June 3, 2025

The new HIPAA security rule: Why SaaS security and identity governance can’t wait

As HIPAA modernizes its standards for a SaaS & AI-powered world, healthcare organizations require new approaches to safeguarding access to sensitive data.

When most people think of HIPAA compliance, they picture paper forms, privacy notices, and locked file cabinets. But today’s modern healthcare organizations run on cloud services—from telehealth and scheduling platforms to shared spreadsheets and clinical collaboration tools.

This digital transformation of healthcare continues to create new possibilities for delivering better and more efficient health outcomes. Yet, given the highly sensitive nature of electronic personal health information (ePHI), organizations must maintain rigorous security controls to safeguard sensitive data and access to it. This is no easy feat, and as the cloud revolution of the last decade gives way to the modern SaaS and AI revolution, it becomes even more challenging to maintain HIPAA standards. Regulators have taken note and recently introduced a series of updates to the HIPAA security rule.

HIPAA enforcement is shifting toward the cloud.

While the HIPAA Security Rule hasn’t changed on paper, recent guidance and enforcement actions from the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) make one thing clear: compliance is no longer just about securing on-premises systems or formal EHR platforms. It’s about every system that stores, transmits, or even touches electronic Protected Health Information (ePHI)—especially in the cloud.

In practice, that means:

  • Multi-factor authentication (MFA) is no longer optional. It’s considered a basic expectation for any system that handles ePHI.
  • Shadow IT is a compliance risk. If your workforce is using cloud-based tools outside of IT’s view, and those tools touch sensitive data, you may be exposed.
  • Risk analysis must evolve. OCR expects organizations to account for all cloud services and user accounts in their HIPAA risk assessments—not just the ones IT approved.

These aren’t theoretical shifts. In breach investigations, OCR now asks detailed questions about MFA, SaaS governance, and cloud visibility. If answers fall short, enforcement follows.

A modern attack surface, a legacy security model

The problem is, most healthcare organizations aren’t equipped to manage security at the speed of modern cloud (that is, SaaS) adoption.

As in other industries, clinical and administrative staff are under constant pressure to move fast, serve patients, and collaborate efficiently. So when a SaaS or AI tool promises to save time or streamline a task, it gets adopted—often without IT approval.

Over time, this creates a sprawl of unsanctioned apps, orphaned accounts, and unclear data flows. Meanwhile, identity sprawl grows alongside it: shared credentials, stale admin access, and personal email logins all become easy targets for attackers—and audit red flags.

Much of this happens outside the purview of traditional security tools. And without visibility, there’s no way to enforce policies, monitor MFA, or know where ePHI might be exposed.

Regulators aren’t the only ones paying attention.

The new HIPAA guidance doesn’t exist in a vacuum—it reflects a shifting threat landscape that healthcare organizations now face:

  • Ransomware attacks are increasingly targeting cloud platforms and third-party apps.
  • Phishing campaigns often bypass perimeter defenses by compromising personal or unmonitored SaaS accounts.
  • Supply chain vulnerabilities in connected SaaS services are becoming a top risk vector.

In short, attackers have already moved to the cloud, security programs aren’t keeping pace, and the regulators are catching up.

How Nudge Security can help

At Nudge Security, we help healthcare organizations meet this moment. Our platform delivers complete visibility into every SaaS and cloud account in use, across your workforce—not just the ones IT knows about. We help you:

  • Discover shadow IT and SaaS sprawl before it becomes a compliance issue.
  • Monitor MFA adoption everywhere and nudge users automatically to secure their accounts.
  • Track identity usage and reduce risky or orphaned accounts.
  • Inform HIPAA risk assessments with real-time SaaS and identity data.

We believe security doesn’t have to be a blocker to healthcare innovation. With Nudge Security, we deliver automated guardrails to help you manage risk in a modern, cloud-enabled healthcare environment.

The rules have changed and the risks have escalated. Now is the time to get your arms around SaaS and identity security.

Start your free 14-day trial of Nudge Security today →
