
Tension between uniformity and flexibility in health-sector cybersecurity

“On one hand, the HISAA would provide for consistent standards and a more proactive approach to address cybersecurity and breach risk (i.e., set the baseline). This approach is consistent with the proposed HIPAA Security Rule update’s move away from ‘addressable’ implementation specifications to requirements,” says Brent Hoard, partner in the Privacy + Cyber practice group at Troutman Pepper Locke.

“On the other hand, health care is a diverse ecosystem. A large hospital system will have different needs than a small medical practice or pharmacy. Minimum security standards could result in under- or over-protection depending on an entity’s size, risk profile, data footprint, and other factors. The HISAA would also layer material administrative burdens on an already heavily regulated industry. To that end, the OCR has recently started to focus enforcement efforts on the existing risk analysis requirement under the Security Rule. I think enforcement of existing requirements, together with targeted modernization of the rule, would be a less onerous alternative.”  

Hoard’s remarks capture a central dilemma in healthcare cybersecurity regulation today: how to impose consistent, enforceable security baselines without suffocating the varied realities of hospitals, clinics, pharmacies, and other providers. On one side, HISAA (the proposed Health Infrastructure Security and Accountability Act) promises to bring discipline, predictability, and regulatory teeth to cyber risk in healthcare. On the other, critics worry that a “one-size-fits-all” regime might misfire, either by being too weak for large, complex systems or too onerous for small practices.

Hoard also points to a practical alternative: lean harder on enforcement of existing HIPAA rules (especially the risk analysis requirement) while modernizing parts of the regulation. That approach might achieve many of the same goals without the full weight of sweeping new legislation.


Why many favor a baseline approach

Raising uneven security floors

One compelling rationale for HISAA’s baseline is that it reduces unevenness across the ecosystem. As Hoard puts it, “set the baseline” is a way of preventing the weakest links, be they small practices, vendors, or rural facilities, from dragging down the system’s overall resilience.

This rationale finds echoes in regulatory thinking. The OCR’s Risk Analysis Initiative itself reinforces that proper risk analysis is a linchpin for effective cybersecurity. According to the OCR, a risk analysis is “the foundation for effective cybersecurity practices and the protection of ePHI.” 

This view indicates that without a standardized expectation of baseline competence, too many entities may disregard or under-invest in core safeguards.


Proactive rather than reactive regulation

Hoard and proponents of HISAA see value in shifting from a posture of response to one of prevention. That mirrors broader trends: as threats escalate in sophistication and volume, many experts argue a reactive, after-the-fact approach is inadequate.

The Biden administration took note of this shift in 2024. Reuters reported that the administration proposed cybersecurity rules to tighten health data protections, in part by requiring encryption and compliance checks. “Hospitals have been forced to operate manually … the healthcare information of more than 167 million people was affected in 2023,” said Anne Neuberger, U.S. deputy national security advisor for cyber. 


Stronger deterrence via enforcement

Hoard suggests that HISAA’s “material administrative burdens” are a concern, but one counterpoint is that the added enforcement capability itself is the deterrent needed to push laggards to improve. HISAA would remove caps on penalties and require executive accountability, making noncompliance riskier.

Indeed, the ongoing enforcement under HIPAA is already exercising this lever. OCR’s enforcement actions under its Risk Analysis Initiative show how penalties for deficient risk analysis are emerging as a major regulatory tool. 



The counterpoint: One size rarely fits all

Where Hoard’s caution is sharpest is in recognizing that large hospitals and small practices differ dramatically. That variance complicates a regime that imposes uniform standards.


Small entities versus large systems

Under HISAA, a small clinic might have to comply with the same audit, attestation, and stress-testing obligations that a multi-hospital system must. That could allocate scarce compliance resources inefficiently or even drive smaller practices to consolidate or outsource just to manage the burden.

Similarly, overly minimal baselines may be insufficient for large systems that face more sophisticated attackers or manage broad digital footprints. A mandatory baseline might become a ceiling rather than a floor for large, high-risk entities.


Compliance theater risk

When regulation mandates formality, audits, attestations, and stress tests, organizations may focus on checking boxes rather than improving true security posture. The danger is that compliance becomes symbolic rather than substantive. In the words of Mitchell Parker, CISO at Temple Health: “You can say you make systems secure and compliant. Or you can have operational checks and balances to make sure they actually stay compliant.” 

If enforcement is overly focused on documented compliance rather than real resilience, we may see a proliferation of theater rather than security.


Regulatory rigidity and evolving threats

Regulations inherently lag behind emerging threats. If baseline standards are codified too rigidly, organizations may find themselves constrained from adopting new architectures or emerging safeguards. Security norms change fast: cloud models, zero trust, AI-driven defenses, and evolving supply chain threats all reshape what “adequate” protection looks like, and a static baseline written for today’s controls may leave no room for tomorrow’s.

Regulatory design must account for this dynamism, lest the baseline become stale or counterproductive.


Enforcement and modernization of existing rules

Hoard’s suggestion to lean harder on existing HIPAA rules, especially risk analysis, reflects real momentum in regulatory practice. 


OCR’s Risk Analysis Initiative in practice

In October 2024, OCR launched a dedicated “Risk Analysis Initiative” to zero in on entities’ compliance with the risk analysis requirement under the HIPAA Security Rule. The agency noted that many entities’ risk analyses were incomplete, often lacking comprehensive inventories of ePHI locations or threat assessments. Since that launch, OCR has announced multiple enforcement actions.

More broadly, OCR has stated it will investigate whether entities have proof of an up-to-date, thorough risk analysis in any breach or complaint review. 

According to an article published by Feldesman, in its first six months, the initiative produced at least seven enforcement actions. 

OCR’s posture sends a clear signal: risk analysis is no longer optional or perfunctory, but foundational and enforceable.


Legal and practitioner perspectives

Legal observers and counsel echo this focus. Legal counsel Gayland Hethcoat remarked, “In most of the Risk Analysis Initiative enforcement actions to date, the CE [covered entity] or BA [business associate] … failed to conduct a sufficient risk analysis (if at all).” And, “OCR’s position is that compliance with the risk analysis requirement is the linchpin to preventing these breaches.” 

In a recent enforcement action involving a CPA firm, OCR Director Paula Stannard said: “A HIPAA risk analysis is essential for identifying where ePHI is stored and what security measures are needed to protect it. Completing an accurate and thorough risk analysis is a foundational step to mitigate or prevent cyberattacks and breaches.”

These statements echo the logic behind HISAA’s baseline: unless we establish minimum expectations for risk analysis, many entities may never cross a threshold of adequacy.



FAQs

Why is HISAA being proposed now?

The proposal stems from an increase in healthcare ransomware attacks and data breaches.


What concerns have experts raised about HISAA?

Experts, including Brent Hoard, caution that HISAA could result in “under- or over-protection” depending on an organization’s size and risk profile.


Would HISAA replace HIPAA?

No. HISAA would complement and strengthen HIPAA, not replace it. It aims to modernize existing standards and close regulatory gaps that cybercriminals have exploited in recent years.