A Turning Point in Healthcare Cybersecurity: HSCC Proposes One-Year Collaborative Framework Process to Replace HIPAA Security Rule Update

In a bold policy move that could reshape the regulatory landscape for healthcare cybersecurity, the Healthcare and Public Health Sector Coordinating Council (HSCC) has proposed a one-year, industry-led consultative process with the federal government to develop a practical, collaborative framework for protecting the healthcare ecosystem.
The HSCC’s Cybersecurity Working Group (CWG) released a formal policy statement this week urging the Trump Administration to pause its planned updates to the HIPAA Security Rule—announced last December—and instead pursue a cooperative path to modernizing cybersecurity expectations for healthcare stakeholders.
“Cyber safety is patient safety,” said Greg Garcia, Executive Director of the HSCC CWG, during testimony before the House Energy and Commerce Oversight and Investigations Subcommittee on April 1.
Why This Matters Now
Healthcare continues to be the most targeted industry by cybercriminals, with ransomware attacks, data breaches, and operational disruptions impacting hospitals, labs, and device manufacturers at an alarming rate. In 2024 alone, nearly every healthcare delivery organization (HDO) reported at least one cyberattack, and many experienced care interruptions and increased mortality as a result.
The sector’s complex mix of legacy infrastructure, interconnected devices (IoMT), and critical patient care systems requires cybersecurity policies that are both enforceable and adaptive. The HSCC argues that the proposed HIPAA rule changes are too rigid and outdated to meet today’s threat landscape and would fail to incentivize the real-world protections providers need.
Building on Proven Policy Models
The HSCC’s proposal draws inspiration from Executive Order 13636, which in 2013 led to the development of the widely respected NIST Cybersecurity Framework (CSF). That framework, created through public-private collaboration, has become a cornerstone of enterprise cybersecurity planning across multiple sectors.
HSCC is now recommending a similar effort for healthcare: a Healthcare Cybersecurity Framework that would integrate:
- Existing best practices and technical guidance created by and for the sector
- The HSCC’s own five-year Healthcare Industry Cybersecurity Strategic Plan
- Lessons learned from the rapid evolution of digital health technologies
Such a framework would prioritize measurable cybersecurity outcomes while giving healthcare organizations flexibility in how they meet those goals. The government would define “what” standards need to be met, while industry would retain authority over “how” those standards are achieved based on their operational realities.
“A successful consultative process will lead to a framework that is flexible, measurable, accountable, and effective—ultimately serving patient safety and infrastructure resilience,” Garcia stated during his testimony.
A Pragmatic Path Forward
This proposed shift is not just about easing compliance burdens—it’s about aligning federal oversight with practical implementation strategies that actually improve cyber resilience. Instead of relying on top-down regulations, the HSCC envisions a future where public-private collaboration leads to mutual accountability and more effective defense of the healthcare system.
The message from the sector is clear: regulation must evolve in step with the realities of healthcare delivery and cybersecurity risk. As ransomware becomes more sophisticated and interconnected medical devices continue to proliferate, the stakes for patient safety have never been higher.
If accepted by the Administration, this consultative framework approach could mark a pivotal moment—bringing together policymakers, providers, and IT leaders to co-create cybersecurity standards that not only protect data but save lives.