6 Key Regulations for Healthcare Cybersecurity

Healthcare cybersecurity is always changing. As an organization, you have to follow a complex web of rules, and a single violation can put you on the hook for fines that run from thousands to millions of dollars. Unfortunately, this means that in addition to your core competency, providing quality healthcare, your organization also needs expertise in cybersecurity. It's the only way to keep your patients safe while avoiding the breaches and HIPAA penalties that remain common in the healthcare industry.

All healthcare cybersecurity regulations matter, but some are more critical than others. Let’s break down the six most important regulations and frameworks for healthcare cybersecurity.

1. HIPAA Security Rule

You already know about HIPAA, but its Security Rule is arguably the most important regulation for healthcare cybersecurity. If you're a covered entity or a business associate of a covered entity, you have to follow the HIPAA Security Rule. The Security Rule is deliberately technology-neutral: it lists "required" and "addressable" implementation specifications but leaves the choice of specific controls to you. Addressable does not mean optional; if you decide a specification is not reasonable and appropriate for your environment, you must document why and implement an equivalent alternative.

At a minimum, the Security Rule requires you to conduct a risk analysis and to review it periodically. The rule itself does not set a fixed interval; annual reviews are common practice, and HHS expects the analysis to be revisited whenever your environment changes (a new EHR, a merger, a new cloud service). Since every healthcare organization has some level of risk, this analysis helps you understand where your risks are and make a plan to mitigate them. The Security Rule also requires administrative, physical, and technical safeguards for all ePHI.

2. HHS 405(d)

The 405(d) program is a collaborative effort between the healthcare industry and the U.S. Department of Health and Human Services (HHS). Its output is voluntary guidance rather than a binding regulation. Under the Cybersecurity Act of 2015 (CSA), Section 405(d), HHS created the CSA 405(d) Task Group. The Task Group's goal is to create a "common set of voluntary, consensus-based, and industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to enhance cybersecurity."

The result of this effort is a framework called Health Industry Cybersecurity Practices (HICP), which helps organizations implement healthcare cybersecurity best practices and scales its recommendations by organization size (small, medium, and large). HICP is revised periodically, and its practices cover:

  • Email
  • Endpoint protection
  • Access management
  • Data loss prevention
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

3. HITECH

HITECH applies to all HIPAA covered entities and their business associates. Enacted in 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) promotes the adoption and meaningful use of healthcare technology such as electronic health records (EHR). It also added new requirements to address the patient privacy and security concerns that come with sharing protected health information (PHI) electronically.

HITECH specifically addresses patient privacy concerns, but it also made civil and criminal HIPAA penalties more severe. HITECH also:

  • Directed HHS to conduct periodic compliance audits of covered entities and business associates.
  • Created the tiered HIPAA civil penalty system, with penalties scaled to the level of culpability.
  • Made business associates directly liable for complying with the Security Rule and applicable Privacy Rule provisions.
  • Established the Breach Notification Rule, which requires notifying affected individuals, HHS, and in larger breaches the media.

4. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) applies to any healthcare organization that accepts or processes payment cards. PCI DSS is a contractual standard enforced by the card brands and acquiring banks rather than a law, and it covers cardholder data rather than PHI. It isn't unique to the healthcare industry, but any provider that takes card payments should know it.

PCI DSS governs how you process, store, and transmit cardholder data, so if you touch patient card data at all, you must comply with it. The practical lever is scope: every system that stores, processes, or transmits card data, or can affect the security of those systems, is in scope. Routing payments through a validated third-party processor and never storing card numbers yourself shrinks that scope considerably, which is why many practices keep card handling entirely out of their clinical networks.

5. QSR

Attackers now target medical devices, which often lack the defenses of a laptop or even a mobile device in the same healthcare setting: long support lifecycles, embedded operating systems that can't be patched on a normal schedule, and limited room for endpoint agents.

In response, the FDA's Quality System Regulation (QSR, 21 CFR Part 820) applies to organizations that manufacture medical devices; it does not directly bind the practices that use them. Providers feel it indirectly, through the security of the devices they buy and the updates manufacturers supply. The QSR's design controls and risk management requirements, together with the FDA's device cybersecurity guidance, expect manufacturers to:

  • Design medical devices to prevent unauthorized access
  • Conduct risk management across the device lifecycle
  • Monitor deployed devices for vulnerabilities and misuse
  • Provide firmware updates and support regular maintenance

On the provider side, that translates into keeping an inventory of connected devices, applying manufacturer updates promptly, and isolating on the network any device that cannot be patched.

In early 2022, the FDA proposed changes to the QSR in an effort to harmonize worldwide quality management systems by aligning the regulation with the ISO 13485 standard, renaming it the Quality Management System Regulation (QMSR). The FDA finalized that rule in February 2024, with an effective date of February 2, 2026.

6. HITRUST

Unlike the other regulations on this list, HITRUST isn't actually a law. It's a certifiable framework, the HITRUST CSF, created by the HITRUST Alliance in collaboration with healthcare, technology, and cybersecurity organizations. Its controls map to HIPAA and to other standards such as NIST, so it's a useful way to strengthen your own compliance program and to evaluate the cyber compliance of third-party vendors, many of which present a HITRUST certification as evidence of their security posture.

HITRUST gives you a framework for monitoring:

  • Endpoints
  • Mobile devices
  • Wireless security
  • Configuration management
  • Access management
  • Risk management
  • Physical security

Again, HITRUST isn’t a requirement, but it provides a helpful framework for healthcare organizations that need clarity and direction.

Simplify Cybersecurity Compliance

Digital transformation is a must for healthcare, but it opens organizations up to more risk. Many attacks go unnoticed for weeks or months, which means the damage is often already done by the time you detect the breach.

This is why healthcare organizations need to know where their patient data lives and take proper measures to protect it. These six regulations and frameworks offer guidance, but they still put the onus on healthcare providers to lock down their own systems.

That’s where Tausight comes in. Tausight’s Situational ePHI Awareness solution helps healthcare organizations identify ePHI throughout the healthcare ecosystem and continuously validate cyber preparedness. Tausight provides a comprehensive, real-time view of all structured and unstructured PHI as it’s created, copied, stored, transferred, and shared among healthcare providers, patients, third-party entities, and applications.

The platform also creates an immutable, off-site audit trail with forensic-level detail across all endpoints, speeding the time to recovery from cyber incidents should they occur. Contact us today to learn how Tausight can help you gain visibility into your ePHI and minimize your risk.


David Ting

Founder and CTO, Tausight
