Why Stronger Mandates Are Necessary and Why Action Cannot Wait
By Russell Teague, CSSO, Fortified Health Security
Healthcare organizations are being urged to prepare for an update to the HIPAA Security Rule expected in the early part of this year. The proposed changes would require mandatory twice-annual vulnerability scanning, annual penetration testing, and formal verification of Business Associate security through expert analysis and certification.
While the direction of the rule is clear, the timeline is less certain. Based on the volume and intensity of industry feedback during the comment period, the proposed update is more likely to be delayed than fast-tracked. However, a potential delay should not be misinterpreted as a lack of necessity. In fact, the resistance itself underscores why stronger regulatory mandates are required.
Why the Proposed Rule Change Is Necessary
The proposed HIPAA Security Rule update does not introduce new or unreasonable cybersecurity expectations. Vulnerability scanning, penetration testing, and third-party risk validation are foundational elements of any mature cybersecurity program and have been standard practice in other regulated industries for years.
Healthcare, however, has largely operated under a different standard.
The existing HIPAA Security Rule provides baseline guidance rather than a true cybersecurity framework. Its flexibility around what is considered “reasonable and appropriate” has resulted in wide variability in implementation, limited validation, and an overreliance on documentation rather than demonstrable security outcomes. That approach has not kept pace with the threat landscape.
The proposed rule reflects a necessary shift from subjective interpretation to objective, repeatable, and defensible security practices. It does not raise expectations beyond what healthcare delivery organizations should already be doing. It formalizes accountability that has long been absent.
HIPAA Is Not a Cybersecurity Framework
One of the most persistent misconceptions in healthcare is that HIPAA compliance equates to cybersecurity maturity. It does not.
HIPAA was never designed to function as a comprehensive cybersecurity framework. It lacks the structure, rigor, and continuous risk management disciplines required to manage modern threats across complex healthcare environments that include cloud platforms, medical devices, third-party vendors, and highly interconnected clinical systems.
Healthcare delivery organizations should have adopted established cybersecurity frameworks, such as NIST, years ago. These frameworks provide the governance, measurement, and continuous improvement mechanisms that HIPAA alone cannot. Treating HIPAA as the ceiling rather than the floor has left many organizations exposed and unprepared.
The proposed rule does not replace the need for a true framework. It exposes the consequences of failing to adopt one.
Accountability Must Shift to Organizational Leadership
Much of the opposition to the proposed rule centers on cost, staffing challenges, and operational burden. These pressures are real, particularly for resource-constrained organizations. However, they do not absolve leadership of responsibility.
Cybersecurity incidents in healthcare are rarely the result of unknown risks. They are the result of deferred investment, underfunded programs, and repeated decisions to prioritize short-term financial pressures over long-term operational resilience. When those decisions lead to breaches or system outages, the impact is not theoretical. Care is delayed. Services are disrupted. Patients are affected.
At a certain point, the failure to invest in known cybersecurity controls becomes willful neglect. Accountability must extend beyond technical teams and land squarely with executive leadership and governing bodies.
The proposed HIPAA Security Rule update begins to place responsibility where it belongs.
Delay Should Not Mean Inaction
Even if the rule is delayed, the direction is unmistakable. Cyber threats are escalating, not stabilizing. Ransomware attacks, third-party breaches, and prolonged system outages are now routine events that directly disrupt clinical operations.
Regulators are responding to evidence, not speculation.
A delayed rule should be viewed as a narrowing window for preparation, not relief from obligation. Organizations that wait for final language or enforcement deadlines will be less prepared and face higher costs when compliance becomes mandatory.
What Healthcare Organizations Must Do Now
Preparation should begin immediately, regardless of regulatory timing.
Healthcare delivery organizations should adopt a recognized cybersecurity framework and align their programs accordingly, using HIPAA as a baseline rather than a strategy. Vulnerability management must be operationalized as a continuous discipline with clear ownership, prioritization tied to clinical impact, and documented remediation decisions.
Penetration testing should be treated as an executive-level governance exercise. Leadership must understand scope, risk tolerance, and how findings inform funding and strategic decisions.
Third-party risk management must move beyond self-attestation. Organizations should identify which Business Associates pose material operational risk and be able to demonstrate independent validation of their security posture.
These actions are not advanced enhancements. They represent the minimum standard for protecting modern healthcare operations.
Cybersecurity Is a Patient Safety and Resiliency Imperative
Cybersecurity failures increasingly translate into care disruption. When systems are unavailable, patients wait. Procedures are delayed. Trust is eroded. Cyber risk has become inseparable from patient safety and operational resiliency.
Investment in cybersecurity maturity is no longer discretionary. It is foundational to care delivery.
Closing the Loop on Readiness
Whether the proposed HIPAA Security Rule update is finalized this year or delayed by industry resistance, the expectations it sets are already clear. Healthcare organizations must be able to demonstrate objective, repeatable, and defensible cybersecurity practices.
To prepare now, organizations must move beyond treating HIPAA as a cybersecurity framework, adopt established frameworks such as NIST, institutionalize vulnerability scanning and penetration testing, and validate third-party risk through independent analysis. Most importantly, leadership must be held accountable for sustained cybersecurity investment.
The proposed rule change is necessary precisely because voluntary guidance has failed. Delay does not reduce risk. It only postpones accountability.
Organizations that act now will not only be better positioned for compliance, they will be more resilient, more defensible, and better equipped to protect patient care in an increasingly digital healthcare system.