The future of healthcare cybersecurity is at a turning point as organizations face new, stricter regulations, workforce challenges, and evolving threats.
Fortified Health Security’s Executive Director, Government Affairs, Kate Pierce, recently appeared on This Week Health’s podcast, Unhack the News, to discuss her cybersecurity predictions for what’s ahead in regulations, talent gaps, and federal updates, and the implications these can have on the healthcare ecosystem nationwide.
New York’s Game-Changing Cybersecurity Regulations
New York State is leading the way in cybersecurity standards with newly mandated regulations that are considered game-changers, as they go beyond HIPAA’s outdated framework. These rules require every hospital, almost 200 total in the state, to appoint a Chief Information Security Officer (CISO). Unlike before, this role must be filled by a qualified professional who can manage a robust cybersecurity program.
“Everything they are calling for is not too far out of CPGs out there – they are just saying it’s not voluntary, it’s mandatory,” Pierce emphasized during the podcast.
These regulations represent a significant financial burden for many hospitals, so the state has allocated $650 million to support them, introducing funding tiers based on hospital size to ensure resources are distributed fairly:
- Small Hospitals: Fewer than 10 inpatient beds, $50,000–$200,000 in funding.
- Medium Hospitals: 10–100 beds, $200,000–$500,000.
- Large Hospitals: Over 100 beds, up to $2 million annually.
National Implications
New York’s regulatory leadership could set a precedent for others. Pierce predicts states like California, Colorado, and Massachusetts could be next, signaling a nationwide push toward stricter cybersecurity regulation.
“I think New York has always been the leader in regulatory items,” Pierce noted, suggesting that this move might inspire federal action as well.
Such developments could accelerate the adoption of advanced cybersecurity frameworks across the U.S., enhancing the overall security posture of healthcare organizations.
Insights from the HIMSS Cyber Panel
The HIMSS Cyber Panel, held in November, highlighted another pressing issue: the critical shortage of cybersecurity professionals.
Despite increased awareness and initiatives, the 2024 ISC² report reveals a worldwide gap of 500,000 cybersecurity workers, with healthcare being one of the most affected sectors.
“The workforce gap is one of our biggest challenges,” Pierce explained. This shortage creates immense pressure on existing staff, particularly CISOs, who face high levels of stress and burnout.
To combat this, Pierce suggests, healthcare organizations must:
- Promote Work-Life Balance: Offering flexible schedules and mental health support.
- Invest in Upskilling: Providing training in emerging areas such as artificial intelligence and cloud security.
- Foster Inclusive Cultures: Building environments that support diversity and collaboration.
Women in Cybersecurity: Unlocking Untapped Potential
Despite progress, women remain significantly underrepresented in cybersecurity, comprising just 24% of the workforce. Pierce discussed the historical perception of cybersecurity as a male-dominated field.
“Historical mindset this is a male job, world,” she said. “We can’t change that overnight.”
However, initiatives like Women in Cybersecurity (WiCyS) are creating pathways for women, offering mentorship and networking opportunities. These programs are critical for broadening the talent pool and addressing the workforce gap.
HIPAA Security Rule: Overdue for an Overhaul
The outdated HIPAA Security Rule, which hasn’t been revised in 23 years, is also leaving healthcare organizations as prime targets for criminals. The rule’s failure to keep pace with today’s evolving threats leaves healthcare organizations vulnerable to ransomware, phishing schemes, and other advanced attacks.
But there is hope. In October 2024, the Department of Health and Human Services (HHS) proposed updates to the Security Rule, with a public comment period expected in early 2025. Pierce expressed optimism about these changes, emphasizing their bipartisan support and their potential to modernize healthcare security.
“These updates are long overdue,” she said. “They reflect a growing consensus that healthcare cybersecurity needs a significant overhaul.”
Building a Resilient Healthcare Future
As Pierce emphasized on the podcast, the evolving regulatory landscape and workforce challenges highlight the urgency for healthcare organizations to prioritize cybersecurity. New York’s proactive measures provide a blueprint for the nation, ensuring that hospitals remain resilient in an increasingly hostile cyber environment. The time to act is now—patient safety depends on it.
To hear more about her cybersecurity predictions for 2025, you can listen to the podcast in its entirety here.