HSCC proposes collaborative approach to replace ‘arbitrary’ HIPAA Security Rule update

HSCC urges a shift to collaborative cybersecurity, aligning industry and government for enhanced patient safety and system resilience.
By admin
Apr 9, 2025, 2:17 PM

The Healthcare and Public Health Sector Coordinating Council (HSCC) called for the Trump administration to replace its December 2024 HIPAA Security Rule notice of proposed rulemaking with a one-year consultative process between government and industry leaders, according to a statement released on April 1. The group, representing more than 470 healthcare organizations, argues that only a collaborative model can effectively address the sector’s unique security challenges.

“As an alternative to the arbitrary HIPAA Security Rule notice of proposed rulemaking published in December, this collaborative process would align with the Administration’s pledge to Make America Healthy Again on the imperative that Cyber Safety is Patient Safety,” the HSCC wrote in a statement released on April 1. “It would build on the many leading healthcare cybersecurity practices developed by the industry over the last 7 years.” 

The HSCC’s proposal addresses a fundamental problem in healthcare cybersecurity – the disconnect between how regulations are created and the operational realities of healthcare delivery. 

The HSCC’s proposed framework would: 

  • Use existing security frameworks as starting points 
  • Allow government to define security outcomes while healthcare organizations determine implementation methods 
  • Create scalable guidelines appropriate for organizations of all sizes 
  • Include security standards for technology vendors 
  • Provide pathways for resource-limited providers 

The approach draws inspiration from how the successful NIST Cybersecurity Framework was developed – through structured collaboration between industry and government rather than top-down regulation. 

The healthcare cybersecurity community has already done significant groundwork, developing resources like the Health Industry Cybersecurity Practices (HICP), which received formal recognition under a 2021 law signed by President Trump during his first term.

For health technology leaders, the HSCC proposal represents a potential turning point. Rather than treating cybersecurity as a compliance exercise, it acknowledges that securing a rural hospital requires different tactics than protecting an academic medical center, even when the security objectives remain the same.  

“If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission,” said Greg Garcia, HSCC Cybersecurity Working Group Executive Director, in testimony before the House Energy and Commerce Oversight and Investigations Subcommittee on April 1. The hearing, focused on cybersecurity vulnerabilities in legacy medical devices, provided a platform for the HSCC to present its broader policy recommendations.

“A successful consultative process will lead to the government promulgating expectations for industry accountability to ‘the what’ – measurable cybersecurity outcomes – and the industry determining ‘the how’ – specific governance and technical controls we should be held to. Then together industry and government will be aligned to a framework that is flexible, measurable, accountable and effective, ultimately serving patient safety and infrastructure resilience.”
