HSCC Proposes Alternative to the HIPAA Security Rule Update

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is urging the Trump administration to halt proposed updates to the HIPAA Security Rule that were published during the final days of President Biden’s term. Instead of the rule changes, the CWG is recommending a structured series of consultations and workshops to develop modern cyber policies for healthcare.

The CWG is a government-recognized critical infrastructure industry council composed of more than 470 healthcare providers. It develops and publishes cybersecurity practices and policy recommendations, and produces outreach and communications programs emphasizing cyber safety.

HSCC’s Recommendation

In a statement released by the CWG, the group asked that the current administration suspend any further consideration of the HIPAA Security Rule NPRM as written. It also requested a structured series of consultations and workshops with the CWG and other owners and operators of national critical healthcare infrastructure to reach a consensus on a modernized policy for healthcare cybersecurity. The CWG claims this approach would bolster two executive orders focused on security signed by President Trump, the Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure EO from 2017, and the Critical Infrastructure and Achieving Efficiency Through State and Local Preparedness EO from 2025.

The CWG cites the development of the NIST Cybersecurity Framework (NIST CSF) as precedent for its recommended approach to improving healthcare cybersecurity. Beginning in 2013, NIST CSF development was largely driven by the private sector with guidance from NIST workshop processes. Since then, NIST CSF has continued to grow and is one of the most respected sources for cybersecurity practices. The HSCC proposes that the Cybersecurity Working Group and other industry leaders work with the government to design a healthcare-specific framework that maps to CSF for all interconnected owners/operators and their supporting healthcare infrastructure. The CWG argues this collaborative approach should replace one-size-fits-all regulations with scalable guidance that is relevant to unique sectors, flexible to meet evolving threats, cost-efficient, and effective at measurably improving cybersecurity outcomes.

In 2019, the HSCC worked with the federal government to develop the Health Industry Cybersecurity Practices (HICP), a framework for the healthcare industry that directed HHS to work with the healthcare industry on a set of best practices for cybersecurity. The CWG identifies the HICP as a starting point for identifying priority practices that can be mandated as baseline controls.

The CWG also argues that the framework should be applied to unregulated technology and service providers that interact with healthcare. This would remove the existing burden healthcare organizations currently face of independently confirming their vendors have the appropriate cybersecurity controls for HIPAA compliance.

Other Objections to the Proposed HIPAA Security Rule Update

The HSCC is not the first healthcare organization to voice its concerns about the proposed HIPAA Security Rule changes. In February 2025, a group of healthcare organizations sent a letter to President Trump and HHS Secretary Robert Kennedy Jr., asking for the proposed HIPAA Security Rule updates to be immediately rescinded. In the letter, the organizations listed the following objections to the proposed rule changes:

  • Costs and regulatory burden
  • Inefficiencies for the government and private sectors
  • Significant burdens without cybersecurity improvements
  • Cybersecurity investments are already being made
  • Conflicts with existing laws

Our Take on the HIPAA Security Rule

As we stated when the organizations mentioned above asked for immediate rescission, CompliancePoint believes the requirements outlined in the Proposed HIPAA Security Rule update should be considered basic cybersecurity practices. It can be argued that if the healthcare industry had been more proactive about basic security practices, HHS might not have felt compelled to push the proposed rule through.

The Proposed Rule addresses some significant risks that continue to impact the security of PHI, including requiring providers to assess the security of their business associates and third-party vendors/partners. The 2024 HIMSS Healthcare Cybersecurity Survey found that only 31% of the providers surveyed had a fully implemented risk management program, yet in 2024, reported data breaches showed that at least 80% of the breaches were related to business associates. Also included in the Proposed Rule is guidance for performing security risk assessments, something HIPAA has required since the Security Rule was implemented in 2005. Yet, in all five of the settlement agreements reached as of February 26, 2025, failing to conduct a risk assessment was noted as a contributing factor.

Unfortunately, past experiences indicate that a more forceful regulatory push is needed for the protection of PHI.

CompliancePoint has a team of professionals that can help healthcare organizations reach their cybersecurity and privacy goals, including HIPAA compliance. Reach out to us at connect@compliancepoint.com to learn more about our healthcare services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.