
The Rise of Healthcare Cyber Threats
Over the past decade, cybersecurity breaches have dramatically increased across industries, with healthcare becoming a primary target. The devastating attack on Change Healthcare served as a crucial wake-up call for the entire sector. This incident directly prompted the Department of Health and Human Services (HHS) to issue a notice of proposed rulemaking (NPRM) in December 2024, designed to strengthen cybersecurity requirements throughout healthcare organizations.
This proposed rule follows the HHS Cyber Performance Goals introduced in 2023, clearly signaling a regulatory push for much stricter security measures industry-wide. Despite the HITECH Act being signed into law more than 15 years ago, cybersecurity experts widely agree that HIPAA regulations have not kept pace with the rapidly evolving landscape of modern cyberthreats.
Key Changes in the Proposed Regulations
The NPRM aims to eliminate longstanding ambiguity in the original HIPAA security rule while reinforcing essential safeguards for patient data protection. Key proposed changes include:
- Mandatory Implementation: Eliminating all “addressable” standards, making every security requirement fully mandatory for compliance.
- Comprehensive Asset Management: Requiring documented network diagrams, data transmission maps for electronic personal health information (ePHI), annual penetration testing, and vulnerability scans every six months.
- Formalized Security Programs: Implementing structured policies, accurate self-assessments, and documented risk registers for continuous security improvement.
- Enhanced Disaster Recovery: Establishing a strict 72-hour restoration requirement for all critical services following any disruption.
- Stronger Access Controls: Ensuring timely workforce updates and proper authentication protocols across all systems.
- Technical Safeguards: Mandating encryption, multifactor authentication, and robust anti-malware protections to safeguard sensitive patient data.
Implementation Timeline and Challenges
For many healthcare organizations still struggling with basic asset management and facing budget constraints, these comprehensive updates could represent a significant operational challenge. The NPRM is anticipated to move through Congress by mid-2025, though the timeline remains uncertain.
With ongoing leadership changes and a recent executive order temporarily pausing new regulations, it’s unclear whether these critical updates will take effect in 2025 or be pushed to 2026. Regardless of the final implementation date, the message to healthcare providers is unmistakable: strengthen your cybersecurity posture immediately or risk becoming the next breach headline.
Expert Insights: Proactive Cybersecurity Measures
Scott Mattila, CISO and COO of Intraprise Health (a Health Catalyst Company), offers valuable expertise on reducing cyber-risks in healthcare environments. He emphasizes that prescriptive, proactive measures are essential because they eliminate ambiguity and ensure organizations implement necessary controls to protect electronic protected health information.
“Historically, the open-ended nature of HIPAA regulations has led some organizations to interpret requirements subjectively rather than adopting the technical safeguards needed for robust security,” Mattila explains.
By leveraging established frameworks such as HITRUST and NIST, healthcare organizations gain clear expectations for achieving security maturity and resilience, significantly minimizing cyberthreat exposure. As one of Mattila’s colleagues aptly describes it: “It’s akin to maintaining good health – exercising, eating vegetables, and taking vitamins; in cybersecurity, we must plan and act for the future.”
Preparation Steps for Healthcare Organizations
With proposed security regulations approaching rapidly, hospitals and health systems should begin preparation immediately by:
- Engaging Leadership: Ensure all stakeholders understand upcoming changes and align on compliance strategies.
- Conducting Gap Analysis: Assess current security posture against proposed requirements, either internally or with specialized security vendors.
- Prioritizing Quick Wins: Tackle immediate improvements like strengthening access controls and improving governance protocols.
- Planning Larger Initiatives: Develop phased approaches for complex projects like network segmentation and comprehensive asset management.
- Evaluating Technology: Review current security tools to identify opportunities for consolidation or more integrated solutions.
- Building Vendor Partnerships: Work with trusted vendors who understand the evolving regulatory landscape to enhance compliance efforts.
Achieving Compliance with Critical Mandates
Compliance with crucial mandates should begin with identifying the most vulnerable areas within your organization and prioritizing risks accordingly. A cross-functional team approach ensures that both technical and operational aspects receive appropriate attention.
The NPRM isn’t merely about checking compliance boxes – it emphasizes prescriptive measures designed to protect against an increasingly complex threat landscape. A proactive, structured approach ensures that encryption, multifactor authentication, and vulnerability management become essential components of long-term security strategy rather than just regulatory obligations.
Business Associate Liability and Partnerships
The proposed rule significantly increases accountability for business associates, effectively removing the distinction between mandatory and addressable requirements. Business associates are now considered direct extensions of covered entities, bearing greater responsibility and liability for protecting patient information.
One major change is the expanded definition of business associates, now including more subcontractors handling PHI. This expansion means covered entities must implement stricter third-party risk management protocols and conduct more frequent security reviews of their partners.
Business associates must now notify covered entities of any PHI breaches within 24 hours and will face direct enforcement actions for non-compliance with the HIPAA Security Rule. For these organizations, proactive alignment with covered entities on security expectations, strengthened internal controls, and comprehensive HIPAA compliance programs are no longer optional but essential to avoid potentially severe regulatory penalties.