Skip to content
MarketScale
‹ Back to IndustriesHealthcare

Get Ahead of New Healthcare Cybersecurity Standards

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required hospital networks, clinics, and research institutes to meet strict healthcare cybersecurity standards. But complying with the new Strengthening American Cybersecurity Act may be a whole new level of challenge. The bill, enacted on March 15, takes a carrot and stick approach to security. It…

This story was produced through MarketScale. See how Healthcare teams put it to work with Executive Thought Leadership.

Share

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required hospital networks, clinics, and research institutes to meet strict healthcare cybersecurity standards. But complying with the new Strengthening American Cybersecurity Act may be a whole new level of challenge.

The bill, enacted on March 15, takes a carrot and stick approach to security. It comprises three distinct acts. The Federal Information Security Modernization Act of 2022 and the Federal Secure Cloud Improvement and Jobs Act of 2022 could be described as carrots. They encourage covered entities to be proactive in improving their resilience to attacks. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is more of a stick. It stipulates harsher sanctions for breach notifications.

The rulemaking process, conducted by the Cybersecurity and Infrastructure Agency (CISA), is yet to begin in earnest. Accordingly, the extent of the law’s coverage is unclear. Currently only federal agencies and operators of critical infrastructure are definitely covered. However, the “Healthcare and Public Health Sector” is one of CISA’s 16 previously earmarked critical sectors. So the Strengthening American Cybersecurity Act will likely usher in new healthcare cybersecurity standards. The sooner they come, the better, given how the threat landscape is evolving.

Stricter Reporting Is Likely

Among the most stringent compliance requirements in the new Act is the focus on making cyberattack reporting faster and more detailed. The law requires covered entities to notify CISA within 72 hours of a breach occurring. When ransom payments are made, organizations must tell CISA within 24 hours. (Read The Life-Threatening Rise of Ransomware in Healthcare.) Reports to CISA must be detailed and provide information about how the incident happened and which security controls were in place.

Healthcare providers are familiar with the need to report certain types of HIPAA breaches. Indeed many have been busy instituting procedures to notify Protected Health Information (PHA) exposure within 60 days to comply with the most recent version of the law. However, few organizations are likely ready for the swift response reporting stipulated by the Strengthening America Cybersecurity Act.

HIPAA is designed to secure PHA only. The reporting requirements in the Strengthening America Cybersecurity Act are much broader. And the new law’s definition of a cybersecurity incident is still unclear. What is clear is that covered organizations must respond to cyberattacks much faster than they do now.

Unfortunately, when responding to security incidents healthcare organizations perform exceptionally poorly. A cross-sectoral study by Immersive Labs found health care organizations received an average cyber incident performance score of only 18 percent. This was the worst of any sector in the study. (Read The Top Three Weaknesses in Healthcare Cybersecurity.)

Stopping Attacks Is the Best Way to Beat Reporting Requirements

The best way to reduce the stress of reporting requirements is to stop breaches in the first place. Regrettably, preventing attacks is also something healthcare organizations are poor at. Last year almost 1 in 2 residents in many US states had their personal healthcare information exposed by a cyberattack.

Tighter healthcare cybersecurity standards may bring increased risk of legal action. And the average healthcare data breach already costs over $9 million and takes 75 days to contain.

Healthcare’s poor record at stopping and reporting attacks is partly a product of culture. Cybersecurity has traditionally been under-prioritized. Even in 2021, with ransomware attacks on healthcare soaring, a ComputerWeekly report showed barely 1 in 10 hospital executives prioritized cybersecurity.

Another part of the recently passed law, the Federal Information Security Modernization Act of 2022, sets out a framework for changing this status quo. This act requires covered organizations to implement a range of preventive cybersecurity measures. Implementing zero-trust architecture may soon become mandatory.

The Case for Zero-Trust in Healthcare

Taking a zero-trust approach to security essentially means no network entity is automatically assumed to be safe, even after initial verification. This approach is urgently required within healthcare.

Providing care to patients means healthcare organizations offer threat actors an immense range of attack vectors. These are both technological and human. With endpoint numbers soaring, it’s chilling to note more than half of healthcare IoT devices host a known unpatched vulnerability. No less unsettling is that almost a quarter of healthcare staff have not received any security awareness training.

Healthcare organizations can’t overcome these inherent and long-standing vulnerabilities by plastering over cracks. Instead of trusting verified endpoints and devices, organizations need a security strategy that never trusts anything or anyone connected to its network. Making this happen is part technological and part cultural.

The obvious challenge of implementing zero-trust in healthcare is how to balance healthcare professionals’ operational requirements with tighter security controls. Healthcare professionals and hospital staff need to access patient data effortlessly. In many cases, security controls that get in the way can be dangerous to patient health.

Security teams must work with practitioners and administrators to develop authentication procedures and policies that fit real-world scenarios to overcome these obstacles.

In healthcare, an effective zero-trust strategy is one that strikes a balance between accessibility and security. Zero-trust technology protects hospital networks from malicious code execution and provides deterministic protection without impacting performance or straining networks.

With Regulation Looming, Don’t Delay Security Improvements

We don’t yet know precisely what the Strengthening American Cybersecurity Act requires of healthcare organizations. By the time the rulemaking process finishes, CISA may choose to apply a different version of the law’s current statutes.

However, it’s clear regulators will ask more of healthcare organizations’ cybersecurity. Zero-trust architecture is a central part of the security improvements federal regulators will require for healthcare organizations.

Learn more about how zero-trust architecture and Moving Target Defense protects against the advanced cyberthreats healthcare needs to defend against. Read the white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy.

Healthcare: are you visible to AI?

Before they reach out, Healthcare buyers ask AI engines which vendors to trust. See how AI describes your company today, and where competitors show up instead.

Free workspace

You just read one expert. Imagine publishing your whole team.

This article was produced through MarketScale. Create a free workspace and turn your own team's expertise into articles, video, and social posts. No credit card, no demo required.

NPS +73 · 1,000+ creators · 38+ countries

What you get, free

Your own MarketScale Studio workspace
One video edit a month, on us
AI writing, editing, and publishing tools
In-platform coaching to learn the system

More Healthcare Insights

Medical device supply chains face persistent pressure as federal glove push falls short

Medical device supply chains face persistent pressure as federal glove push falls short

The medical device supply chain is under sustained pressure due to various factors including domestic glove manufacturing failures and product shortages in hospitals. Additionally, there is intense competition in the $1.5 billion heart valve market. These challenges are causing shifts in medtech supply signals.

  • 01The medical device supply chain is experiencing continued stress due to manufacturing failures and shortages.
  • 02Domestic glove manufacturing efforts have not met expectations, contributing to supply chain issues.
  • 03The heart valve market faces increased competition valued at $1.5 billion.

Jul 18, 2026

From Chaos to Control: Dr. Mo Canellas on AI, Emergency Medicine & Why Most “AI Companies” Fake It

From Chaos to Control: Dr. Mo Canellas on AI, Emergency Medicine & Why Most “AI Companies” Fake It

Dr. Maureen 'Mo' Canellas discusses the implementation of AI in emergency medicine and critiques the authenticity of many companies claiming to be AI-focused. She highlights her roles at UMass Memorial Medical Center and collaborations with institutions like MIT. Dr. Canellas also contributes to discussions around health care operations and benchmarking.

  • 01Dr. Mo Canellas is a significant figure in emergency medicine, focusing on machine learning and healthcare operations.
  • 02Many companies claiming to focus on AI in healthcare do not genuinely implement such technology.
  • 03Dr. Canellas collaborates with MIT and the Emergency Department Benchmarking Alliance for health care research and advancement.

Jul 17, 2026

Food as Medicine: Can What You Eat Replace the Medicine Bottle? - Adam Devito, Monj, and Maggie Biscarr, Food-as-Medicine SME

Food as Medicine: Can What You Eat Replace the Medicine Bottle? - Adam Devito, Monj, and Maggie Biscarr, Food-as-Medicine SME

The concept of food as medicine explores whether dietary choices can serve as an effective substitute for traditional medication. Experts are evaluating the potential of food to support health and manage illnesses. This approach aligns with a growing trend towards holistic health practices.

  • 01Food as medicine proposes using dietary choices to manage health and potentially replace medication.
  • 02This approach emphasizes preventive health through nutrition.
  • 03Food as medicine reflects a shift towards more holistic and personalized healthcare solutions.

Jul 17, 2026

Explore More Healthcare Insights

Read more expert perspectives from across Healthcare.

Browse Healthcare Hub

For B2B teams

Your experts could be publishing here

Stories like this one run on content MarketScale captures from real practitioners. See how your team's expertise becomes coverage in Healthcare and beyond.

Book a 15-minute demo

Or call us. No forms required. We pick up. 214-945-2512