How Asimily Helps You Comply With the Upcoming 2026 HIPAA Security Rule Changes
As the proposed HIPAA Security Rule changes near finalization (slated for a vote in May 2026), many healthcare organizations will scramble to meet the new compliance standards: the rule takes effect 60 days from the date of publication, followed by a 180-day compliance period. We’ve broken down each proposed requirement and the ways Asimily can help you meet it to remain compliant.
| Proposed Requirement | What it Requires | How Asimily Supports |
| --- | --- | --- |
| Elimination of “Addressable” Safeguards | All implementation specifications become mandatory with limited exceptions, removing the flexibility that allowed organizations to justify alternatives. | Asimily’s platform provides continuous monitoring and automated compliance evidence, helping organizations meet mandatory requirements across all connected devices. |
| Comprehensive Risk Analysis | Organizations must conduct detailed risk analyses, including full asset inventories, vulnerability and threat identification, and documented impact assessments with regular review cycles. | Asimily’s Inventory and Vulnerability Prioritization features deliver automated asset discovery, vulnerability identification, impact analysis and scoring, and threat assessment for all connected medical, IoT, and OT devices. Asimily also provides regular review sessions with our customer engagement team. |
| Technology Asset Inventory & Network Mapping | Entities must maintain a complete technology asset inventory with data flow maps and update them annually. | Asimily’s Asset Inventory and Network Topology features provide real-time visibility into all connected devices. The Topology Map enables organizations to trace and document data flows across the network. |
| Written Policies & Documentation | All security safeguards must be documented, regularly reviewed, tested, and updated with formal written evidence of compliance. | The Asimily Cybersecurity Services team uses insights from the Asimily product to help healthcare organizations develop and fine-tune written policies and documentation that demonstrate compliance and ensure a regular review cycle of all cyber risks. |
| Mandatory Encryption | Encryption is required for ePHI both at rest and in transit; this is no longer an “addressable” control. | Asimily’s platform identifies legacy devices and operating systems in the customer environment. In addition, many organizations leverage Asimily’s Cybersecurity Services to facilitate overall risk management, including the implementation of mandatory controls and risk exceptions as necessary following organizational and regulatory protocols. |
| Multi-Factor Authentication (MFA) | MFA is required for system access, privileged accounts, and remote access to ePHI systems. | Dedicated identity and access management solutions are recommended for MFA implementation. |
| Vulnerability Scanning & Penetration Testing | Vulnerability scans are required every 6 months; penetration tests are required annually. | Asimily performs continuous vulnerability discovery for medical, IoT, and OT devices – exceeding the proposed biannual minimum. Asimily also works alongside leading partner organizations to support penetration testing initiatives conducted by your organization. |
| Network Segmentation | Organizations must implement segmentation to limit ePHI exposure and prevent lateral movement during breaches. | Asimily’s Segmentation Orchestration capabilities help organizations plan, validate, and operationalize segmentation for all connected devices—reducing risk, cost, and complexity of implementation. |
| Anti-Malware Protection | Systems handling ePHI must deploy malware detection, protection mechanisms, and monitoring. | Asimily’s Anomaly and Threat Detection feature provides proactive network-based malware detection and safe monitoring for all connected devices, including devices that cannot run endpoint agents. Asimily then recommends mitigation controls based on what is detected. Asimily also integrates with existing EDRs and pulls in their data to ensure organizations are able to monitor their overall security posture. |
| Configuration Management | Entities must implement formal processes for secure configuration, patch management, and removal of unnecessary software. | Asimily’s Asset Inventory, Attack Analysis, Configuration Control, and IoT Patching features address secure configuration and patch management for IoT, OT, and IoMT devices. |
| Incident Response Planning | Organizations must maintain formal incident response procedures, breach detection capabilities, and mitigation and recovery steps. | Asimily Cybersecurity Services help organizations develop and maintain formal IR and BCDR procedures. The Asimily product helps organizations develop policies and behavioral rules that support breach detection capabilities (DS, CC, and IR). |
| Backup & Contingency Planning | Strengthened requirements for ePHI backups, disaster recovery, and emergency operations. | Asimily’s Configuration Control feature maintains device snapshots that support disaster recovery for medical, IoT, and OT devices, aiding restoration planning. |
| Workforce Training | Staff must be trained on cybersecurity threats, phishing, social engineering, and incident reporting. | Asimily Cybersecurity Services provides staff training on security issues, processes, and remediation procedures related to current industry trends and the organization’s risk management posture. |
| Business Associate Oversight | Covered entities must verify that business associates implement required safeguards and certify compliance annually. | Organizations can implement contractual measures and use consultants if needed to ensure their business associates implement required safeguards and certify compliance annually. |
| Annual Compliance Verification | Organizations must periodically verify that safeguards are deployed and functioning; business associates may need annual certification. | Asimily Cybersecurity Services helps organizations mandate third-party risk management processes that evaluate each third party’s safeguards, its support for the organization, and any applicable annual certifications, helping identify the third party’s security posture and align it with the organization’s security protocols. |
Take the First Step Toward Compliance
The proposed 2026 HIPAA Security Rule represents a generational shift in how healthcare organizations must approach cybersecurity. For connected medical, IoT, and OT devices, Asimily provides the asset visibility, vulnerability intelligence, segmentation orchestration, and threat detection capabilities that form the foundation of compliance.
Request a demo to see how Asimily can help your organization prepare for the new HIPAA Security Rule – before the compliance clock starts ticking. With such a large overhaul of existing HIPAA requirements, the earlier you start, the smoother your compliance process will be.