Newly proposed federal legislation, titled the Health Infrastructure Security and Accountability Act (HISAA), instructs the Department of Health and Human Services (HHS) to establish minimum cybersecurity requirements for the healthcare industry.

Cybersecurity threats often surface with little to no warning, catching organizations off guard and forcing them into a reactionary posture. Many companies feel confident in their level of preparedness, but the true measure of that readiness is exposed only when a cyber incident occurs. Without a functional and practiced Cyber Incident Response Plan (CIRP), even the best intentions can fall short, leaving businesses vulnerable when it matters most.

Based on years of experience guiding healthcare companies through catastrophic ransomwares, we highlight a few takeaways from the Change incident and what this could mean for the future of cybersecurity standards in the healthcare industry.