VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC2, ISO27001, HIPAA, GDPR, CPRA, NYShield, Texas HB300, HITRUST and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
Compliance 2025 Review — And What’s Changing in 2026
Speaker 1: Welcome to the VanRein Compliance Podcast. I'm Rob. Hey Dawn, we're back. We were off for a little bit, but we're back, because this week we are going to talk about 2025, do a compliance review, and talk about 2026.
Speaker 2: Sounds fun. Let's do it.
Speaker 1: Are you ready?
Speaker 2: We're ready.
Speaker 1: Well, this is our annual review that Dawn and I like to do, where we kind of review 2025: what's changed, what's new, what's upcoming. And then obviously we take a look at some of the big changes that are going on in '26. And then also, Dawn, we talked about some of the areas of compliance that you're seeing that need to be focused upon in 2026.
Speaker 2: Yes, yes. But first, we're gonna walk through what changed this year, what's coming next year, and what your organization should be doing now so you don't get caught scrambling later. Because, as is always said, Rob, right, it's not if it happens, it's when it's gonna happen.
Speaker 1: Exactly.
Speaker 2: All right, so it took me a minute. But breaches and incidents are here, and they're here to stay. And we need to make sure that we, as a compliance company, prepare you for when it happens.
Speaker 1: That is. So why do you think, Dawn, 2025 became a turning point in the industry?
Speaker 2: Well, a massive increase in ransomware and phishing, which just increases every year. But that in itself wasn't the only thing. AI showed up. And wow, every conference we go to, AI, AI, AI. It has driven impersonation attacks and telehealth growth. And, you know, regulators have scrambled and said, okay, we need to have a framework around this. And I know ISO has created an AI certification. NIST has an AI certification. And we're still waiting for HIPAA, but it will come soon. So we need to realize what's been going on, and then we need to realign, and we need to look forward to 2026 and focus forward, as we say, and prepare.
Speaker 1: Yeah. And that kind of brings us to the first one. I like to call it "the HIPAA", because people just call it HIPAA, but it is the only law. Everything else is jewelry, as I like to call it. Nice-to-have jewelry. We like jewelry, right? But it is really the law. It is a law. So what we're gonna run into next year is that HIPAA is gonna be the biggest headline of the year. And what we are anticipating, and what we're seeing, is that HIPAA is going to get updated for the first time since 2013, since the HIPAA Security Rule of 2013. There's already been regulation published; it's already gone out to public review. It was supposed to get put into law this fall, but I think with the government shutdowns and everything else, it got postponed and kicked to spring. That's what we're kind of hearing, February-March. But here are the areas that we're gonna dive into and take a look at, to see what's really gonna change. Within HIPAA, there is the addressable, there's the standard, and the required, right? Those are the three areas. Well, a lot of those addressable ones are gonna be just gone. So we're not gonna have those addressable ones anymore. And let's just run through what we're gonna see. So before, where we saw MFA everywhere, it has got to be required. It used to be addressable. And now you have to have two-factor or multi-factor authentication. It was always addressable. Now it's pretty much standard, but now it's gonna be required. We've got to have that. Next up, documented incident response. How are you gonna respond to an incident? Because it's gonna happen, like Dawn, you mentioned earlier. So what does that look like? Along with required vendor due diligence: the majority of all security breaches or incidents are a result of a third party.
And with that third party, we've got to make sure that we have good, solid third parties: our vendors, our strategic partners, people that help us compute and work. Basically, we need to make sure that they have been audited and they are set and ready to go. Access reviews. This is a big gap that I see with a lot of clients. And not to make anybody feel bad, but it's a gap. Basically, how are we looking at and verifying that we have good access reviews, right? Are we reviewing when people access the accounts to the data? Do we have a list of when there are failed login attempts or problems of that nature? And what do we do when we see an access issue? Those are key. That's a key piece. And the last three are vulnerability scanning (you've got to have vuln scans), penetration testing, and then lastly the annual audits with evidence. I love that one, because that's why we have VRC: one is an annual audit with evidence. You've got to provide evidence that you have all the controls in place. Right, Dawn?
Speaker 2: Right.
Speaker 1: Correct. Now, why don't you walk us through BAAs? Because that's always been an issue.
Speaker 2: Yes, it has. If you're a business associate, especially like an answering service, an MSP, or a SaaS vendor, the days of one-page BAAs are over. Just sending something quick with a contract, just getting them to sign it. The BAAs need to outline the actual security controls, timelines, encryption requirements, and 24-hour incident reporting. So that's what the OCR wants to see. Again, HIPAA just hasn't pressed upon it and made it really, you know, at the forefront of the requirements, but it's going to be. It should be. I know our BAAs, if you use ours, are, I think, 12 pages now.
Speaker 1: Yeah, something like that. 12 or 13.
Speaker 2: So, they need to be complex, they need to be robust. And you know, it's not a one-pager. So we have already sort of been on that bandwagon. And so I feel pretty good about that one.
Speaker 1: Yep. Yep. Yep, definitely. That's a big one. BAAs are very important. And then don't forget the subcontractor business associate agreements. Yes, correct. Yes. AI, you know, if you're using GPT or Gemini or Claude or Grok or any of those. Do we have BAAs with those platforms? Do we build our own? And the other IT companies that may have access as well. The telehealth rules are getting hardened. You know, with COVID, they kind of got a little bit open and then telehealth exploded. But we're just gonna make sure that we have our secure messaging in place, identity verification, patient workflows, and last is location-based care compliance. And so location-based is basically verifying the location of the device and the health information, and then also of the patient. Does it all match up? Yeah, because now that we're an interconnected world, there's data and stuff everywhere. So those are some key pieces in there.
Speaker 2: Yep. And the key is, if it's free, it's not compliant, more than likely. And you know, back in the COVID days, the OCR kind of said, okay, you can use these platforms, do what you need to get things done. And now it's like, no, wait, we need to back up and say these telehealth platforms, these secure messaging platforms, these need to be compliant.
Speaker 1: Speaking of downstream suppliers, what was that? Was that the headphone company that was using AI, that was moving the data overseas?
Speaker 2: Oh, it was headphones that were for translation purposes, yeah, that were created, you know, Chinese-made, and in their BAA, they said, we will hold the data, your data, your healthcare, your US healthcare data, in China.
Speaker 1: Yeah.
Speaker 2: Wow. That's all I have to say.
Speaker 1: Because it looks good, does it mean... or it's cheap, does it mean it's cheap?
Speaker 2: And then, you know, as everyone knows now, Apple came out with their AirPods. You can do translation services through the app on your phone and that type of thing. So we kind of already have that. We don't need something like that. And certainly we don't want to use anything that takes our US healthcare data offshore.
Speaker 1: Yep. Yeah. So be aware any time there are translation services or anything: is it onshore, is it offshore, is there a third party going with that? Yep. Good deal. So there's gonna be big changes with HIPAA. HIPAA is near and dear to our hearts. We do a lot in the healthcare space, so we're gonna make sure we're ahead of that, which we always do anyway.
Speaker 2: So yeah, and it's been coined as HIPAA 2.0, which I think we coined. I think a lot of people have coined it that. But that's what we're waiting for, probably springtime. So look for the Security Rule. It's exclusively the Security Rule that's going to get updated, but we will keep you updated.
Speaker 1: Yeah.
Speaker 2: Yep.
Speaker 1: Well, next up, I want to talk about NIST. We did HIPAA. NIST, and then ISO. Let me talk about NIST, and I'll let you dive into ISO because you're focused in that area. NIST has always been kind of the backbone of modern compliance. That's always been the foundation of HIPAA and ISO and SOC and everything. But there's a couple of areas with the NIST Cybersecurity Framework 2.0 not to overlook. A couple of things we saw in '25 is the introduction of the new Govern function. So Govern is focused on governance, supply chain, vendor oversight, and program metrics. That's really what it's focused on. And then there's an update to NIST 800-53 to version 5.2, where those controls modernize a lot of the privacy language and map tighter to FedRAMP, HIPAA, and HITRUST. So there's FedRAMP, there's TexRAMP, all of those. We have those here in Texas. And so they're starting to map those out and use NIST as a foundation. So NIST allows us to align the risk assessments around NIST and prepare for HIPAA, ISO, SOC 2, HITRUST all at once. So I think the overlap with the NIST framework update, 800-53, kind of really helped all the different verticals.
Speaker 2: Yep.
Speaker 1: And that leads us into ISO. Since you're the ISO queen, you do a lot of our... well, you do our ISO.
Speaker 2: Yeah.
Speaker 1: What is new in ISO?
Speaker 2: Well, ISO is now, we know, the 2022 version, and the 2013 version, I believe, sunsetted. Yeah, October. This fall it did. And so that changed. We have clients that went from 2013 to 2022, and obviously it changed the controls and that type of thing. There were enhancements in cloud, identity, coding, just more threat monitoring expectations and things like that. So there were some additional items. And I really like ISO a lot. It is a true certification if you are looking to globalize your business, meaning working with global companies. ISO is great. It is really a great certification to get. SOC 2 is also wonderful. That's for North America. SOC 2 needs to catch up a little bit. They haven't really updated their standards, where ISO has really kept on track. But again, our SOC 2 external auditors, they do audit, you know, if you're utilizing cloud AI; of course they do. But their standards are still a little archaic, I should say. Versus ISO, they keep up to date more. But SOC 2, this is really the domination in SaaS companies. Our clients, this is really because if you're just in North America or have North American customers, SOC 2 is really what you're gonna go for. So that's what a lot of our customers do. Typically they do HIPAA plus SOC 2. And so this is really great. The great thing about either ISO or SOC 2 is the mapping to HIPAA and, going forward, to GDPR, even HITRUST. There's a lot that you do that maps over. And so a lot of the controls that you adhere to in either of those compliance programs, moving forward, you're already partially adhering to the controls for, let's just say, HITRUST. You're already touching on some of the other compliance programs.
So it's really good. And it allows you to beef up your data security program in your business, whether it's an answering service, whether it's a SaaS company, whether it's a healthcare company, whatever company it is. You know, if you have data, either of those are great to have, depending on your business needs.
Speaker 1: Yeah, and HITRUST, too, also introduced CSF 11.4. So they've tightened those technical controls and that vendor inheritance, and mapped additionally, obviously, with SOC, HIPAA, and NIST. So those are some key pieces. So, kind of the hidden one, or the silent earthquake, right? That's kind of fun. Cool, that's fun. That's the state laws. So the states love to throw their own laws out there, and our team here at VanRein keeps an eye on all those. But some of the areas that we're looking at, or we looked at in '25, are everything from privacy acts, a lot of privacy acts, to telehealth consent rules. Like you notice when there's a consent rule stating that you must notify a client, you know, if you're on a phone, that there may be recordings of health information, or you accept a telehealth or telemed privacy policy online. So those are kind of the key pieces there. They've also really focused on stricter breach notification windows. So there have been a lot of breaches where nobody was notified. And now they're starting to require notifications. So if your information, which is your information, is stolen or had an incident or a breach, now they're gonna have stricter breach notification windows. So you'll see pop-ups on the website and you get the mailings and all of that. So those are the areas that we're seeing with state laws. Now, '26 is an election year, right? It's midterms next fall. So it always feels like an election year, but what we start seeing is more and more state laws on the books, or before they're on the books, they have to be voted upon. So we're starting to see a lot of that. So that'll be our busy point of next fall: making sure we're in front of everything that gets put out for ballot, and then what actually is approved and voted into law. So yeah. Now, what about '26, Dawn?
We spent a lot of the time, the first part of the podcast this week, really focused on '25 and the changes there. So, what about '26? What can our clients do to prepare for '26?
Speaker 2: Yeah, absolutely. That's a great question. So I've been having a lot of conversations with customers on, you know, what I've seen over this year for not only HIPAA, but SOC 2 and ISO, and what gaps I've seen. You're gonna see more AI. You're gonna see AI policies. We basically need to create policies for our customers, and we need to understand what AI they're using, what they're using it for, and is it an internal or external type of situation, where that data is stored, all that stuff. So that's gonna be a big part of '26, preparing for that. The other part of that is vendor management, really vendor risk management. ISO does a very good job; with ISO 27001 you have to have a supplier risk register. And I really think everyone should have one.
Speaker 1: Yeah.
Speaker 2: And I really have been promoting that to customers, because we all use a lot of different types of software. We have a lot of cloud, and we have data everywhere, let's be honest. And so this is very important. I see a huge gap when I'm asking customers for a list of their vendors and who they use. And when some of them don't know everything, that's concerning. You should know where your data is, what third party is using your data, how they're using it, and where they're storing it. So this is a huge gap. And then the other gap that I'm seeing is just incident response, disaster recovery, that type of thing. And that is huge. We've seen disasters. This year has been a big year of disasters. We've gone from breaches and ransomware to floods to fires. You've got to have this plan for your business. It doesn't matter if you are all remote. It doesn't matter if everything's in the cloud with Amazon or Google. You've got to have a plan, and everyone needs to know what it is. You've got to plan for any type of disaster for your business. And so, in that, these go together. You have to know what's critical. What are critical applications? Can you go to your, you know, community center and log in? What do you need? What do you need to continue your business, so you can continue paying your staff, so you can keep your doors open, basically? So these are huge gaps I saw this year. And we at VanRein pride ourselves on remediation items. I know that may not be a fun word for a lot of customers when they have a lot of remediation items, but we work with you. We work with you throughout the year to remediate some of these items. And these are gonna be a lot of items you're gonna see on your list of things to do. It's very important. Our responsibility is to make sure that you see all these blind spots and that you can close some of these gaps.
Speaker 1: Yeah. Yeah, really focus on those policies. You know, we've kind of talked a little bit about that, but '26 is gonna be a year we need to focus on our policies, especially with AI and secure messaging, making sure that those are aligned and put in correctly. And ISO: if you haven't transitioned to 27001:2022, you've got to do that, because if you're on 2013, you're already expired. So you're gonna have to transition over to 2022 and get that completed. It was supposed to be completed last October, a couple of months ago. But if you haven't done it, get your roadmap ready to do it. The sooner the better. You know, also align that with HITRUST. You know, if you're going to deal with healthcare, you may consider a HITRUST certification just because it is kind of the top certification in the industry, and it's a true certification. So, you know, ISO is a certification, HITRUST is a certification, where SOC 2 is an examination and HIPAA is an attestation. So think about how you continue to build upon your frameworks and security, because your competitors in the industry are doing it, and then your customers are gonna expect you to protect that data and secure that data. And then kind of that last piece is really just looking at those state laws. You know, state laws are gonna continue to change next year, but that's why we're here. We're gonna keep an eye on everything and make sure we know what's going on, what we're gonna do, and how we're gonna do it. So those are the key pieces. So that's kind of what we're seeing in '26, and then really filling those gaps. But I think also it's just making sure you have solid compliance officers and privacy officers, to make sure that they are really dialed in and they're committed. And committed not only at heart or on paper, but in time.
Maybe an hour a week, maybe two hours a week, just saying, hey, how is your compliance training? How are you in a compliance environment? What do we need to do? Is there anything we need to focus on and ramp up? Items like that.
Speaker 2: And how VanRein is here to prepare you for next year is we've got additional training. We have compliance officer training. We have HIPAA training for specific industries. We just completed one for SaaS companies. Really just educating you and your business on how you handle your healthcare data, your PHI, PII data, whatever data you have. And so we are here to help you and assist you, and to make sure you're successful and your staff understands how to handle the data. We are big on our education, and we also are big on our frameworks and our policies. So we create policies for a lot of things. We aren't general at all. We definitely create robust policies. We're very passionate about the policies and procedures: make sure you have everything correctly documented, how you do business, and making sure your staff understands it as well. So we are here to guide you through your compliance journey, whatever that may be, and to assist you in just helping you make sure you're maintaining it. Because that really is the other key: you can create a program, but you've got to maintain it as well.
Speaker 1: Yep. So have accountability partners. Yes, accountability partners, yeah. That's another one. Definitely. No, this was good. I think it was a very good year in '25. I think it's definitely kind of the warm-up of what we're seeing in security. I think '26 is going to be where everything levels up. We're really gonna be focused on showing evidence of your compliance and security, and really taking care of what's needed and proving that to your clients and investors and folks like that. And we're here to help every step of the way. Yes. Well, very good, Dawn. Always a pleasure. Of course. Like, what else are you gonna say? No. Oh, well, thank you everybody for joining us this week on the VanRein Compliance Podcast. And for saying bye. Thank you for all of your wonderful listening to this show.