by Liz Kiehner, Chief Growth Officer of North America, Nortal
2025: The year cybersecurity rules rewrite U.S. healthcare
The U.S. healthcare industry is entering 2025 under the spotlight of heightened cybersecurity threats and evolving regulatory landscapes. In response to the growing number of cyberattacks targeting sensitive patient data and critical infrastructure, new cybersecurity regulations are being introduced at both federal and state levels. These measures aim to enhance the resilience of healthcare organizations and protect patient privacy.
Key regulatory changes impacting the healthcare sector in 2025
1. Health Infrastructure Security and Accountability Act (HISAA)
Introduced in September 2024 by Senators Ron Wyden and Mark Warner, HISAA would set minimum cybersecurity standards for healthcare organizations, including hospitals and health plans. Key requirements: annual independent security audits, improved threat detection, and stronger technical safeguards, with federal funding to help smaller and rural providers meet them. The bill is still under Senate review and could be enacted in 2025.
2. New York State Department of Health Cybersecurity Regulations
New York's hospital cybersecurity regulation (10 NYCRR 405.46) was adopted in October 2024. Its requirement to report cybersecurity incidents to the Department of Health within 72 hours took effect immediately; hospitals have until October 2, 2025 to put the rest in place: a written cybersecurity program with supporting policies, a designated chief information security officer, regular risk assessments, and technical controls such as multi-factor authentication. The goal is to protect patient data and keep clinical services running during an attack. Non-compliance exposes hospitals to penalties as well as reputational harm.
3. California Assembly Bill 749
Effective 2025, AB 749 mandates a zero-trust architecture for healthcare, emphasizing micro-segmentation for medical devices and clinical networks. Quarterly assessments are meant to verify that the segmentation actually holds, before attackers find the weak links. The law responds to the growing exposure of interconnected medical systems, where a compromised workstation or device can otherwise reach anything else on the network.
4. Updates to the HIPAA Security Rule
HHS published a proposed update to the HIPAA Security Rule for public comment in January 2025. It would make several technical safeguards mandatory rather than "addressable", including encryption of ePHI, multi-factor authentication, and a maintained asset inventory and network map, and it would require network segmentation so that an intrusion into one part of an environment holding electronic Protected Health Information (ePHI) cannot move laterally to the rest. These changes target ransomware and other modern intrusions, in which attackers spread from an initial foothold to the systems that hold patient data.
Implications for healthcare organizations
To comply with these new regulations, healthcare organizations must:
- Establish a Comprehensive Cybersecurity Program: Ensure policies, procedures, and governance structures align with evolving regulations, providing a solid foundation for all security efforts.
- Conduct Ongoing Risk Assessments: Regularly evaluate vulnerabilities, threats, and potential compliance gaps. Use these assessments to continuously refine a cybersecurity program.
- Implement a Zero-Trust Architecture: Incorporate elements such as micro-segmentation, network segmentation for ePHI, and continuous monitoring to prevent unauthorized lateral movement and strengthen overall network defenses.
- Build a Cyber-Aware Workforce: Provide robust training and education programs that equip employees with the knowledge to recognize threats, follow best practices, and effectively utilize security tools.
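The segmentation controls described above (zone boundaries around ePHI systems and medical devices, plus micro-segmentation inside a zone) are only useful if you can tell when traffic crosses a boundary the policy does not allow. The following is an added example, not code from the original article or from Nortal: a small default-deny policy check that maps flow records to network zones and flags every flow, cross-zone or peer-to-peer, that is not on the allowlist. The zones, CIDR ranges, ports (including the HL7 port) and flow-log lines are all constructed for illustration.

```python
"""Segmentation policy check over flow records.

Added example, not code from the original article or from Nortal. The zones,
CIDR ranges, allowed flows and the flow-log lines are constructed for
illustration; replace them with your own before using this for anything real.
"""
import ipaddress
from typing import NamedTuple

# Constructed network zones. In practice these come from IPAM or the firewall.
ZONES = {
    "clinical_workstations": ["10.10.0.0/16"],
    "medical_devices": ["10.20.0.0/16"],
    "ephi_database": ["10.30.0.0/24"],
    "guest_wifi": ["192.168.100.0/24"],
}

# Default-deny allowlist of (source zone, destination zone, destination port).
# Nothing else may cross a zone boundary, and peer-to-peer traffic inside a
# zone is denied unless listed too (the micro-segmentation part).
ALLOWED_FLOWS = {
    ("clinical_workstations", "ephi_database", 5432),   # EHR client to database
    ("clinical_workstations", "medical_devices", 443),  # device management console
    ("medical_devices", "ephi_database", 2575),         # HL7 results feed (assumed port)
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


class Violation(NamedTuple):
    flow: Flow
    src_zone: str
    dst_zone: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside every zone is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for zone, cidrs in ZONES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return zone
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record (a constructed log format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def is_allowed(flow: Flow) -> bool:
    """A flow is allowed only if its (src zone, dst zone, port) is allowlisted."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.dport) in ALLOWED_FLOWS


def find_violations(lines: list[str]) -> list[Violation]:
    """Return every flow that the segmentation policy does not permit."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if not is_allowed(flow):
            violations.append(Violation(flow, zone_of(flow.src), zone_of(flow.dst)))
    return violations


# Constructed sample flow log: two permitted feeds and four lateral moves.
SAMPLE_FLOW_LOG = [
    "src=10.10.4.12 dst=10.30.0.5 dport=5432 proto=tcp",      # workstation -> DB: allowed
    "src=10.10.4.12 dst=10.10.4.40 dport=445 proto=tcp",      # workstation -> workstation SMB
    "src=192.168.100.23 dst=10.30.0.5 dport=5432 proto=tcp",  # guest Wi-Fi -> ePHI database
    "src=10.20.7.3 dst=10.30.0.5 dport=2575 proto=tcp",       # device -> DB HL7 feed: allowed
    "src=10.20.7.3 dst=10.20.7.9 dport=22 proto=tcp",         # device -> device SSH
    "src=203.0.113.9 dst=10.30.0.5 dport=5432 proto=tcp",     # address in no zone -> database
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOW_LOG):
        print(f"DENY {v.src_zone} ({v.flow.src}) -> {v.dst_zone} ({v.flow.dst}) "
              f"port {v.flow.dport}/{v.flow.proto}")
```

Run against the constructed log, the check reports the workstation-to-workstation SMB connection and the device-to-device SSH session (classic lateral movement inside a zone) alongside the guest Wi-Fi and unzoned addresses reaching the ePHI database, while the two allowlisted feeds pass. The same allowlist that drives this check is what you would push into firewall or NAC policy; keeping detection and enforcement on one source of truth is what makes a quarterly segmentation assessment meaningful.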
These regulations add compliance responsibilities and operational burdens, but they are also an opportunity to improve resilience and strengthen trust in healthcare delivery. Organizations that go beyond box-ticking and invest in substantive improvements, such as better threat detection, zero-trust architectures, and effective employee training, will measurably reduce their exposure. Those that treat the new rules purely as compliance hurdles leave that security value on the table, remain more vulnerable, and risk patient confidence. Treating the regulations as a catalyst for long-term cybersecurity maturity rather than as mandates to be satisfied pays off in both patient trust and organizational stability.
As the healthcare industry navigates these new regulatory landscapes, partnering with experts in digital transformation and cybersecurity is crucial. Nortal, with its proven track record in creating world-leading national health record systems in Estonia, Finland, and Lithuania, and its extensive experience working with U.S. healthcare organizations, is uniquely positioned to help meet these challenges. By leveraging Nortal’s expertise, healthcare providers in the U.S. can build resilient cybersecurity frameworks, ensure compliance, and safeguard patient trust. Contact Nortal today to future-proof your organization in the face of evolving cybersecurity demands.