It's worth noting that cybersecurity requirements can be a mechanism of control.

As a government regime, do you want to build an effective surveillance system where health data on large numbers of suspects can be pulled into a data fusion system at the push of a button, once a judicial framework for rubber-stamping is in place? And do you want to be able to pressure vendors into not supporting certain types of research/analysis and even direct patient care that could be construed/presented as counter to the regime's goals?

Both of these are easier when smaller vendors are forced out and larger vendors are the only ones left standing. As such, regulatory capture becomes a mutually beneficial tool to dominant vendors and regulators alike.

There are few coincidences when lobbying is involved. Which is not to say that cybersecurity improvements aren't a good thing! But speed and mechanisms of required rollout need to be balanced. And with the numerous signatories of [0] opposing the rule and describing "unreasonable implementation timelines," it's hard to say that this is entirely done in the interest of patients.

[0] https://assets.ctfassets.net/opszt4tga0mx/4QrJlGP2EkCiZjgvGx... (2025)

As is the case with SOC2, the "vulnerability scan" requirement here is likely to be meaningless; any automated process that can plausibly be described as instrumental in finding some kind of vulnerability is a "vulnerability scan", so all you have to do is run nmap.

Here's the full proposed rule: https://www.federalregister.gov/documents/2025/01/06/2024-30...

The institutional moats grow ever wider.

PCI-DSS still takes the cake for most oppressive rules out of all the compliance frameworks. The notion that your system might become "in-scope" is one of the scariest things you have to deal with. Avoiding this designation is almost always easier than satisfying all the controls they prescribe. Stripe & friends have it really good. I don't know who their equivalents are in the health care industry but I am certain they exist.

I don't understand why there shouldn't be a strict-liability play here on top of penalties for knowing violations.

You lose all your customer's data to a darknet leak? We should be taking a huge chunk out of your balance sheet.

My insurer has disclosed names, social security numbers, and ENTIRE MEDICAL CASEFILES for their entire client base more than once at this point in overlapping data breaches. Why exactly don't they owe me $10k for my trouble, or N% shares of the company? If that's too much, why do these penalties exist for knowing disclosure, if incompetence is so tolerated that knowing disclosure does no damage?

It's so grating to read obviously LLM-generated text, even more so from a company that is asking us to hire them for a security audit.

AI writing makes somewhat more sense on tech blogs. Where a business' value proposition is "We are knowledgeable and reliable about computer security", it seems unwise.

It really depends on who is testing and enforcing these standards. I have worked in this area, built scalable systems for medicare. The annual pen testing used to be a joke. Any consultant who would come had no clue what was being built, how the process worked - and they wouldn't even care to understand. After a meeting, we'd get the notification that the pen testing was successful. So, on paper you can change any rule - if the consultants you are hiring don't give a shit (which they usually don't)- nothing gets enforced. We would go out of our 'job responsibilities' to do internal testing of all sorts (the external agency would not even do 2% of that).

Wait a second. If encryption is required for all ephi, that means faxes will finally die, right? Right??? Please!

How kind of them to require 2FA without requiring the governments to issue real 2FA tokens for use in signing / interacting. No doubt this will require some rootkit 'authenticator' app on the consumer's purchased mobile device that they are then not allowed to truly own.

Interesting. I haven’t fully read through the rule change, but seems like HHS is directly adopting the controls required by HITRUST? I have been out of the industry for a while. Always interesting how the industry shapes regulation and vice versa.

Is this why every healthcare website has 2FA now? It's so annoying.

eh how are they going to make the usual small practice do "penetration testing"?