The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has urged regulated entities to focus on system hardening as an important cybersecurity practice. System hardening involves customizing electronic information systems to reduce their attack surface and limit weaknesses and vulnerabilities, including through patching, removing or disabling unneeded software and services, and configuring security measures. For Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates, these actions support the HIPAA Security Rule requirement to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Creating security baselines with standardized security controls and settings for different types of electronic information systems is one step that can help protect ePHI. For additional details, refer to the January 2026 OCR Cybersecurity Newsletter.