By the EHR Association’s Privacy & Security Workgroup
Health care faces several security risks that make a focus on cybersecurity particularly critical. In particular, the industry is challenged by dual threats: highly valuable patient data (worth more on the black market than financial data at this point) and system interdependencies that directly introduce additional risk. A single cyber incident can disrupt hospital operations, delay treatments, and even jeopardize patient safety.
More than 20 years have passed since the HIPAA Security Rule was first implemented, and 12 years since its last significant update; in that time technology has changed dramatically and is no longer adequately addressed by the rules in place. Coupled with the fact that the threat environment has also expanded exponentially, the result is a mismatch between the current challenge and the regulatory environment that is supposed to help the industry respond.
OCR’s proposed update to the Security Rule, published earlier this year, accordingly aims to strengthen the cybersecurity baseline. While we support this goal, we also caution that successful implementation requires balance. The final mandates must be achievable, cost-effective, and aligned with industry best practices such as the NIST Cybersecurity Framework. Otherwise, smaller and rural hospitals will face unmanageable burdens.
While we may not see the final rule until 2026, healthcare organizations cannot afford to wait to implement critical safeguards. The following are our recommendations on actions that should be taken now to harden cybersecurity, along with a few considerations related to the recent creation of CMS-Aligned Networks by HHS.
Multi-Factor Authentication
Passwords alone are no longer enough to keep attackers out. By combining something you know (like a password) with something you have (like a device) or something you are (like a fingerprint), multi-factor authentication (MFA) provides a critical line of defense against credential theft.
The challenge is in its application. Requiring MFA every single time a clinician logs in could disrupt workflows, slow care, and add significant costs. Instead, MFA should be deployed only where its use provides the greatest security benefit, such as with remote access, privileged accounts, and high-value systems.
A risk-based approach, such as authenticating once per shift for on-site staff, strikes a better balance between security and usability.
Patch and Vulnerability Management
Cyber criminals often exploit known vulnerabilities. That’s why patching and vulnerability management are crucial: they close doors before attackers can walk through them.
Yes, healthcare IT environments are complex. Systems must often be tested before updates can be safely applied and, in some cases, providers must rely on vendors to release patches for specialized equipment. As such, immediately applying every update is not always possible. By aligning patch timelines with NIST standards or recommendations and prioritizing based on risk, organizations can maintain system stability while strengthening security.
Audit Trails and System Log Monitoring
Seeing what is happening inside your systems is just as important as locking the doors to prevent unauthorized access. With audit trails and log monitoring, organizations can detect unusual activity that might indicate an intrusion or misuse.
The challenge is volume. Healthcare systems generate enormous amounts of log data, and not every anomaly is a true threat. Without focus, teams can become overwhelmed by noise and miss the real signals of danger. A smarter approach is to prioritize monitoring of clinically critical systems and review anomalies that truly raise red flags. This type of risk-based monitoring helps detect threats early while keeping efforts manageable.
Based on guidance from the CMS Interoperability Framework, audit log transparency for patients should provide “an accounting record of all network-facilitated transactions, including for treatment, (accessed patient’s data, when, and why)”. This goes beyond local SIEM streams and suggests the need for queryable logs that capture all of the following:
- Requestor identity (patient, provider, app)
- Declared purpose of use (individual access, treatment, payment, operations)
- Consent context
- Data domains returned
- Response metadata
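As an added illustration, not part of the EHRA's text or of any CMS tooling, the Python below shows the kind of queryable, risk-focused log the two preceding sections describe: it parses constructed audit records carrying the fields listed above, answers a patient's "who accessed my data, when, and why" question, and flags only the records a reviewer should look at rather than every event. The field names and sample values are assumptions.

```python
import json
from datetime import datetime

# Constructed sample audit records (not real data), one JSON object per line,
# with requestor, purpose of use, consent context, domains and response metadata.
SAMPLE_AUDIT_LOG = """\
{"ts":"2025-03-01T08:02:11Z","patient":"P-1001","requestor":{"id":"dr.lee","type":"provider"},"purpose":"treatment","consent":"granted","domains":["medications","allergies"],"response":{"status":200,"records":12}}
{"ts":"2025-03-01T09:15:40Z","patient":"P-1001","requestor":{"id":"app-7","type":"app"},"purpose":"individual_access","consent":"granted","domains":["labs"],"response":{"status":200,"records":3}}
{"ts":"2025-03-01T11:47:05Z","patient":"P-1001","requestor":{"id":"svc-bill","type":"provider"},"purpose":"","consent":"granted","domains":["encounters"],"response":{"status":200,"records":40}}
{"ts":"2025-03-02T02:13:59Z","patient":"P-2002","requestor":{"id":"dr.lee","type":"provider"},"purpose":"treatment","consent":"restricted","domains":["mental_health"],"response":{"status":200,"records":2}}
"""

REQUIRED = ("ts", "patient", "requestor", "purpose", "consent", "domains", "response")

def parse_audit_log(text):
    """Parse JSON-lines audit records, rejecting any line missing a required field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            raise ValueError(f"audit record missing fields {missing}: {line[:60]}")
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records

def accounting_for_patient(records, patient_id):
    """Answer the patient's question: who accessed my data, when, and why."""
    return [
        (r["ts"].isoformat(), r["requestor"]["id"], r["purpose"] or "UNDECLARED", r["domains"])
        for r in sorted(records, key=lambda r: r["ts"])
        if r["patient"] == patient_id
    ]

def flag_anomalies(records):
    """Surface only the records a reviewer should look at, not every event."""
    flags = []
    for r in records:
        reasons = []
        if not r["purpose"]:
            reasons.append("no declared purpose of use")
        if r["consent"] != "granted" and r["response"]["records"] > 0:
            reasons.append("data returned despite consent not granted")
        if reasons:
            flags.append((r["ts"].isoformat(), r["requestor"]["id"], reasons))
    return flags
```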
Encryption
Encryption, which turns sensitive data into unreadable code unless you have the right key, remains a cornerstone of protecting patient information in transit and at rest. Whether it’s records sent between providers or data stored on servers, encryption is one of the most effective safeguards against unauthorized access. At the same time, it should be implemented in a way that preserves system performance and clinical usability.
Our core recommendation is to follow NIST-aligned crypto and deploy encryption where it most reduces real risk. This approach can still align with CMS’s “open, standards-based, market-friendly” blueprint.
While the CMS Framework doesn’t prescribe specific encryption algorithms, it does establish rules for identity, security, and trust that all networks should adhere to. To meet these rules, organizations would have to use encrypted connections by default and complete a recognized security certification (e.g., HITRUST or an equivalent), which typically requires strong encryption for data in transit and at rest.
Still, implementation has its challenges. Encrypting every layer of a system can require expensive hardware upgrades or slow system performance. Teams must evaluate where encryption adds the most value and where performance or costly hardware trade-offs would be warranted.
SMART Health Cards and QR Codes
CMS is promoting the use of SMART health cards and QR codes as part of its efforts to enhance health information sharing and streamline the exchange of medical histories between patients and providers. The goal is to improve outcomes and alleviate administrative burdens on providers by freeing them to focus on patient interactions and care quality.
While we support the overarching goal, implementation is crucial to its success, particularly where security is concerned. As such, we don’t recommend embedding PHI in the QR codes. A more secure approach is to encode a short-lived, audience-restricted reference that aligns with NIST standards by requiring IAL2/AAL2 reverification on the receiving side.
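As an added example, not from the EHRA or from the SMART Health Cards specification, the Python below shows the shape of the short-lived, audience-restricted reference recommended above: the QR payload carries only an opaque handle, the intended recipient and an expiry, signed by the issuer, and the receiving side refuses it when the signature, audience or expiry fails. The HMAC key shared between issuer and verifier is a stand-in for a cross-organization signature, and the field names are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; a real issuer would hold this in a KMS/HSM (assumption).
ISSUER_KEY = secrets.token_bytes(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_reference(record_ref: str, audience: str, ttl_seconds: int = 300, now=None) -> str:
    """Mint the token placed in the QR code: an opaque handle (no PHI), the
    intended recipient, a short expiry and a unique id, protected by an HMAC."""
    now = int(time.time()) if now is None else now
    payload = {"ref": record_ref, "aud": audience, "exp": now + ttl_seconds,
               "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_reference(token: str, expected_audience: str, now=None):
    """Receiving side: check signature, audience and expiry before the handle
    is resolved. Returns (ref, "ok") or (None, reason)."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None, "bad signature"
    payload = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if payload.get("aud") != expected_audience:
        return None, "wrong audience"
    if now >= payload.get("exp", 0):
        return None, "expired"
    return payload["ref"], "ok"
```

A valid token only yields the opaque handle; resolving it to records is where the receiving side applies the IAL2/AAL2 reverification the text calls for.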
Conclusion
Cybersecurity is not one-size-fits-all—context and criticality matter. Safeguards must be tailored to the systems and workflows that matter most for patient safety.
EHRA encourages providers and healthcare organizations to invest in core safeguards now (e.g., MFA, patching, monitoring, and encryption) while also advocating for federal policies that support risk-based, industry-aligned approaches. Together, we can strengthen healthcare’s defenses without compromising its mission to deliver care.
