.
See What’s Driving Healthcare Data Security Risk
Explore the 2026 Thales Data Threat Report Healthcare Data Sheet for insights on cloud risk, AI-driven threats, encryption gaps, key management complexity, and healthcare security priorities.
Required Capability Stack
Most healthcare environments operate partial encryption with decentralized key management and limited monitoring coverage. The gap between current state and regulatory expectation is often wider than leadership assumes. Meeting regulatory expectations now requires five integrated layers of control.
- Data Discovery and Classification: Sensitive data must be identified across structured databases, unstructured file systems, cloud storage, endpoints, and backups.
- Encryption: ePHI must be protected at rest, in transit, and, where possible, in use, across on-premises and cloud environments.
- Enterprise Key Management: Encryption keys must be centrally generated, stored, rotated, revoked, and audited. Separation of duties is essential.
- Data Activity Monitoring: Access to sensitive data must be monitored continuously, including privileged activity and anomalous behavior detection.
- Evidence and Audit Logging: Tamper-resistant logs must demonstrate consistent enforcement and enable forensic reconstruction if necessary.
Healthcare Use Cases and Required Controls
1. Electronic Health Record (EHR) Databases
EHR systems centralize vast volumes of patient data. Attackers frequently target database servers directly.
Risk: Database exfiltration, compromised credentials, or unauthorized administrative access.
Control Strategy: Database encryption, real-time activity monitoring, centralized key control and tokenization.
Technology Alignment:
- CipherTrust Transparent Encryption from the CipherTrust Data Security Platform protects structured data at the operating system level without requiring application rewrites.
- Thales Database Activity Monitoring provides continuous monitoring of database queries, privileged access behavior, and anomalous patterns, delivering the audit evidence regulators increasingly expect.
- CipherTrust Cloud Key Management centralizes encryption key lifecycle management and reduces operational burden enforcing consistent security controls across environments. Tokenization can be used to help reduce risk from third party business associates.
2. Medical Imaging Repositories
Imaging systems often reside on file servers or network storage environments that historically lacked encryption enforcement.
Risk: Large, unencrypted file stores containing radiology and diagnostic data.
Control Strategy: File-level encryption, centralized key management, and access monitoring.
Technology Alignment:
- CipherTrust Transparent Encryption protects unstructured files while preserving clinical workflows.
- CipherTrust Enterprise Key Management ensures encryption keys are centrally controlled and rotated.
- Thales Database Activity Monitoring provides visibility into who accessed imaging files and whether access patterns deviate from policy.
3. Claims Processing Platforms
Claims platforms involve financial data, identity records, and payment workflows. Insider misuse and credential abuse are common breach vectors.
Risk: Insider misuse of identity and billing information.
Control Strategy: Encryption of sensitive databases, file and database monitoring, and detailed audit logging.
Technology Alignment:
- CipherTrust Transparent Encryption protects sensitive claims data.
- Thales Database Activity Monitoring and File Activity Monitoring deliver granular oversight into billing system access and potential data staging activity.
4. Telehealth and Cloud-Based Applications
Rapidly deployed telehealth platforms often expand faster than security governance.
Risk: Cloud misconfiguration, API exposure, and session data interception.
Control Strategy: Application-layer encryption, tokenization of sensitive identifiers, and policy-based access enforcement.
Technology Alignment:
- CipherTrust Application Data Protection, CipherTrust RESTful Data Protection, CipherTrust Batch Data Transformation and CipherTrust Data Protection Gateway enable encryption and tokenization at the application layer, protecting session data, stored transcripts, and patient identifiers while maintaining application performance.
5. Research Data Environments
Research datasets may include partially de-identified but still regulated data.
Risk: Intellectual property theft or unauthorized analysis of sensitive datasets.
Control Strategy: Tokenization, controlled re-identification, and continuous activity monitoring.
Technology Alignment:
- CipherTrust Tokenization Solutions protects sensitive fields while enabling analytics use cases.
- Thales Database Activity Monitoring ensures dataset usage remains aligned with research policy and regulatory expectations.
What CISOs / Executives See vs Compliance Practitioners See
Bridging these viewpoints is now a regulatory requirement. Both perspectives must align within a unified governance framework. Architecture decisions directly affect compliance defensibility.
The CISO Lens
- Enterprise attack surface
- Architecture scalability
- Vendor consolidation
- Incident response readiness
The Compliance Practitioner Lens
- Evidence generation
- Policy adherence
- Audit traceability
- Documentation completeness
The Cost of Waiting
Encryption expansion delays create compounding risk. Organizations that begin transformation only after final rule publication will be implementing under regulatory pressure.
| Delay Duration | Likely Impact |
|---|---|
| 3 Months | Asset inventory gaps |
| 6 Months | Compliance deficiencies |
| 12 Months | Enforcement exposure |
Practical Takeaways
The proposed HIPAA update does not simply require encryption. It requires demonstrable, enterprise-wide, consistently governed encryption supported by monitoring and evidence.
Healthcare organizations that modernize their architecture now will gain not only compliance defensibility but operational resilience. Those that delay may face compressed timelines, fragmented controls and increased regulatory scrutiny. Encryption must now be treated as architectural infrastructure, integrated, visible, and provable.
For Practitioners
- Run comprehensive data discovery scans
- Identify unencrypted repositories
- Validate centralized key management
- Test monitoring alerts and logging integrity
For Decision Makers
- Approve unified data security architecture
- Reduce tool fragmentation
- Mandate centralized key governance
- Fund automation for audit evidence generation
Steps You Can Take Now
- Visit the following resources:
- Check out self-guided demos CipherTrust Data Security Platform.
- Contact a Thales Data Security Specialist to learn how Thales can help your organization comply with the proposed HIPAA regulations.