Navigating the New Federal Security Standards for Hospitals
By Dr. Scott Schell, Chief Medical Officer, Cognizant
As cyber threats become increasingly sophisticated, proposed updates to federal healthcare cybersecurity standards have reignited debate across the industry. Introduced in December 2024, these regulations represent the first significant update to the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule, aiming to address the advent of AI, quantum computing, and virtual reality. These changes mandate that HIPAA-covered entities encrypt data, implement multifactor authentication, and conduct regular security audits. Additionally, they require written procedures to restore critical information systems and data within 72 hours of a security incident.
The comment period for the proposed rule closed in early March 2025, with more than 4,000 responses submitted. The healthcare sector is watching closely, yet even as the future of the rule remains uncertain, one thing is clear: cyberattacks are not waiting on legislation. The pressure to modernize cybersecurity infrastructure is mounting, and hospitals, especially smaller ones, face real challenges in doing so cost-effectively. The Department of Health and Human Services (HHS) estimates that the first-year costs of complying with the new standards will total approximately $9 billion, with annual costs for years two through five estimated at $6 billion.
Large regional or multi-state healthcare systems have robust IT departments, which small hospitals cannot afford. Even the largest healthcare systems struggle with limited access to IT talent while their staff must maintain daily operations. How can these systems comply with new federal standards?
How Healthcare Systems Can Implement the New Standards
- Staff Augmentation: Healthcare providers can bolster their IT departments with flexible staffing solutions, ensuring they have the necessary resources to implement and maintain the new security standards. For example, hospitals may work with managed service providers (MSPs) to bring in specialized security staff, hire health IT consultants for short-term projects, or engage freelance talent for specific needs like network security, compliance audits, or cloud migration. This approach allows healthcare providers to scale their IT workforce as needed and tap into global talent pools to fill skill gaps and ease resource constraints. Staff augmentation gives access to a large pool of skilled professionals with specific healthcare industry experience, which is particularly helpful for addressing short-term talent needs, filling skill gaps on projects, or executing time-sensitive tasks tied to compliance deadlines.
- Advanced Tools and Technologies: Using advanced IT security and AI technologies can enhance cybersecurity measures, protect patient information, and ensure compliance with the new regulations. Tools like AI-driven threat detection systems, for example, can monitor network activity and flag anomalies in real time to reduce the burden on overstretched IT teams. Automated response mechanisms can contain breaches faster, while advanced encryption technologies can safeguard sensitive information, as required by the proposed regulations. For hospitals with limited in-house expertise, AI can also improve patient care and streamline administrative processes. The HHS Strategic Plan emphasizes the responsible use of AI to improve health outcomes, increase access to services, and optimize public health.
- Program Management and Testing: Effective program management and testing services are the key to smooth implementation of, and compliance with, these new regulatory standards. This includes developing and maintaining a technology asset inventory, conducting regular security audits, and ensuring all systems are up to date with the latest security protocols. Prioritizing regular testing and validation of security measures can help identify vulnerabilities and provide robust protection against cyber threats. Healthcare providers should implement formal risk assessment frameworks to uncover weak points before they can be exploited. Tabletop exercises and incident response simulations can help clinical and IT teams practice coordinated responses to cyberattacks, driving accountability and minimizing downtime if a real incident occurs.
- Resilience and Continuity: A robust service provider with a proven track record of providing disaster recovery services is essential for helping healthcare systems recover quickly and minimize disruptions during a cyber incident. Comprehensive disaster recovery plans should include data backup strategies, system restoration procedures, and contingency plans to ensure business continuity during and after a cyberattack. These plans should also define communication protocols to reduce confusion and delays during response efforts. Effective disaster planning provides several benefits that together strengthen a healthcare organization’s overall recoverability and resiliency.
The new federal cybersecurity standards pose formidable challenges but are necessary steps toward safeguarding patient information and ensuring the resilience of healthcare infrastructure. Adopting these changes will enable healthcare providers to leverage advanced technologies and comprehensive services, allowing them to forge ahead with their mission of delivering quality patient care.