As regulators weigh updates to the HIPAA Security Rule, healthcare leaders are pushing for a framework that strengthens cybersecurity without creating impractical mandates.
By Alyx Arnett
For the first time in over a decade, federal officials are proposing major changes to the HIPAA Security Rule. The US Department of Health and Human Services Office for Civil Rights published the notice of proposed rulemaking in the Federal Register on Jan 6, 2025. On paper, the intent is hard to argue with: strengthening cybersecurity to defend healthcare from escalating attacks. In practice, critics say the lengthy draft could create impractical requirements without actually improving security.
Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, told me that industry feedback was overwhelmingly skeptical. “It’s vague, it’s costly, [and] it’s unclear, in some cases, whether certain requirements actually would improve cybersecurity,” he says. “The public comment period showed a whole lot of concern, including among my members… many of them the big hospitals [and] the big medical device companies. We looked at that and said, ‘It’s actually not really grounded in reality.’”
Those concerns were echoed in formal comments from the Healthcare Information and Management Systems Society (HIMSS), which urged the Office for Civil Rights to adopt a more scalable approach that takes into account the realities of small practices, rural providers, and other under-resourced entities. HIMSS warned that prescriptive requirements—such as mandatory penetration testing, documenting failed breach attempts, and detailed technology inventories—could add cost and administrative burden without meaningfully improving security.
Rather than pushing through a rigid regulation, Garcia and the HSCC Cybersecurity Working Group have proposed an alternative: a one-year consultation between federal officials and healthcare stakeholders to negotiate a framework of sound cybersecurity practices. The idea is modeled after Executive Order 13636 (2013), which directed the National Institute of Standards and Technology (NIST) to convene industry and government leaders to create the NIST Cybersecurity Framework. That process produced a widely used framework that still guides enterprise cybersecurity today.
“A successful consultative process will lead to government promulgating expectations for industry accountability to ‘the what’—measurable cybersecurity outcomes—and the industry determining ‘the how’—specific governance and technical controls we should be held to,” Garcia said during testimony before the House Energy and Commerce Oversight and Investigations Subcommittee earlier this year. “Then together industry and government will be aligned to a framework that is flexible, measurable, accountable, and effective, ultimately serving patient safety and infrastructure resilience.”
That flexibility is vital. Cyber threats and defenses evolve quickly. Ten years ago, multi-factor authentication was uncommon; in another five years, AI-driven tools may render today’s controls outdated. Locking specific technical measures into regulation could make them obsolete before they’re even in place. A collaborative framework would instead establish expectations for outcomes—secure systems, resilient recovery, and accountability—while leaving room for methods to adapt.
Just as important is who those expectations apply to. The Security Rule applies to covered entities and their business associates, but patient data also flows through device manufacturers, electronic health record vendors, payers, and third-party technology providers. Any one of these can serve as an entry point for attackers, another reason industry groups prefer a sector-wide framework over hospital-centric fixes.
“That’s part of the problem with this HIPAA [proposal], that it’s really only looking at hospitals,” Garcia says. He argues that the very name “HIPAA Security Rule” reflects that narrow focus. HIPAA was designed to protect health information, not to safeguard every corner of the healthcare ecosystem. If a new framework is to succeed, it should be developed and branded as something broader—one that makes clear it applies across the entire sector.
In the meantime, organizations aren’t without guidance. HHS’s Healthcare and Public Health Cybersecurity Performance Goals (2024) lay out voluntary “essential” and “enhanced” safeguards that hospitals can prioritize now while broader policy discussions continue. They specifically target three areas most often exploited by attackers: unpatched systems, insecure third-party connections, and phishing. Addressing these gaps today would strengthen defenses without waiting for regulation to settle.
The Trump Administration’s regulatory agenda now points to May 2026 for a final Security Rule, but Garcia says that doesn’t mean the collaborative framework proposal is off the table. He remains hopeful industry and government can still come together.
The question isn’t whether to hold the sector accountable, but how to do it in a way that lasts. A rule pushed forward without deeper consultation may look like action, but a collaborative framework is more likely to deliver the security patients and providers can count on.