“No organization, including federal agencies, is or can be immune from cyberattacks,” AHA told Healthcare IT News in its response to the Department of Health and Human Services’ policy concepts, which aim to bolster the sector’s cyber resiliency to protect patient safety.
AHA is right to say that no organization in healthcare or in any other industry can fully harden defenses and prevent entities from falling victim.
However, organizations can reduce the risk of material impact by following the industry-specific standards outlined in the HHS 405d Health Industry Cybersecurity Practices or NIST Cybersecurity Framework.
The HHS plan to incentivize provider organizations to implement these security mitigations will be paramount, as the current state of voluntary guidelines has not improved cyber resiliency at the vast majority of healthcare entities, nor has it generated the business imperative for health systems to follow these standards.
Failure to get behind these standards and the HHS push to support better cyber standards, incentives, and mandated measures will further accentuate the problem.
The Health Insurance Portability and Accountability Act’s HITECH Act was issued nearly 14 years ago, and yet we continue to see provider organizations and other healthcare entities struggle to harden their defenses. Resource, staffing and knowledge gaps, budgets, and other factors have continued to leave many entities behind the curve in doing what’s needed to defend against the current state of attacks.
Even so, HIPAA has just 42 controls, compared with the NIST Cybersecurity Framework employed by most industries except healthcare. The NIST framework covers everything an entity might need or consider, and it is routinely updated to address changes in threats and the digital landscape. Data confirms that about one-fifth of healthcare organizations still fail to meet HIPAA compliance requirements, more than 13 years since its enactment.
While massive health systems boast serious investments in cybersecurity and large cybersecurity teams, those entities do not reflect the reality of the have-nots in healthcare: rural providers, small- to medium-sized organizations, and simply those continuing to operate in the red and struggling to recover from the pandemic.
A look at the record-breaking data breaches, steady stream of cyber-related network downtime and care delays, and hospital failures to protect patient safety demonstrates that the current state of voluntary, patchwork cyber mitigation is not meeting what’s needed to protect patients and providers’ mission to do no harm.
There’s a growing accountability movement across the globe as it pertains to cybersecurity and consumer protections. We’ve seen it with the HHS concepts, but also in congressional discussions around AI and healthcare threats, as well as New York’s proposed cyber baseline requirements for hospitals.
Executive leaders, hospital board members, and other healthcare decision makers should consider these proposals as a sign of things to come in terms of cyber regulations, as cybersecurity is a business and moral imperative, especially in healthcare.