Newly proposed federal legislation, titled the Health Infrastructure Security and Accountability Act (HISAA), instructs the Department of Health and Human Services (HHS) to establish minimum cybersecurity requirements for the healthcare industry.

Cybersecurity threats often surface with little to no warning, catching organizations off guard and forcing them into a reactionary posture. Many companies feel confident in their level of preparedness, but the true measure of that readiness is exposed only when a cyber incident occurs. Without a functional and practiced Cyber Incident Response Plan (CIRP), even the best intentions can fall short, leaving businesses vulnerable when it matters most.

Based on years of experience guiding healthcare companies through catastrophic ransomwares, we highlight a few takeaways from the Change incident and what this could mean for the future of cybersecurity standards in the healthcare industry.

Businesses navigating the new SEC cybersecurity requirements must prioritize risk management, incident reporting, and governance. The new SEC rules demand comprehensive disclosures and a proactive stance on digital threats, underscoring the importance of readiness and strategic compliance planning. Key focuses include enhancing data protection practices and ensuring timely, transparent communication with investors.