Industry pushback grows against HIPAA Security Rule proposal
Tshedimoso Makhene
Apr 11, 2025 6:54:23 AM

Healthcare industry leaders, including the HSCC Cybersecurity Working Group, are urging the Trump administration to abandon the proposed HIPAA Security Rule updates.
What happened
The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has joined a growing chorus of healthcare industry stakeholders opposing the Department of Health and Human Services' (HHS) proposed updates to the HIPAA Security Rule. Published in the Federal Register in January 2025, the Notice of Proposed Rulemaking (NPRM) has sparked debate over whether its provisions are practical or effective in improving healthcare cybersecurity.
Going deeper
The HSCC CWG called on the Trump administration to suspend the NPRM in its current form and instead initiate a one-year consultation period with industry leaders. This would aim to build consensus on how to strengthen cybersecurity, resilience, and accountability across the healthcare sector.
Greg Garcia, Executive Director of the HSCC, elaborated on the group’s position during an April 1 testimony before the House Energy and Commerce Oversight and Investigations Subcommittee. The hearing focused on cybersecurity risks associated with legacy medical devices.
What was said
The HSCC's policy statement criticized the NPRM, stating the proposed updates are “not practicable or effective.” It added, “While we cannot say that these recommended controls are yet as widely adopted as we know they will be with government amplification, leaders in the health sector have forged these recommendations with the recognition that they are affordable, scalable, implementable and effective.”
The group also expressed concern that the NPRM "either dismisses these important developments or mischaracterizes their potential for measurable improvement."
Financial feasibility emerged as another sticking point. HHS estimates the first-year implementation costs at around $9 billion, with an additional $6 billion per year for the following four years. However, the HSCC warned that these numbers are likely underestimated. “A considerable number of the 52 CWG member industry associations... have made their concerns clear... about the cost and complexity of implementing the rule and the dubious effectiveness that compliance could achieve at improving security,” the statement said.
Instead of moving forward with the NPRM, the HSCC proposed a process modeled after the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), calling for a collaborative development of a healthcare-specific regulatory model.
“A successful consultative process will lead to government promulgating expectations for industry accountability to ‘the what’ — measurable cybersecurity outcomes — and the industry determining ‘the how,’” Garcia said in his testimony [adapted from TechTarget].
In the know
The HIPAA Security Rule, originally crafted to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI), has long been considered flexible and technology-agnostic. However, as cyber threats have evolved, this flexibility has left gaps in protection. The proposed 2025 updates aim to modernize the rule by introducing more stringent and specific cybersecurity requirements.
Key changes include:
- Mandatory encryption of ePHI both at rest and in transit to prevent unauthorized access.
- Multi-factor authentication (MFA) for all systems handling ePHI.
- Network segmentation to prevent attackers from moving laterally within healthcare networks.
- Regular vulnerability scanning (at least every six months) and penetration testing (at least annually) to identify and remediate security weaknesses proactively.
- Compliance audits at least every 12 months to verify continued adherence to the updated standards.
- Enhanced incident response and contingency planning, including a requirement to restore critical electronic information systems and data within 72 hours of a loss.
Go deeper: HHS proposes updated HIPAA security rule
Why it matters
The outcome of this regulatory debate could have sweeping implications for how hospitals, clinics, and health IT providers secure their systems against growing cyber risks. Industry groups argue that, if adopted as proposed, the NPRM would impose costly and complex requirements on a sector already grappling with limited resources, and that a consensus-driven approach would better balance accountability and practicality while still safeguarding patient data and healthcare infrastructure.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is the HIPAA Security Rule?
The HIPAA Security Rule is a federal regulation designed to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). It sets standards for protecting patient data from unauthorized access and breaches.
Who is required to comply with the HIPAA Security Rule?
Covered entities (like hospitals, clinics, and health insurance providers) and their business associates (such as IT vendors and billing companies that handle ePHI) must comply with the Security Rule.
What are “addressable” and “required” implementation specifications in HIPAA?
Under the current rule, “required” specifications must be implemented as written, while “addressable” ones allow an organization to implement an equivalent alternative measure (or document why the specification is not reasonable and appropriate) based on its size, resources, and risk profile. The proposal removes this distinction, making all implementation specifications required, with only specific, limited exceptions.