The Hypervisor Gap in Healthcare Security
If you run security for a healthcare organization, you’ve built real protection around the systems that obviously hold patient data: the electronic health record (EHR), email, the VPN, the cloud apps that handle ePHI. They have access controls, authentication, logging, and monitoring.
There’s one layer, though, that those safeguards usually don’t reach: the hypervisor, the software (VMware ESXi, for example) that runs the virtual machines your clinical systems depend on. It tends to get left out, and for most of the past decade there wasn’t a practical way to secure it to the same standard. HIPAA does not make an exception for it: the Security Rule covers any system that creates, receives, maintains, or transmits ePHI, and a hypervisor hosting EHR or imaging virtual machines does all of that. HIPAA compliant infrastructure therefore has to include the hypervisor, not only the systems running above it.
What HIPAA Asks of You Around Access
Within HIPAA regulations, the Security Rule comes down to a few clear obligations for electronic protected health information (ePHI): control who can reach it, confirm they are who they say they are, keep it intact and available, and encrypt it. Those obligations live in the technical safeguards at 45 CFR § 164.312 — access control, audit controls, integrity, person-or-entity authentication, and transmission security — and they apply today.
Soon they may apply more strictly. In January 2025 the U.S. Department of Health and Human Services proposed the largest update to the Security Rule since 2013. If it is finalized, it would require MFA on every system that handles ePHI, require encryption of ePHI at rest and in transit, and remove the “addressable” option that has let organizations document a reason to defer a control instead of putting it in place.
Put simply: HIPAA has always asked you to secure access to patient data, and the proposed update would make that expectation harder to set aside. The proposed HIPAA MFA requirements are part of a broader shift toward stronger, mandatory controls everywhere ePHI lives.
The Layer That Usually Gets Left Out
A lot rides on the hypervisor: the EHR, imaging systems, scheduling, billing, and the backups you would count on to recover. They all run as virtual machines, and the hypervisor controls those virtual machines. If an attacker reaches it, they do not have to enter each system separately — they are already beneath all of them.
This became a blind spot for a practical reason, not a careless one. Security controls matured first on the systems facing the internet — stronger authentication, monitoring, routine patching — while the hypervisor’s console and command line kept running on local passwords and ad hoc maintenance, because few tools could enforce anything better there. That left an open path into the base of your environment, and attackers now look for it.
Why Healthcare Keeps Getting Targeted
Healthcare data security is under more pressure than any other sector’s, and the numbers show why:
- Healthcare has had the highest breach costs of any industry for 14 years in a row, at an average of $7.42 million per breach, and it also takes the longest to detect and contain, at 279 days (IBM’s 2025 Cost of a Data Breach report).
- Ransomware aimed at the hypervisor rose from 3% of incidents to 25% during 2025, an increase of roughly 700% in attacks on this layer.
- Health-ISAC reported a 55% rise in healthcare cyber incidents in 2025 and named groups such as Qilin and Akira for their continued focus on VMware ESXi.
The 2024 Change Healthcare attack shows what that can look like. The BlackCat/ALPHV group, which has a record of targeting ESXi, reached more than 100 million people and disrupted close to a third of the U.S. healthcare system, holding up pharmacy orders, claims, and care for months. The initial entry was a remote-access portal protected by a password alone, with no MFA, as UnitedHealth’s CEO later told Congress.
These incidents tend to follow a similar path. Attackers reach the hypervisor with stolen administrator credentials or an unpatched flaw, force-stop the running virtual machines so their disk files are no longer locked, and then encrypt those files on the datastore in a single pass, taking every guest down at once. Endpoint tools rarely catch it: ESXi does not run the agents most EDR products depend on, and the encryption is carried out from the hypervisor’s own shell, beneath anything that runs inside the guests, so from the guests’ point of view nothing looks out of place until they stop.
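The sequence described above leaves a trace on the hypervisor itself: ESXi records commands typed in its shell in /var/log/shell.log, and a mass VM kill followed by an unknown binary run from /tmp is not something a legitimate maintenance session produces. The following is an added example, not code from the original page or from ZeroLock, showing detection logic over that pattern. The log lines are constructed to resemble shell.log entries, and the stage patterns, thresholds and window are illustrative assumptions rather than a vendor signature set.

```python
"""Flag an ESXi ransomware command sequence in /var/log/shell.log-style lines.

Stages looked for in one shell session (same pid and user):
  enumerate -> kill_vm (mass, to unlock the .vmdk files) -> tamper -> encrypt.
Alerts when a mass kill is followed by an encryptor-like execution
within a short window. Patterns and thresholds are assumptions for this
example; sample log lines below are constructed, not captured.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# shell.log line shape: "<ISO timestamp>Z shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# (stage, pattern over the command string). Assumed for illustration.
STAGES = [
    ("enumerate", re.compile(r"^(vim-cmd vmsvc/getallvms|esxcli vm process list)")),
    ("kill_vm", re.compile(r"^(esxcli vm process kill|vim-cmd vmsvc/power\.off)")),
    ("tamper", re.compile(r"^esxcli (network firewall set|system syslog config set|system account add)")),
    ("encrypt", re.compile(r"^(chmod \+x /(tmp|var/tmp)/|/(tmp|var/tmp)/\S+|openssl enc)")),
]

KILL_THRESHOLD = 5            # kills in one session within WINDOW = mass kill
WINDOW = timedelta(minutes=30)

# Constructed sample: one attacker session (pid 2098768) and one benign
# admin session (pid 2100001) that powers off a single VM.
SAMPLE_LOG = [
    "2025-03-02T03:14:07Z shell[2098768]: [root]: vim-cmd vmsvc/getallvms",
    "2025-03-02T03:14:30Z shell[2098768]: [root]: esxcli vm process kill --type=force --world-id=2099123",
    "2025-03-02T03:14:38Z shell[2098768]: [root]: esxcli vm process kill --type=force --world-id=2099210",
    "2025-03-02T03:14:46Z shell[2098768]: [root]: esxcli vm process kill --type=force --world-id=2099377",
    "2025-03-02T03:14:54Z shell[2098768]: [root]: esxcli vm process kill --type=force --world-id=2099402",
    "2025-03-02T03:15:02Z shell[2098768]: [root]: esxcli vm process kill --type=force --world-id=2099518",
    "2025-03-02T03:15:10Z shell[2098768]: [root]: esxcli vm process kill --type=force --world-id=2099640",
    "2025-03-02T03:15:40Z shell[2098768]: [root]: esxcli network firewall set --enabled false",
    "2025-03-02T03:16:02Z shell[2098768]: [root]: chmod +x /tmp/encrypt",
    "2025-03-02T03:16:05Z shell[2098768]: [root]: /tmp/encrypt /vmfs/volumes/datastore1",
    "2025-03-02T09:02:11Z shell[2100001]: [admin1]: esxcli vm process list",
    "2025-03-02T09:03:45Z shell[2100001]: [admin1]: vim-cmd vmsvc/power.off 12",
]


def parse(lines):
    """Yield (timestamp, pid, user, command) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["pid"], m["user"], m["cmd"].strip()


def classify(cmd):
    """Return the attack stage a command belongs to, or None."""
    for stage, rx in STAGES:
        if rx.search(cmd):
            return stage
    return None


def analyze(lines):
    """Return one alert dict per shell session showing mass kill + encryptor."""
    sessions = defaultdict(list)
    for ts, pid, user, cmd in parse(lines):
        stage = classify(cmd)
        if stage:
            sessions[(pid, user)].append((ts, stage, cmd))
    alerts = []
    for (pid, user), events in sessions.items():
        events.sort()
        kills = [e for e in events if e[1] == "kill_vm"]
        if not kills:
            continue
        first_kill, last_kill = kills[0][0], kills[-1][0]
        mass_kill = len(kills) >= KILL_THRESHOLD and last_kill - first_kill <= WINDOW
        encrypt_after = any(
            e[1] == "encrypt" and timedelta(0) <= e[0] - first_kill <= WINDOW
            for e in events
        )
        if mass_kill and encrypt_after:
            alerts.append({
                "pid": pid, "user": user,
                "start": events[0][0].isoformat(), "end": events[-1][0].isoformat(),
                "kill_count": len(kills),
                "stages": sorted({e[1] for e in events}),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Two caveats on using this in anger. It only sees the interactive pattern: an operator who wraps the same steps in one script or binary produces a single shell.log line, so the stronger control is to forward shell.log (and hostd/auth logs) to a collector off the host, since the local copy is typically encrypted or wiped along with the datastores. And a hypervisor that does not emit these lines at all, because SSH and the ESXi shell are disabled and access goes only through vCenter, is in a better position than one whose logging happens to catch the attack.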
How ZeroLock Maps to the HIPAA Security Rule
ZeroLock® is built for this layer. It is a preemptive hypervisor security platform that brings the kinds of safeguards you already apply elsewhere — authentication, integrity protection, recovery, and logging — down to the hypervisor itself, instead of leaving it to local passwords and periodic patching. For a compliance program, its controls line up with specific Security Rule provisions:
| ZeroLock control | How it helps you comply | HIPAA Security Rule provision |
|---|---|---|
| MFA on the ESXi console and command line | Verifies the identity of anyone reaching the hypervisor, where stolen admin credentials are most often used | Person or Entity Authentication — § 164.312(d) |
| Behavioral detection with automated rollback | Stops and reverses unauthorized encryption or changes to ePHI, keeping patient data intact and available | Integrity — § 164.312(c); Contingency Plan — § 164.308(a)(7) |
| Virtual patching | Lowers exposure from known, unpatched ESXi vulnerabilities without waiting for a maintenance window | Risk Management — § 164.308(a)(1)(ii)(B) |
| Logged, enforced control at the hypervisor | Creates audit-ready records of access and activity on a layer auditors increasingly review | Audit Controls — § 164.312(b) |
| Restricted hypervisor access | Limits the hypervisor to authorized users and blocks unauthorized use | Access Control — § 164.312(a) |
Some of the implementation specifications under these standards (the mechanism for verifying ePHI integrity in § 164.312(c)(2), for example) are “addressable” under the rule today, meaning you implement them or document why not, but the proposed update would make them mandatory. Mapping a real control to each one now is the difference between showing an auditor a finished safeguard and explaining an open item later.
The result is the same either way: the hypervisor stops being an open path to your patient data, and you can show exactly how it’s protected. For many healthcare organizations, that closes a gap they did not know was open.
“Security is layered—you have to secure every layer. And for us, the hypervisor was the one layer where our security did not meet our standards.”
—Executive Director of IT, large-scale U.S. healthcare institution
What’s Really at Stake
The cost is not only financial. When ransomware takes a hospital’s virtual infrastructure offline, ambulances are diverted, nearby hospitals absorb the overflow, and care suffers for patients who never knew an attack took place. Research on affected health systems has documented this effect, including lower survival rates in time-sensitive emergencies.
We know defenders are stretched. Healthcare security teams are asked to protect more with less, often handling today’s incident and tomorrow’s audit at the same time. Closing the hypervisor gap is one of the more direct, lower-effort gains in infrastructure security available to you, and it gives you clear, documented controls to point to when HIPAA compliance comes up.
See Where You Stand
If you are not sure whether your HIPAA safeguards reach the hypervisor, we are glad to help you find out — well before an audit or an incident forces the question.