الثلاثاء 07 يوليو 2026 03:13:43 GMT+02:00

Netcrook

الرئيسيةالبيان
الأخبار
Techcrook
Geocrook
WikicrookالفريقAppاتصال
ArabicEnglishItaliano

Cybercrime

Under the Knife: Healthcare Industry Fights Back Against Rushed HIPAA Overhaul

Published: 24 December 2025 00:09Category: CybercrimeGeo: North AmericaAuthor: AUDITWOLF

Subtitle: Hospitals and industry leaders warn that new cybersecurity mandates could do more harm than good if rushed into practice.

It’s a rare sight: the nation’s leading healthcare organizations, from elite hospitals to major medical associations, are united-not in pursuit of a cure, but in a battle against what they call a dangerously unrealistic cybersecurity rule. As the Department of Health and Human Services (HHS) pushes to overhaul the HIPAA Security Rule in response to a surge in cyberattacks, industry insiders are sounding the alarm: “Not so fast.”

The HHS’s proposed update aims to bring HIPAA’s security requirements in line with today’s cyber threats-think ransomware gangs holding patient records hostage, or devastating breaches like the Change Healthcare attack, which compromised data on 190 million Americans. The new rules mandate everything from multi-factor authentication (MFA) to network segmentation, and demand rapid compliance-just 60 days after publication, with full implementation required within 180 days.

The backlash has been swift and fierce. A coalition of over 100 organizations, including the College of Healthcare Information Management Executives (CHIME), Yale New Haven Health System, and the American Medical Association, sent a letter to HHS calling for the rule’s “immediate withdrawal.” Their main concerns? Crushing financial costs, technical misalignment with real-world hospital operations, and deadlines they say are “unreasonable.”

“HHS estimates MFA deployment can be done in one-and-a-half hours,” says Chelsea Arnone, CHIME’s director of federal affairs. “But for hospitals, MFA touches every clinical workflow and requires months of redesign-not hours.” The same disconnect plagues other requirements: network segmentation, for example, is estimated by HHS to take less than five hours, while hospital CISOs insist it requires weeks of architectural overhaul and testing.

Compliance isn’t just about flipping a switch. Business Associate Agreements (BAAs)-the contracts that govern data sharing with vendors-would need to be renegotiated across the industry, a process that could take even well-resourced hospitals a year or more. And all the while, hospitals must maintain round-the-clock patient care, with little tolerance for system downtime.

Cybersecurity leaders like Mind CEO Eran Barak agree the intent is right but warn that “prescriptive controls on tight timelines, especially across legacy systems, won’t be realistic for many organizations.” The risk? Hospitals could face operational disruptions that endanger patient care-the very thing the rule aims to protect.

Some in the industry point to the Health Care Cybersecurity and Resilience Act of 2025 as a more practical path, since it pairs mandates with funding grants for hospitals. Others urge HHS to phase in the rules, prioritize the highest risks, and offer flexibility for clinical realities.

For now, the standoff continues. The healthcare sector desperately needs stronger cybersecurity, but experts warn that a rushed, one-size-fits-all approach could leave patients-and their data-more vulnerable than ever. Will policymakers heed the call for balance, or will the cure prove worse than the disease?

WIKICROOK

  • HIPAA: HIPAA is a US law that safeguards health data privacy and security, though it may not cover all neural data collected in research.
  • Multi: Multi refers to using a combination of different technologies or systems-like LEO and GEO satellites-to improve reliability, coverage, and security.
  • Network Segmentation: Network segmentation divides a network into smaller sections to control access, improve security, and contain threats if a breach occurs.
  • Business Associate Agreement (BAA): A BAA is a HIPAA-mandated contract between healthcare entities and vendors to protect and manage the privacy of patients’ health information.
  • Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.