Congress Aims to Improve Cybersecurity Standards in Healthcare
Newly proposed federal legislation, titled the Health Infrastructure Security and Accountability Act (HISAA), instructs the Department of Health and Human Services (HHS) to establish minimum cybersecurity requirements for the healthcare industry.
Attorney Insight: Effective Incident Response Planning
Cybersecurity threats often surface with little to no warning, catching organizations off guard and forcing them into a reactive posture. Many companies feel confident in their level of preparedness, but the true measure of that readiness is exposed only when a cyber incident occurs. Without a functional and practiced Cyber Incident Response Plan (CIRP), even the best intentions can fall short, leaving businesses vulnerable when it matters most.
Lessons from Change Healthcare
Based on years of experience guiding healthcare companies through catastrophic ransomware incidents, we highlight a few takeaways from the Change incident and what this could mean for the future of cybersecurity standards in the healthcare industry.
The SEC’s New Cybersecurity Rules: Overview and Considerations
Businesses navigating the new SEC cybersecurity requirements must prioritize risk management, incident reporting, and governance. The new SEC rules demand comprehensive disclosures and a proactive stance on digital threats, underscoring the importance of readiness and strategic compliance planning. Key focuses include enhancing data protection practices and ensuring timely, transparent communication with investors.
Healthcare Organizations Beware: Online Tracking Technologies Remain a Point of Emphasis
The OCR's 2024 guidance surrounding the use of online tracking technologies by healthcare entities addresses the balance between digital innovation and patient privacy, focusing on compliance with PHI disclosures and marketing practices. Entities must review online tracking usage, ensure HIPAA-compliant authorizations, and enhance privacy measures. This guidance mandates a proactive approach to safeguard patient data amidst evolving digital landscapes, urging healthcare providers to align technology use with stringent HIPAA standards for data protection and privacy.