Building a resilient cybersecurity program amidst regulatory change
Adapting to evolving regulations while strengthening healthcare cybersecurity
Jul 16, 2025 · Authored by Nicole Kramer
Shifting from regulatory compliance to cyber resilience
Cyberattacks targeting healthcare organizations are becoming increasingly sophisticated and widespread, while regulatory requirements continue to grow in complexity. This dual pressure raises a critical question for healthcare leaders: Should the priority be strict adherence to every new regulation, or building a cybersecurity foundation that is resilient, adaptive and future-ready?
The answer is clear — prioritize cyber resilience.
Rather than reacting to each regulatory shift, healthcare organizations should focus on developing a robust cybersecurity program that proactively safeguards patient data and critical systems. A resilience-first approach not only positions organizations to meet complex compliance requirements more naturally, but also strengthens their ability to anticipate, withstand and recover from emerging threats. By shifting the mindset from compliance-driven to resilience-driven, healthcare leaders can better protect their institutions—and the people who depend on them.
A practical starting point lies in adopting the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which is endorsed by the Office for Civil Rights (OCR) as a reliable structure for risk-based security programs. Anchoring efforts on this framework enables healthcare organizations to align their cybersecurity strategies with recognized standards while preparing for regulatory changes.
A strong core cybersecurity program matters
The value of a strong cybersecurity program extends far beyond legal compliance. At its core, it serves to protect sensitive patient information and uphold the trust that is fundamental to the provider-patient relationship. Patients expect their health data to remain private and secure. When that trust is broken—through a breach or security lapse—it can undermine confidence not only in the organization’s technology, but in the quality of care itself.
By investing in a resilient cybersecurity foundation, healthcare organizations reinforce both their legal obligations and their ethical commitment to patient safety and trust.
As regulatory demands continue to evolve, a resilient cybersecurity foundation offers organizations the agility they need to adapt. Those with a strong baseline of security controls and a selected framework are able to integrate new requirements seamlessly, without the disruption and urgency that come from scrambling to comply.
Moreover, a strong cybersecurity program significantly reduces the risk of data breaches, which can disrupt hospital operations, compromise patient safety, and result in substantial financial and reputational damage. By prioritizing resilience, organizations not only minimize these risks, but also strengthen their overall security posture — ensuring they are prepared for both today’s threats and tomorrow’s challenges.
How emerging regulations layer onto your core program
While a core cybersecurity program provides the foundation, emerging regulations add layers of specificity and expectation. Understanding these new requirements is essential for healthcare organizations to stay ahead of the curve:
Recent proposed updates to the HIPAA Security Rule signal a shift toward more prescriptive requirements. Key changes include eliminating the distinction between "required" and "addressable" safeguards, thereby creating stricter compliance obligations. Core practices like asset inventories, network mapping, multi-factor authentication (MFA) and encryption are poised to become standard, non-negotiable elements of a compliant security program.
In addition, the updates formalize critical operational processes like incident response planning and disaster recovery, while placing greater emphasis on audit readiness and comprehensive workforce training. By embedding these elements into their cybersecurity programs, healthcare organizations can not only align more effectively with HIPAA’s evolving standards but also enhance their overall security posture, reinforce patient trust, and ensure continuity of care.
New York State cybersecurity regulation (10 NYCRR 405.46)
New cybersecurity regulations in New York are driving transformative change across the healthcare sector. These include establishing a risk-based cybersecurity program, appointing a chief information security officer (CISO), ensuring board-level oversight and implementing a 72-hour breach notification rule.
A key component of the regulation is the requirement for annual vulnerability assessments and penetration testing—now considered standard practice. In addition, leading organizations are adopting continuous vulnerability scanning to proactively identify and address security gaps. Together, these measures not only support regulatory compliance but also significantly enhance an organization’s ability to defend against cyber threats and maintain operational resilience.
Certain provisions went into effect in October 2024, with full compliance expected by October 2025.
Effective Oct. 2, 2024: Immediate requirement to report cybersecurity incidents within 72 hours of determination. This applies to all Article 28 general hospitals licensed under PHL §2801(10) — not nursing homes or clinics.
Effective Oct. 2, 2025: Full suite of requirements must be in place. Hospitals that have already implemented the NIST CSF and HIPAA Security Rule standards will be better prepared to comply with these new obligations.
Practical advice for healthcare organizations
To effectively address these emerging regulations, healthcare organizations should focus on these key strategies:
- Conduct a regulatory gap assessment: Compare current cybersecurity practices against HIPAA Security and Privacy Rule standards, emerging federal updates and state-specific laws.
- Strengthen foundational capabilities: Focus on risk analysis, governance, asset inventories, threat monitoring and formalized incident response.
- Integrate federal and state requirements: Embed specific compliance obligations — such as breach notification timelines and discharge documentation — into overarching security and privacy programs to ensure consistency and readiness.
- Prepare for enforcement and audits: Establish internal audit routines, maintain clear and accessible documentation, and ensure workforce training keeps pace with evolving regulatory expectations.
- Foster cross-departmental collaboration: Cybersecurity is no longer just an IT issue. Legal, operational, and clinical teams must work together to ensure a holistic, organization-wide approach to protecting patient data and maintaining trust.
Conclusion
While navigating the complexities of evolving cybersecurity regulations may seem daunting, starting with a strong, resilient cybersecurity foundation empowers healthcare organizations to adapt with confidence. Rather than reacting to each new requirement, organizations with a mature security posture can integrate regulatory changes more efficiently and strategically.
By prioritizing resilience, healthcare providers not only meet compliance obligations — they also protect critical operations, preserve their reputation, and most importantly uphold patient trust.
Our Baker Tilly cybersecurity specialists are here to support your journey. Let us help you build a program that’s not just compliant, but truly secure.