A pivotal proposal from the U.S. Department of Health and Human Services to fundamentally overhaul the HIPAA Security Rule has exposed a deep rift within the American healthcare industry, creating a landscape of both proactive preparation and profound apprehension. Introduced in early 2025 with the laudable goal of establishing a higher cybersecurity baseline for protecting sensitive patient data, the new mandates have been met with a sharply divided response. While some forward-thinking organizations, already fortified by their own strategic security investments, feel well-prepared to meet or exceed the challenge, many industry associations and smaller providers are voicing serious concerns. They argue that the prescriptive nature and ambitious timeline of the proposed regulations could impose an unsustainable burden on an already strained system, questioning whether the new rules are a viable solution or an unworkable mandate. This division highlights a fundamental split in cybersecurity philosophy, pitting those who have proactively embraced security as a core business function against those who fear the operational and financial shock of a one-size-fits-all federal directive.
The core of the debate centers on the specific technical controls outlined in the HHS proposal, which collectively aim to modernize the industry’s defenses against an ever-evolving threat landscape. The new rules would establish a mandatory baseline for safeguarding electronic protected health information (ePHI) by requiring several key security measures. Among the most significant is the implementation of robust, immutable data backups, a critical defense against the pervasive threat of ransomware, because backups an attacker cannot alter or delete are what make recovery without paying possible. The proposal also mandates encryption of ePHI both at rest on servers and storage systems and in transit across networks. To secure access points, the rules would enforce the use of multifactor authentication (MFA) across critical systems and applications. Providers would further be required to segment their networks to isolate sensitive systems, limiting the lateral movement of attackers once a single host is compromised. The proposed regulations also call for continuous, real-time security monitoring, often through a dedicated Security Operations Center (SOC), alongside regular vulnerability testing and the deployment of anti-malware software on all endpoints and servers, creating a far more rigorous and technically specific framework than the one it seeks to replace.
The Push for Proactive Security
Building Resilience from the Ground Up
The journey of Kern Medical, a 222-bed hospital in California, serves as a compelling case study in a proactive security approach born from necessity. When Chief Technology Officer Craig Witmer began an overhaul of the hospital’s aging IT infrastructure in 2018, security was a foundational component, not an afterthought. This modernization involved deploying new Cisco servers, networking equipment, and high-performance storage, but the most critical change was in data protection. The hospital replaced an inadequate tape system with a Rubrik solution for immutable backups, effectively building a fortress against ransomware. This was complemented by the implementation of role-based access control, network segmentation, and Microsoft’s Entra MFA and Defender security tools. Witmer states that his organization is already in “good shape” to meet the proposed HIPAA requirements, not because they were anticipating the regulation but because their cyber insurance provider had already mandated most of these advanced controls as a condition of coverage. This illustrates a powerful trend where market forces, rather than government regulation, are driving the adoption of higher security standards.
This proactive mindset is also evident at San Juan Regional Medical Center in New Mexico, which underwent a rapid security transformation driven by the firsthand experience of its CIO, John Gaede. Having previously navigated a debilitating ransomware attack at another facility, Gaede prioritized a “security-first” approach upon his arrival in early 2024. A strategic five-year, $6.5 million investment in a comprehensive Cisco security suite in 2025 provided the hospital with MFA, 24/7 monitoring through an extended detection and response (XDR) service, and robust endpoint protection. The value of this investment was proven in October 2025 when the hospital successfully mitigated a targeted distributed denial-of-service (DDoS) attack within two hours, ensuring no interruption to patient care. Now planning to implement Cohesity’s immutable backup solution, Gaede is confident the hospital is on track for full compliance. Both Kern Medical and San Juan demonstrate that when leadership views cybersecurity as a strategic imperative for operational continuity and patient safety, the organization naturally aligns with the principles of emerging regulations, turning a potential compliance burden into a validated business asset.
A Framework-Driven Path to Compliance
For larger organizations like OU Health, a sprawling academic health system with a proportionally larger attack surface, a mature, framework-based strategy has proven essential for navigating the complex security landscape. Under the leadership of CISO Monte Coulter, the organization made a deliberate choice to build its security program around the robust and widely respected National Institute of Standards and Technology (NIST) Cybersecurity Framework. This strategic decision was supported by a significant investment in human capital, with Coulter quadrupling his IT security staff from six to 26 people. This expansion enabled the creation of specialized teams focused on critical areas such as identity and access management (IAM), governance, risk, and compliance (GRC), and cybersecurity operations. By aligning with a comprehensive framework like NIST, OU Health ensures its security posture is built on a foundation of industry best practices rather than a reactive checklist of regulatory requirements. This approach has positioned them well ahead of the curve, as they had already implemented advanced tools like Rubrik for backup and recovery, MFA, and identity governance solutions long before the new HIPAA proposals were announced.
The primary benefit of a framework-driven approach is that it fosters a culture of continuous improvement and inherent adaptability. Rather than scrambling to meet a new rule, OU Health focuses on maturing its capabilities within the NIST structure. Coulter emphasizes that aligning with such a robust standard ensures readiness for virtually any new regulation that may emerge, as the framework’s principles often exceed the specific requirements of any single mandate. The team is now focused on further enhancing security and user experience by implementing context-aware MFA, which intelligently prompts for re-authentication based on behavioral and contextual cues. This forward-looking strategy demonstrates a higher level of security maturity. Coulter feels his organization is “fairly well set up for any changes,” needing to address only minor items to be fully aligned. This stands in stark contrast to the potential panic and resource drain faced by organizations that have treated security as a periodic compliance exercise, highlighting how a strategic, framework-based approach transforms regulatory challenges into opportunities for refinement.
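Context-aware MFA of the kind described above is, at bottom, a per-request policy decision driven by signals about the session. The block below is an added illustration written for this page; it is not OU Health's code or any vendor's product. It compares a new access event against the user's last authenticated session and decides whether to re-prompt for a second factor. The signal weights, the score threshold, the 900 km/h impossible-travel cutoff, the list of sensitive actions, and the sample events are all assumptions constructed for the example.

```python
"""Context-aware (risk-based) step-up MFA policy evaluator.

Added illustration, not OU Health's or any vendor's code. It assumes a record
of the user's last successfully authenticated session (device identifier,
coarse geolocation, timestamp) and a new access event with the same fields
plus the action being requested.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Hypothetical tuning knobs; a real deployment derives these from its own telemetry.
STEP_UP_THRESHOLD = 50           # total risk score at which MFA is re-prompted
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than this between two logins is "impossible travel"
SENSITIVE_ACTIONS = {"export_phi", "change_mfa_device", "admin_console"}


@dataclass(frozen=True)
class Context:
    user: str
    device_id: str   # stable client fingerprint or managed-device ID
    lat: float
    lon: float
    when: datetime   # timezone-aware UTC
    action: str = "view"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def risk_signals(last: Context, now: Context):
    """Return a dict of named risk contributions for the new event."""
    signals = {}
    if now.device_id != last.device_id:
        signals["new_device"] = 30
    hours = max((now.when - last.when).total_seconds() / 3600.0, 1e-6)
    km = haversine_km(last.lat, last.lon, now.lat, now.lon)
    if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
        signals["impossible_travel"] = 60     # cannot physically be the same person
    elif km > 500:
        signals["new_location"] = 20          # plausible trip, but a new place
    if now.action in SENSITIVE_ACTIONS:
        signals["sensitive_action"] = 50      # always enough to trip the threshold alone
    if now.when.hour < 6 or now.when.hour >= 22:
        signals["off_hours"] = 10             # outside a notional clinical shift window
    return signals


def decide(last: Context, now: Context):
    """Return (step_up_required, score, signals) for the new event."""
    signals = risk_signals(last, now)
    score = sum(signals.values())
    return score >= STEP_UP_THRESHOLD, score, signals


# Constructed sample data: a clinician's last session from a managed workstation
# in Oklahoma City at 09:00 UTC, followed by several candidate access events.
_T0 = datetime(2025, 10, 14, 9, 0, tzinfo=timezone.utc)
LAST = Context("dr.smith", "ws-0421", 35.47, -97.52, _T0)
SAMPLES = {
    # same device, same campus, routine chart view two hours later
    "routine": Context("dr.smith", "ws-0421", 35.47, -97.52, _T0 + timedelta(hours=2)),
    # unfamiliar tablet, same campus, routine view: new device alone stays below threshold
    "new_device_only": Context("dr.smith", "ipad-77", 35.47, -97.52, _T0 + timedelta(hours=1)),
    # same device but an ePHI export: sensitive action forces a fresh factor
    "phi_export": Context("dr.smith", "ws-0421", 35.47, -97.52, _T0 + timedelta(hours=3), "export_phi"),
    # same device "in Frankfurt" 30 minutes later: impossible travel
    "impossible_travel": Context("dr.smith", "ws-0421", 50.11, 8.68, _T0 + timedelta(minutes=30)),
    # new device in Denver eight hours later: plausible trip, but two weak signals stack up
    "new_device_new_city": Context("dr.smith", "lt-9f2a", 39.74, -104.99, _T0 + timedelta(hours=8)),
}


def evaluate_samples():
    """Map each sample name to its (step_up_required, score) decision."""
    return {name: decide(LAST, ctx)[:2] for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        required, score, signals = decide(LAST, ctx)
        print(f"{name:20s} step_up={required!s:5s} score={score:3d} {signals}")
```

The point of the design is that no single weak signal (a new device, an unusual hour, a long but plausible trip) forces a prompt, which is what keeps the user experience tolerable, while any one strong signal (impossible travel, an ePHI export) does. Weights and thresholds are policy, not code: they should be tuned from the organization's own login telemetry and reviewed as part of the same GRC process that owns the rest of the access policy.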
Industry-Wide Apprehension and Calls for Collaboration
The Burden of Prescriptive Regulation
Despite the success stories of proactive organizations, a significant and vocal segment of the healthcare industry views the HHS proposal with deep concern. An influential coalition of over 100 hospital systems and healthcare associations, spearheaded by the College of Healthcare Information Management Executives (CHIME), has formally requested that HHS withdraw the proposed update. Their opposition is not to the goal of enhanced cybersecurity but to the method proposed to achieve it. As articulated by CHIME’s Director of Federal Affairs, Chelsea Arnone, the primary objection is that the rules are “overly prescriptive” and technically rigid. Critics argue that the proposal’s one-size-fits-all nature fails to account for the vast diversity within the American healthcare system. A mandate that may be feasible for a large, well-funded academic medical center could be financially and operationally crippling for a small, rural hospital or a community clinic operating on razor-thin margins with limited IT staff and resources. The fear is that such a rigid directive would create an unsustainable documentation and compliance burden, ultimately causing a “shock to our system.”
This apprehension is rooted in the practical realities of healthcare operations. The stringent compliance deadline, coupled with extensive documentation requirements, raises significant questions about feasibility. The healthcare industry is already facing a severe shortage of skilled cybersecurity professionals, and the sudden demand created by these new rules would likely exacerbate the problem and drive up costs. Furthermore, implementing technologies like comprehensive network segmentation or real-time monitoring across complex and often aging clinical networks can be a monumental undertaking, requiring significant capital investment and potentially disrupting patient care workflows. The concern is that the HHS proposal, while well-intentioned, was drafted without a full appreciation for these on-the-ground challenges. Critics contend that instead of fostering a more secure environment, the prescriptive nature of the rules could force under-resourced providers into a compliance-focused, checkbox mentality that does little to improve their actual security posture while diverting precious funds and attention away from direct patient care and other critical operational needs.
Advocating for a Collaborative Framework
In response to the perceived rigidity of the HHS proposal, the coalition led by CHIME has put forward an alternative vision centered on collaboration and flexibility. Instead of a top-down, prescriptive mandate, they advocate for the development of a flexible, risk-based cybersecurity framework. Crucially, they argue that this framework should be created in partnership with healthcare providers, technology experts, and other industry stakeholders. This collaborative approach would ensure that the resulting standards are not only robust but also practical, scalable, and adaptable to the diverse operational environments and resource levels found across the healthcare sector. Such a framework would move away from a checklist of required technologies and toward a model where organizations assess their unique risks and implement controls that are most appropriate for their specific circumstances while still meeting a common set of security objectives. This would empower providers to make strategic security investments that offer the greatest impact rather than forcing them to spend limited resources on mandated solutions that may not be the best fit for their environment.
This call for partnership reflects a broader desire for a more nuanced and sustainable path toward cyber resilience. The industry groups argue that a collaborative framework would foster a greater sense of shared responsibility and encourage a culture of continuous security improvement rather than periodic sprints to meet compliance deadlines. Uncertainty surrounding the final rule, which HHS had targeted for May 2026 without being bound to that date, only added to the industry’s anxiety and made long-term strategic planning difficult. The central tension was never about whether the industry needed to bolster its defenses, a goal that was universally accepted, but about how. The outcome hinged on whether HHS would proceed with its prescriptive proposal or embrace a more collaborative process. That choice would determine whether the future of cybersecurity in American healthcare was defined by a rigid, one-size-fits-all mandate or by a flexible, partnership-driven framework designed for the complex realities of modern patient care.