Search
Explore digital transformation resources.
Uncover insights, best practises and case studies.
Article
by
Liz Kiehner, Chief Growth Officer of North America, Nortal
2025: The year cybersecurity rules rewrite U.S. healthcare
The U.S. healthcare industry is entering 2025 under the spotlight of heightened cybersecurity threats and evolving regulatory landscapes. In response to the growing number of cyberattacks targeting sensitive patient data and critical infrastructure, new cybersecurity regulations are being introduced at both federal and state levels. These measures aim to enhance the resilience of healthcare organizations and protect patient privacy.
Service
Cyber Resilience
Industry
Healthcare
Industry
Key regulatory changes impacting the healthcare sector in 2025
1. Health Infrastructure Security and Accountability Act (HISAA)
Proposed by Senators Ron Wyden and Mark Warner, HISAA introduces minimum cybersecurity standards for healthcare organizations, including hospitals and health plans. Key requirements: annual security audits, improved threat detection, and enhanced technical safeguards. Federal funding will help smaller providers meet these standards. Currently under Senate review, HISAA could be enacted by 2025.
2. New York State Department of Health Cybersecurity Regulations
Starting January 1, 2025, New York hospitals must implement comprehensive cybersecurity programs, conduct regular risk assessments, and promptly report incidents. These measures aim to protect patient data and maintain healthcare services during cyberattacks. Non-compliance could lead to penalties and reputational harm.
3. California Assembly Bill 749
Effective 2025, AB 749 mandates a zero-trust architecture for healthcare, emphasizing micro-segmentation for medical devices and clinical networks. Quarterly assessments will ensure effectiveness and prevent attackers from exploiting weak links. This law addresses the rising vulnerabilities of interconnected medical systems.
4. Updates to the HIPAA Security Rule
The updated HIPAA Security Rule requires network segmentation to prevent unauthorized lateral movement in systems with electronic Protected Health Information (ePHI). These enhancements target modern threats like ransomware and advanced persistent threats, ensuring healthcare organizations stay ahead of evolving cyber risks.
Implications for healthcare organizations
To comply with these new regulations, healthcare organizations must:
- Establish a Comprehensive Cybersecurity Program: Ensure policies, procedures, and governance structures align with evolving regulations, providing a solid foundation for all security efforts.
- Conduct Ongoing Risk Assessments: Regularly evaluate vulnerabilities, threats, and potential compliance gaps. Use these assessments to continuously refine a cybersecurity program.
- Implement a Zero-Trust Architecture: Incorporate elements such as micro-segmentation, network segmentation for ePHI, and continuous monitoring to prevent unauthorized lateral movement and strengthen overall network defenses.
- Build a Cyber-Aware Workforce: Provide robust training and education programs that equip employees with the knowledge to recognize threats, follow best practices, and effectively utilize security tools.
While these regulations introduce new compliance responsibilities and operational burdens, they also present a critical opportunity to enhance overall resilience and strengthen trust in healthcare delivery. By going beyond mere box-ticking exercises and investing in meaningful improvements—such as advanced threat detection, zero-trust architectures, and robust employee training — organizations can significantly reduce their exposure to cyber risks. Conversely, viewing these new rules solely as compliance hurdles risks leaving valuable security potential on the table, ultimately increasing vulnerability and undermining patient confidence. In other words, embracing these regulations not just as mandates, but as a catalyst for long-term cybersecurity maturity, can pay dividends in both patient trust and organizational stability.
As the healthcare industry navigates these new regulatory landscapes, partnering with experts in digital transformation and cybersecurity is crucial. Nortal, with its proven track record in creating world-leading national health record systems in Estonia, Finland, and Lithuania, and its extensive experience working with U.S. healthcare organizations, is uniquely positioned to help meet these challenges. By leveraging Nortal’s expertise, healthcare providers in the U.S. can build resilient cybersecurity frameworks, ensure compliance, and safeguard patient trust. Contact Nortal today to future-proof your organization in the face of evolving cybersecurity demands.
Learn more about our cybersecurity offerings
Explore how our customized cybersecurity solutions can transform your organization. Discover innovative ways to harness healthcare insights, streamline patient care processes, and drive smarter decisions for improved outcomes.
Related content
Get in touch
Nortal is a strategic innovation and technology company with an unparalleled track-record of delivering successful transformation projects over 20 years.