CyberVitals: Uncertainty in Security

Contributor: Vidya Murthy, WEMBA’42 

It’s been a roller coaster of a year, and it’s only just begun. The themes have stayed the same: workforce challenges, burnout on all sides of the healthcare equation, and the promise that bleeding-edge technology is just within our grasp (read: AI will save us all). The reality, however, is that the new administration in the U.S. is going to introduce an unprecedented level of uncertainty.

Activities of Note from the Government 

In December 2024, the U.S. Department of Health and Human Services (HHS) proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to bolster the protection of electronic protected health information (ePHI).  

These changes are proposed to address the increasing cybersecurity threats faced by the industry, focusing in particular on practices in the following areas:

  • Asset inventory and network mapping
  • Annual risk assessments along with robust risk management planning
  • Established change and patch management policies, procedures, and controls
  • Requirements for monitoring and incident response policies and procedures 

Furthermore, the proposed changes would require technical safeguards to be implemented for encryption, multi-factor authentication, configuration management, vulnerability scanning, network segmentation, and backups.

It also appears that many business associate agreements currently in place would require an update, so that business associates report to covered entities no later than 24 hours after activating a contingency plan.

These practices are absolutely baseline for ‘good’ security hygiene, but, as we’ve seen, smaller healthcare providers are already struggling under existing expectations. While a bill has been introduced to help support smaller health centers, it is far from realized today.

While the government’s impact is not easily influenced by individuals in key positions, the recent firing of the HHS Inspector General and the voluntary departure of the CDRH digital health leader will likely have downstream effects. In particular, Troy Tazbaz had led the artificial intelligence (AI) guidance for medical device development, which will likely be at odds with the executive branch’s position on artificial intelligence.

Perhaps hearteningly, the FDA continues to ramp up enforcement efforts. In particular, Q1 2025 brought a safety recall based on cybersecurity, indicating that the agency continues to actively address security concerns. Additionally, many device manufacturers are pushing for an exemption from proposed tariffs, which, if implemented, are expected to hurt research and development as well as innovation efforts - which is where security initiatives typically reside.

It is also worth noting that the European Union has continued its efforts to enhance healthcare security, so even if the U.S. regulatory environment stalls, many device manufacturers will in all likelihood still be forced to resolve their security challenges.

What will shape the industry going forward? 

The United Healthcare debacle is indicative of the order of magnitude of impact security can have - whether on patients being able to receive care, claims being processed, or data being kept safe. This is likely the wake-up call that will drive behavior going forward, because healthcare is a business, and insurance hugely shapes what those dollars look like.

While there’s plenty of adjacent noise in healthcare governance, it is no longer merely theoretical that vulnerabilities directly impact care delivery. This reality, in which security concerns translate into immediate patient care concerns, is likely to convince device manufacturers, providers, and regulators of the importance of security.

Lastly, the JP Morgan healthcare conference highlighted the desire to grow inorganically, leverage data, and embed artificial intelligence. It also, sadly, revealed a lack of focus on security. While I believe the business value of security is directly tied to revenue growth, proving that to those not embedded in the security industry is hard. If security practitioners cannot articulate their board-level importance, sustained change is unlikely to occur across the industry.


Contact Vidya at: [email protected]