Software supply chain security for healthcare under HIPAA in 2026 is a different conversation than it was two years ago. The HHS Office for Civil Rights published the Notice of Proposed Rulemaking to modernize the HIPAA Security Rule on 6 January 2025, with the final rule moving through rulemaking during 2025 and compliance dates falling in 2026-2027. Combined with the statutory requirements for "recognized security practices" under Public Law 116-321 (HR 7898), the HHS 405(d) Health Industry Cybersecurity Practices 2023 edition, and the FDA's Section 524B postmarket cybersecurity authority for medical devices, healthcare organizations are facing a coherent -- and far more technical -- supply chain mandate.
This post walks through what the HIPAA Security Rule updates actually require for software supply chain, how the 405(d) Cybersecurity Performance Goals (CPGs) and essential/enhanced practices map to SBOM workflows, and what covered entities and business associates need to have in place in 2026.
What does the 2025 HIPAA Security Rule update require for software inventory and supply chain?
The proposed update explicitly introduces a technology asset inventory requirement. Under the NPRM at 45 CFR 164.308 and 164.312, regulated entities must maintain a written inventory of technology assets used to create, receive, maintain, or transmit ePHI, including the type, location, configuration, and dependencies. "Dependencies" is the key word -- it brings software components into scope.
The proposed rule also codifies vulnerability management, patching timelines (critical patches within 15 calendar days in the NPRM, subject to final rule language), and risk analysis that explicitly addresses technology asset inventory results. The previous "addressable" vs. "required" distinction that led covered entities to defer controls has been tightened -- most controls are now required with limited documented exceptions.
OCR expects covered entities and business associates to be able to demonstrate, on demand, which software components are running in systems that touch ePHI, which components have known vulnerabilities, and what the remediation status is. That is an SBOM problem. Spreadsheets of server hostnames and OS versions will not satisfy the updated Security Rule.
How do the 405(d) Cybersecurity Performance Goals apply to supply chain?
The HHS 405(d) task group published voluntary Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals in January 2024, organized as Essential and Enhanced goals. Several map directly to software supply chain:
- Essential Goal: Asset Inventory -- maintain a comprehensive inventory of technology assets.
- Essential Goal: Vulnerability Management -- identify and manage vulnerabilities, including in third-party software.
- Enhanced Goal: Third-Party Vulnerability Disclosure -- participate in coordinated vulnerability disclosure with vendors.
- Enhanced Goal: Supply Chain/Third Party Incident Reporting -- incorporate supply chain incidents into the incident response plan.
The 405(d) Health Industry Cybersecurity Practices (HICP) publication, updated in 2023, is explicitly one of the "recognized security practices" that HR 7898 directs HHS to consider when assessing penalties, resolution agreements, and audits. Demonstrating alignment with HICP reduces your exposure during an OCR enforcement action. HICP Practice 8 (Medical Device Security) and Practice 10 (Cybersecurity Oversight and Governance) both require SBOM-aware processes.
What about the FDA postmarket authority for medical devices?
Section 524B of the Food, Drug, and Cosmetic Act, added by the Consolidated Appropriations Act of 2023 and effective 29 March 2023, gives the FDA authority over "cyber devices" including an explicit requirement at 524B(b)(3) to provide "a software bill of materials, including commercial, open-source, and off-the-shelf software components." The FDA guidance "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (finalized 26 September 2023) operationalizes this.
For healthcare delivery organizations (HDOs), this means medical devices procured from 2023 onward come with an SBOM. But receiving an SBOM is only half the problem. The HDO needs to ingest, store, and continuously monitor those SBOMs for new vulnerabilities -- and that monitoring program is evaluated under the HIPAA Security Rule when those devices touch ePHI.
Who is a business associate for software supply chain purposes?
This matters more than teams realize. A SaaS vendor that processes ePHI is a business associate and is directly liable under HIPAA. Since the 2013 Omnibus Rule, business associates have had direct obligations. In 2026, business associates are being asked to produce SBOMs, demonstrate vulnerability management, and sign business associate agreements (BAAs) that flow down technical safeguard obligations.
If your EHR vendor uses a third-party library for audit log export, that library is part of your HIPAA attack surface. The Security Rule update makes the chain of custody for ePHI explicit. Business associate subcontractor agreements must reflect the same technical controls, and OCR has been willing to name subcontractors in recent enforcement actions.
What do OCR investigations actually look at in 2026?
Based on published resolution agreements from 2023-2025, OCR investigators look at: (a) the most recent risk analysis and whether it considered technology dependencies, (b) evidence of a technology asset inventory, (c) vulnerability management records including patching timelines, (d) access control reviews, and (e) incident response documentation. Multi-million-dollar settlements in 2024 and 2025 consistently cite inadequate risk analysis and missing asset inventories as root causes.
OCR's 2024 Report to Congress on HIPAA Compliance flagged that 89% of investigated breaches involved hacking/IT incidents, and a growing share involved third-party vendor compromise. That statistical reality is why the 2025 NPRM hardens supply chain expectations.
What SBOM workflow does a healthcare provider need?
A functional workflow for an HDO or large covered entity in 2026 covers five things:
- Intake: accept vendor-supplied SBOMs in SPDX or CycloneDX, validate format and completeness, store with the contract and device/software metadata.
- Internal generation: produce SBOMs for any internally developed software that touches ePHI (patient portals, integration middleware, custom apps).
- Continuous correlation: match components in SBOMs against the NVD, CISA KEV, and vendor advisories, with alerts routed to the responsible team.
- Risk-based prioritization: use exploitability data (CISA KEV, EPSS), patient-safety impact, and ePHI exposure to rank remediation.
- Evidence production: export audit packs on demand for OCR, Joint Commission, and internal audit.
Missing any of these steps leaves a gap that an examiner or plaintiff's counsel will exploit after a breach.
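To make the five steps above concrete, here is an added example (not code from the original post or from any vendor) of a minimal intake, correlation, prioritization and evidence pipeline. The CycloneDX document, the vulnerability feed standing in for NVD/KEV/EPSS lookups, the asset metadata and the `CVE-0000-EXAMPLE*` identifiers are all constructed sample data; the scoring weights are illustrative assumptions, not a published formula.

```python
"""Added example: SBOM intake -> correlation -> risk-based ranking -> audit pack.
All SBOM content, vulnerability records, identifiers and asset metadata below
are constructed sample data, not real advisories or real systems."""
import json

# Constructed CycloneDX SBOM, as a vendor might supply with a device or app.
VENDOR_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",  # constructed
    "components": [
        {"name": "libxml2", "version": "2.9.10", "purl": "pkg:generic/libxml2@2.9.10"},
        {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
        {"name": "audit-export", "version": "3.2.0"},  # no purl/cpe: flagged on intake
    ],
}

# Constructed feed standing in for NVD + CISA KEV + EPSS; the CVE ids are placeholders.
VULN_FEED = [
    {"name": "libxml2", "version": "2.9.10", "id": "CVE-0000-EXAMPLE1",
     "cvss": 9.8, "in_kev": False, "epss": 0.02},
    {"name": "openssl", "version": "1.1.1k", "id": "CVE-0000-EXAMPLE2",
     "cvss": 7.5, "in_kev": True, "epss": 0.85},
]

# Constructed asset metadata: ePHI exposure and patient-safety context for the system.
ASSET_CONTEXT = {"system": "lab-results-interface", "owner": "clinical-engineering",
                 "handles_ephi": True, "patient_safety_impact": "moderate"}

SAFETY_WEIGHT = {"none": 0, "low": 1, "moderate": 2, "high": 3}  # assumed weights


def validate_sbom(sbom):
    """Intake check: return completeness findings (an empty list means accepted)."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if not sbom.get("specVersion"):
        findings.append("specVersion missing")
    components = sbom.get("components") or []
    if not components:
        findings.append("no components listed")
    for comp in components:
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"component missing {field}: {comp}")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"component {comp.get('name')} has no purl or cpe")
    return findings


def correlate(sbom, feed):
    """Match SBOM components to feed records on exact name and version."""
    index = {(v["name"], v["version"]): v for v in feed}
    matches = []
    for comp in sbom.get("components", []):
        vuln = index.get((comp.get("name"), comp.get("version")))
        if vuln:
            matches.append({**vuln, "component": comp["name"]})
    return matches


def prioritize(matches, context):
    """Rank by exploitability and ePHI/patient-safety exposure; CVSS is only a tiebreaker."""
    ranked = []
    for m in matches:
        score = 10.0 if m["in_kev"] else 0.0   # known exploited always sorts first
        score += 5 * m["epss"]                  # probability of exploitation
        score += 3 if context["handles_ephi"] else 0
        score += SAFETY_WEIGHT[context["patient_safety_impact"]]
        score += m["cvss"] / 10
        ranked.append({**m, "priority_score": round(score, 2)})
    ranked.sort(key=lambda r: r["priority_score"], reverse=True)
    return ranked


def evidence_pack(sbom, context, findings, ranked, as_of):
    """Audit-pack record an examiner could request: inventory, intake findings, open queue."""
    return {
        "as_of": as_of,
        "system": context["system"],
        "owner": context["owner"],
        "handles_ephi": context["handles_ephi"],
        "sbom_serial": sbom.get("serialNumber"),
        "component_count": len(sbom.get("components", [])),
        "intake_findings": findings,
        "open_vulnerabilities": [{"id": r["id"], "component": r["component"],
                                  "in_kev": r["in_kev"], "priority_score": r["priority_score"]}
                                 for r in ranked],
    }


if __name__ == "__main__":
    intake = validate_sbom(VENDOR_SBOM)
    queue = prioritize(correlate(VENDOR_SBOM, VULN_FEED), ASSET_CONTEXT)
    print(json.dumps(evidence_pack(VENDOR_SBOM, ASSET_CONTEXT, intake, queue, "2026-01-15"), indent=2))
```

Note the ordering the ranking produces: the KEV-listed, high-EPSS `openssl` finding outranks the `libxml2` finding despite the latter's higher CVSS score, which is the point of step four. The intake finding on `audit-export` is retained in the audit pack rather than discarded, so the gap in the vendor's SBOM is itself evidence.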
How does the Change Healthcare incident shape 2026 practice?
The 2024 Change Healthcare ransomware incident -- which affected roughly one-third of U.S. healthcare claims processing -- drove OCR to publish additional FAQs in 2024 on business associate obligations and to intensify enforcement. The incident exposed concentration risk: a single business associate compromise cascaded across thousands of covered entities. In 2026, concentration risk is part of the risk analysis required under 164.308, and supply chain security is examined with that context in mind.
What are the penalties and enforcement trends?
HIPAA civil monetary penalty tiers, updated for inflation in 2025, reach up to $2,134,831 per violation per year in the top tier. State attorneys general also enforce under HITECH. More importantly, OCR's Right of Access Initiative and Risk Analysis Initiative -- both ongoing -- have generated dozens of settlements each. The 2025 resolution agreements tied to inadequate risk analysis routinely include software inventory and vulnerability management deficiencies.
How Safeguard.sh Helps
Safeguard.sh provides the SBOM generation, intake, and continuous monitoring capabilities that covered entities and business associates need to meet the modernized HIPAA Security Rule, align with 405(d) practices, and manage medical device SBOMs from FDA-regulated vendors.
The platform generates SPDX and CycloneDX SBOMs for internally developed software that touches ePHI, ingests vendor and medical device SBOMs, and maintains a single searchable inventory of components across the clinical technology stack. Continuous correlation with NVD, CISA KEV, and EPSS exploitability data lets clinical engineering and infosec teams prioritize based on real-world risk rather than raw CVSS scores.
For OCR audit readiness, Safeguard.sh exports the evidence the Security Rule and 405(d) CPGs require: technology asset inventory, vulnerability remediation timelines mapped to patching policies, third-party monitoring records, and business associate SBOM receipt logs. For HDOs managing FDA-regulated medical devices, Safeguard.sh aligns with the FDA 524B framework so the same SBOM pipeline that supports HIPAA compliance also supports postmarket cybersecurity obligations. Healthcare organizations using Safeguard.sh replace dozens of manual processes with one operational platform that the Security Rule, 405(d), and FDA all recognize.