At Fortified Health Security, we are encouraged by the Department of Health and Human Services’ (HHS) continued commitment to advancing cybersecurity across the healthcare sector. The proposed updates to the HIPAA Security Rule represent a significant step forward, ensuring providers adopt best-practice measures proven to protect healthcare networks against evolving cyber threats.
As demonstrated by HHS’s Cyber Performance Goals (CPGs) introduced earlier in 2024, there is a clear directive: healthcare organizations must meet defined industry standards to safeguard critical infrastructure. These updates send a strong message—cybersecurity is no longer optional; it is essential.
A Proactive Approach to Cybersecurity Compliance
While the proposed additions to HIPAA are promising, it’s important for health delivery organizations to recognize them as a preview of future regulatory compliance requirements. Waiting until these measures are mandated could lead to unnecessary risks, including exposure to fines, penalties, and vulnerabilities that jeopardize patient safety.
“Why wait? Act now and get ahead of the mandates,” says Russell Teague, Fortified’s Chief Information Security Officer (CISO). “If you’re going to do something that is going to be mandatory anyway, save yourself from being involved in fines and penalties and being managed by the OCR. Start your annual security reviews now; you should already be doing them either internally or externally with a provider. For most organizations that are struggling with skills, an external provider is a great place to start.”
Teague’s advice underscores the importance of immediate action. Many of these measures, such as identity and access management (IAM) and multi-factor authentication (MFA), have been standard in other industries for years because of their proven efficacy. MFA alone can prevent 99.9% of automated attacks, a staggering statistic that proves its value as a foundational security tool.
Tackling Common Cybersecurity Gaps with Resources
Healthcare organizations cannot underestimate the time it takes to implement meaningful change. Bureaucracy often slows the adoption of critical measures, and that delay creates an opportunity for cybercriminals to exploit vulnerabilities. The consequences are dire, with patient safety, operational stability, and financial resources hanging in the balance.
Fortunately, providers don’t have to wait for mandates to start strengthening their defenses. Resources such as the HHS 405(d) Health Industry Cybersecurity Practices (HICP) and the CPGs offer practical, NIST-aligned guidance for closing common security gaps. By leveraging these resources and engaging with an MSSP now, organizations can reduce their risks while preparing for inevitable compliance requirements.
Laying the Foundation for a Stronger Cybersecurity Program
Teague emphasizes the importance of building a strong foundation to support long-term cybersecurity initiatives. “Use this time wisely; start working on it immediately,” he advises. “Work on your policies and procedures; that’s a low-cost item. Start getting your organizational structure together to figure out how you are going to be managing cyber risk at the enterprise level. Get your risk management committees formed. If you establish the foundational elements, then those committees can assist in making the right decisions that drive the funding you need to improve your cybersecurity program.”
These foundational elements, including a comprehensive risk management plan and clear governance structures, are critical for navigating the increasingly complex cybersecurity landscape. With the right committees and processes in place, organizations are better equipped to make informed decisions, prioritize investments, and secure the funding necessary to scale their cybersecurity programs.
Why Acting Now Is Critical
Healthcare organizations have a unique responsibility to protect their networks, systems, and patient data from cyber threats. The stakes are high, and the timeline for compliance is narrowing. Waiting for regulatory deadlines to act is no longer a viable strategy. Cybercriminals are opportunistic, and they will continue to exploit gaps in basic security measures as long as they exist.
By starting now, whether through internal efforts or external partnerships, providers can mitigate risks and prepare for the future. The time to act is not tomorrow or next year; it is today.
At Fortified Health Security, we stand ready to help healthcare organizations navigate these challenges and build stronger, more resilient cybersecurity programs. Together, we can secure the future of healthcare.