HITRUST has submitted a letter to the incoming administration and key Congressional Committees regarding proposed modifications to the HIPAA Security Rule. This comes in light of proposed legislative measures aimed at improving the cybersecurity posture of the healthcare industry.
Despite existing regulations and guidelines, the healthcare sector continues to face direct and opportunistic targeting, with ongoing attacks impacting vital patient care and trust. HITRUST shares the objective of the Department of Health and Human Services and Congress that healthcare organizations must manage information risk effectively, that guidelines must be established based on each organization’s overall risk posture, and that effectiveness must be proven through compliance systems. At the same time, it is critical to revisit the outdated and incomplete approaches historically used to address cybersecurity risks in healthcare.
HITRUST’s letter emphasizes the need to rethink these approaches and recommends leveraging proven, scalable models that enhance security outcomes while avoiding inefficiencies or unnecessary complexity. We believe that substantial improvements in cybersecurity can be achieved through actionable strategies and tools, not just compliance.
A key recommendation from HITRUST is addressing a significant design flaw in the HIPAA Security Rule. Currently, the Rule fails to effectively reduce risk because it lacks relevant, clear, and prescriptive guidelines for controls and assurance. The result is inconsistent implementation and lack of objective measurement, preventing meaningful risk management.
HITRUST’s 17 years of experience, along with insights from our 2024 Trust Report, demonstrate the effectiveness of comprehensive risk management strategies. Only 0.64% of HITRUST-certified environments reported breaches over the past two years — proof that robust risk management can yield substantial security outcomes with the right strategies and tools.
We invite you to read our letter to learn more about how HITRUST is advocating for practical, impactful changes to safeguard the healthcare system.