
OCR’s 2026 Cybersecurity Update to Healthcare: From Risk Analysis to Enforced Risk Management

January 2026 OCR Update:

In its January 2026 Cybersecurity Newsletter, the HHS Office for Civil Rights (OCR) delivered one of its most direct statements yet about how it expects HIPAA-regulated entities to approach cybersecurity going forward.

OCR stated that it will continue its risk analysis enforcement initiative, which will evolve to include risk management to ensure that regulated entities are taking prompt action to reduce risks and vulnerabilities to ePHI identified by their risk analyses. The guidance focuses on system hardening, not as an abstract security concept, but as a practical, ongoing obligation tied directly to HIPAA Security Rule compliance. More importantly, OCR made clear that its enforcement posture is evolving. Risk analysis alone is no longer enough. Regulated entities will be expected to demonstrate timely, documented action to reduce risks and vulnerabilities to ePHI once those risks are identified.

System Hardening as a HIPAA Security Rule Requirement

OCR defines system hardening as the process of customizing electronic information systems to reduce their attack surface and limit the number of weaknesses and vulnerabilities that attackers can exploit. In practice, this includes a combination of patching known vulnerabilities, removing or disabling unnecessary software and services, and enabling and properly configuring security controls.

Under the HIPAA Security Rule, covered entities and business associates are required to ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit. OCR positioned system hardening and the creation of standardized security baselines as one concrete way regulated entities can meet that obligation.

The guidance also reinforced that medical devices are explicitly in scope. OCR reminded regulated entities to consult manufacturer labeling and follow security guidance throughout a device’s lifecycle, referencing FDA expectations around cybersecurity risk management, security architecture, and testing.

Patching Known Vulnerabilities Is Foundational and Ongoing

OCR emphasized that patching known vulnerabilities remains one of the most basic and essential system hardening activities, regardless of whether a device is new or long in service.

This includes not only operating systems and common enterprise software, but also firmware embedded in devices such as routers, firewalls, and other network infrastructure. An accurate, up-to-date IT asset inventory was highlighted as a prerequisite for understanding what systems need to be hardened and maintained.

Importantly, OCR explicitly tied patching to both risk analysis and risk management requirements under the Security Rule. Identifying vulnerabilities is only the first step. Regulated entities are expected to implement security measures that reduce those risks to a reasonable and appropriate level.

OCR acknowledged that immediate patching may not always be possible, such as when vulnerabilities are newly disclosed or exist in legacy systems without available updates. In those cases, OCR expects entities to implement compensating controls or other remedial actions to reduce the risk of exploitation until a permanent fix is available.

System hardening, OCR noted, is not a one-time event. New vulnerabilities will continue to emerge, and regulated entities are expected to continuously identify and mitigate them over time.
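The expectation described in this section, that every identified vulnerability is either patched within a defined window or carries a documented compensating control until a fix exists, is easy to state and easy to lose track of across hundreds of assets. The following script is an added example, not from the OCR newsletter or from Clearwater, of a minimal risk register that classifies each finding accordingly. The severity windows, asset names and finding ids are constructed placeholders (the ids are tracker references, not CVE numbers).

```python
"""Track remediation of identified vulnerabilities the way OCR frames risk
management: each finding is patched within its target window, or carries a
documented compensating control until a permanent fix is available.

Added example; the findings and policy windows below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: days allowed from identification to remediation, by severity.
REMEDIATION_WINDOW_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    finding_id: str                              # placeholder tracker id, not a real CVE number
    severity: str
    identified_on: date
    patch_available: bool
    patched_on: Optional[date] = None
    compensating_control: Optional[str] = None   # documented interim measure, if any


def assess(finding: Finding, today: date) -> str:
    """Classify a finding as remediated, on_track, overdue, mitigated or unmitigated."""
    if finding.patched_on is not None:
        return "remediated"
    deadline = finding.identified_on + timedelta(days=REMEDIATION_WINDOW_DAYS[finding.severity])
    if finding.patch_available:
        return "on_track" if today <= deadline else "overdue"
    # No fix exists yet (newly disclosed, or legacy system): a compensating
    # control must be in place and documented, otherwise the risk is unaddressed.
    return "mitigated" if finding.compensating_control else "unmitigated"


def risk_register(findings, today: date) -> dict:
    """Group (asset, finding_id) pairs by status for the documented risk management record."""
    register = {s: [] for s in ("remediated", "on_track", "mitigated", "overdue", "unmitigated")}
    for f in findings:
        register[assess(f, today)].append((f.asset, f.finding_id))
    return register


# Constructed sample findings as of a constructed review date.
TODAY = date(2026, 2, 1)
SAMPLE_FINDINGS = [
    Finding("ehr-app-01", "VULN-0001", "critical", date(2026, 1, 5), True, patched_on=date(2026, 1, 9)),
    Finding("fw-edge-02", "VULN-0002", "critical", date(2026, 1, 10), True),   # 22 days old, 14-day window
    Finding("lab-pc-07", "VULN-0003", "high", date(2026, 1, 25), True),        # 7 days old, 30-day window
    Finding("infusion-pump-3", "VULN-0004", "high", date(2025, 12, 1), False,
            compensating_control="isolated VLAN; no inbound access from user network"),
    Finding("legacy-pacs", "VULN-0005", "medium", date(2025, 11, 15), False),  # no fix, no control
]


if __name__ == "__main__":
    for status, items in risk_register(SAMPLE_FINDINGS, TODAY).items():
        print(f"{status:12s} {items}")
```

The "overdue" and "unmitigated" buckets are the ones an investigator would ask about: the first shows a patch existed and was not applied in time, the second shows a known risk with no documented interim measure at all.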

Reducing the Attack Surface: Removing What You Do Not Need

A significant portion of the guidance focused on attack surface reduction, an area in which OCR continues to find problems repeatedly in investigations.

OCR warned that many systems include unnecessary software, features, and services that are never used but still introduce exploitable vulnerabilities. This includes pre-installed applications, unused utilities, and operating system services that serve no business purpose for the organization.

The guidance also called out a persistent and dangerous issue: generic and service accounts created during software installation. These accounts often have elevated privileges and may retain default or weak passwords that attackers know to target.

OCR cited investigations where default credentials were still in place for databases, networking software, and even anti-malware solutions. Even when software is removed, associated service accounts may remain behind, silently increasing risk.

Removing unneeded software and services, and ensuring that orphaned accounts are fully removed, was positioned as a critical system hardening activity, particularly when vulnerabilities cannot be patched.
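The three problems OCR describes above (services with no business purpose, service accounts left behind after their software was removed, and accounts still on default credentials) can all be found from an ordinary host inventory. The script below is an added example, not code from the OCR newsletter or from Clearwater, that audits one constructed host inventory and turns the findings into documented actions. The package, service and account names, the approved-services allowlist and the "password is default" flags are all constructed; in practice the flag would come from a credential check performed elsewhere.

```python
"""Audit a host's services and local accounts for the attack-surface problems
OCR describes: enabled services with no documented business need, service
accounts orphaned by removed software, and accounts still on default credentials.

Added example; every inventory value below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    owning_package: str        # package that created the account; "" for a human user
    privileged: bool
    password_is_default: bool  # assumed to come from a separate credential check


@dataclass
class HostInventory:
    hostname: str
    installed_packages: set
    enabled_services: set
    accounts: list


# Constructed allowlist: services the organization has documented a business need for.
APPROVED_SERVICES = {"sshd", "postgresql", "nginx", "auditd"}

# Constructed host: an imaging workstation after an old viewer and a backup agent were uninstalled.
SAMPLE_HOST = HostInventory(
    hostname="img-ws-01",
    installed_packages={"openssh-server", "postgresql", "nginx", "auditd", "telnetd"},
    enabled_services={"sshd", "postgresql", "nginx", "auditd", "telnetd", "cups"},
    accounts=[
        Account("postgres", "postgresql", privileged=True, password_is_default=False),
        Account("pacsviewer", "pacs-viewer", privileged=True, password_is_default=True),
        Account("svc_backup", "backup-agent", privileged=True, password_is_default=True),
        Account("jdoe", "", privileged=False, password_is_default=False),
    ],
)


def audit_host(host: HostInventory, approved_services: set = APPROVED_SERVICES) -> dict:
    """Return findings grouped by category; each value is a sorted list of names."""
    findings = {
        "unapproved_services": sorted(host.enabled_services - approved_services),
        "orphaned_accounts": [],
        "default_credential_accounts": [],
        "privileged_service_accounts": [],
    }
    for acct in host.accounts:
        # A service account whose owning package is gone is an orphan left behind by an uninstall.
        if acct.owning_package and acct.owning_package not in host.installed_packages:
            findings["orphaned_accounts"].append(acct.name)
        if acct.password_is_default:
            findings["default_credential_accounts"].append(acct.name)
        if acct.owning_package and acct.privileged:
            findings["privileged_service_accounts"].append(acct.name)
    for key in ("orphaned_accounts", "default_credential_accounts", "privileged_service_accounts"):
        findings[key].sort()
    return findings


def remediation_plan(findings: dict) -> list:
    """Translate findings into documented actions, highest risk first."""
    actions = []
    for name in findings["default_credential_accounts"]:
        actions.append(f"rotate default credential on account '{name}'")
    for name in findings["orphaned_accounts"]:
        actions.append(f"remove orphaned service account '{name}'")
    for svc in findings["unapproved_services"]:
        actions.append(f"disable service '{svc}' or document its business need")
    return actions


if __name__ == "__main__":
    result = audit_host(SAMPLE_HOST)
    for category, names in result.items():
        print(f"{category}: {names}")
    for step in remediation_plan(result):
        print("ACTION:", step)
```

Note that the orphan check keys on the owning package rather than on the account name: that is what catches the case OCR calls out, where the software is gone but its account is not.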

Misconfiguration Remains a Leading Cause of Breaches

OCR reinforced that many cyber incidents occur not because security controls are missing, but because they are improperly configured or not enabled at all.

As OCR explained:

“Security measures often found in operating systems, as well as some other software, intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as, for example, access controls, encryption, audit controls, and authentication.

“A regulated entity’s risk analysis and risk management plan can inform its decisions regarding the implementation of these and other security measures.”

The guidance highlighted that in some cases, additional third-party solutions may be required to adequately reduce risk, such as implementing multi-factor authentication when it is not natively supported.

Security Baselines and Recognized Frameworks

To support system hardening efforts, OCR pointed to the use of standardized security baselines, defined sets of controls and configurations that can be applied consistently across systems.

OCR referenced resources such as NIST SP 800-53, Microsoft Security Baselines, and Department of Defense STIGs as examples of tools organizations can use to guide implementation. However, OCR cautioned that publicly available baselines should not be adopted blindly. They must be reviewed, understood, and tailored to the organization’s specific environment and risk profile.

Again, OCR emphasized that baselines should be implemented in the context of HIPAA risk analysis and risk management processes, not as a standalone compliance exercise.
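OCR's caution that public baselines must be tailored rather than adopted blindly implies two mechanical steps: record each local deviation with the risk analysis finding that justifies it, and then measure hosts against the tailored baseline, not the published one. The script below is an added example, not from the OCR newsletter or from Clearwater, of both steps. The setting names and values are constructed stand-ins for whatever a real STIG or Microsoft Security Baseline specifies, and the risk analysis reference in the exception is a constructed placeholder.

```python
"""Tailor a published security baseline with documented exceptions, then report
configuration drift between the tailored baseline and a host's actual settings.

Added example; setting names, values and the RA reference are constructed.
"""
from dataclasses import dataclass


@dataclass
class BaselineException:
    setting: str
    value: object
    justification: str   # should cite the risk analysis finding that supports the deviation


# Constructed stand-in for a published baseline's settings.
PUBLISHED_BASELINE = {
    "ssh.password_authentication": False,
    "ssh.max_auth_tries": 4,
    "audit.enabled": True,
    "screen.lock_timeout_minutes": 10,
    "smbv1.enabled": False,
}


def tailor(published: dict, exceptions: list) -> dict:
    """Return the organization's baseline: published values with documented exceptions applied.
    An undocumented exception is rejected rather than silently accepted."""
    tailored = dict(published)
    for exc in exceptions:
        if not exc.justification.strip():
            raise ValueError(f"exception for {exc.setting} has no documented justification")
        if exc.setting not in published:
            raise KeyError(f"{exc.setting} is not a baseline setting")
        tailored[exc.setting] = exc.value
    return tailored


def drift(baseline: dict, actual: dict) -> dict:
    """Map each drifted setting to (expected, actual). A setting absent from the host
    counts as drift, because a control that was never set is not an enabled control."""
    return {
        key: (expected, actual.get(key, "<unset>"))
        for key, expected in baseline.items()
        if actual.get(key, "<unset>") != expected
    }


# Constructed tailoring: a kiosk in a staffed clinical area needs a longer lock timeout.
ORG_EXCEPTIONS = [
    BaselineException("screen.lock_timeout_minutes", 15,
                      "RA-2026-017 (placeholder): staffed area; 15 min accepted by risk owner"),
]

# Constructed snapshot of what the host actually has configured.
HOST_ACTUAL = {
    "ssh.password_authentication": True,
    "ssh.max_auth_tries": 4,
    "audit.enabled": True,
    "screen.lock_timeout_minutes": 15,
}


if __name__ == "__main__":
    baseline = tailor(PUBLISHED_BASELINE, ORG_EXCEPTIONS)
    for setting, (want, have) in drift(baseline, HOST_ACTUAL).items():
        print(f"DRIFT {setting}: expected {want!r}, found {have!r}")
```

Run against the constructed host, the 15-minute lock timeout is not reported because it is a documented, accepted deviation, while password-based SSH and the unset SMBv1 setting are: that separation between accepted risk and drift is the record OCR expects a risk management process to produce.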

The Most Important Shift: Risk Management Will Be Scrutinized

The most consequential takeaway for healthcare leaders appears not in a checklist, but in OCR’s framing.

OCR confirmed that its ongoing risk analysis enforcement initiative will evolve to include risk management, with a focus on whether regulated entities are taking prompt action to reduce risks and vulnerabilities to ePHI identified through their assessments.

OCR closed the guidance with a clear warning about how compliance will be evaluated over time:

“Defining, creating, and applying system hardening techniques is not a one-and-done exercise.”
“Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time,” and is essential for HIPAA Security Rule compliance.

What Healthcare Leaders Should Take Away in 2026

OCR is not asking healthcare organizations to chase the latest tools or adopt overly complex controls. Instead, it is reinforcing discipline around fundamentals:

Knowing what systems you have
Understanding where your risks are
Acting on those risks in a timely, documented way
Reassessing effectiveness over time

In 2026, HIPAA compliance is no longer about proving you looked. It is about proving you acted, and that you continue to act as conditions change.

How Clearwater Can Help

Clearwater supports healthcare organizations with a thorough, asset-based HIPAA risk analysis aligned to OCR’s 9-element methodology. Our risk analyses have maintained a 100% acceptance rate by OCR when submitted during investigations. Beyond identification, we guide clients through true risk reduction, helping translate findings into prioritized, documented risk management actions that align with HIPAA and evolving enforcement expectations.

Review the on-demand webinar “Secure and Compliant: OCR-Quality Risk Management in Action” for insight into how Beth Israel Lahey Health implemented a strong risk management program with Clearwater’s support.
