I Moderated a Panel on the Proposed HIPAA Security Rule. Here’s What Three CISOs Actually Think.

Last week I had the privilege of moderating a panel at the AZ HIMSS West Coast Chapter event in Tempe, and the conversation did not disappoint. Three CISOs from different healthcare organizations sat down to talk through the proposed HIPAA Security Rule updates: what’s realistic, what’s not, and what keeps them up at night. Here’s what stood out.

The 72-Hour Recovery Requirement Is Ambitious to the Point of Crazy

This was the hottest topic of the panel and it wasn’t even close. The proposed rule would require organizations to restore critical electronic information systems and data within 72 hours of loss. On paper, that sounds reasonable. In practice? The panelists had questions. A lot of questions. When does the clock actually start – at the moment of the incident, the moment you detect it, or the moment you confirm what happened? What counts as “restored”? Are we talking full operational capacity or bare minimum functionality? And who’s defining “critical”? Because the EHR is obviously critical, but what about the ancillary systems that feed into it? The ambiguity in the proposed language leaves a lot of room for interpretation, and in a post-incident environment where you’re also dealing with forensics, legal, communications, and patient safety, 72 hours feels less like a target and more like a fantasy for many organizations.

The Vendor Accountability Gap Is Real; They’re Taking It Personally

If there was one thread that ran through the entire conversation, it was frustration. Not with the idea of stronger security — nobody on this panel was arguing against that. The frustration was with who’s being held to account. Providers are staring down mandatory encryption, annual pen testing, 72-hour restoration windows, and a mountain of new documentation requirements. Meanwhile, the vendors and third parties who often introduce the most risk into the ecosystem? They’re not facing anywhere near the same level of scrutiny. The proposed rule does tighten business associate requirements, but the panelists were pretty unified in feeling like the regulatory burden falls disproportionately on the provider side. When you’re the one getting fined while your vendor is the one who got breached, that stings.

Asset Inventory and Network Mapping: “We’ve Got This” (Do You Though?)

This one surprised me a little. All three panelists were fairly relaxed about the asset inventory and network mapping requirements. The general consensus was that mature security programs are already doing this work, and formalizing it into a regulatory requirement isn’t going to be a heavy lift. I’ll be honest, I’m a little skeptical. In my experience, the organizations that say they have a handle on their asset inventory often discover some interesting surprises when they actually sit down and document everything end to end. Medical devices, shadow IT, and legacy systems that nobody wants to claim ownership of all add up. I hope they’re right, but the conversations I’m having suggest otherwise.

Massive Costs, Zero New Funding

Here’s the elephant in the room that doesn’t get enough airtime. HHS estimated first-year industry costs at $9 billion. The proposed rule doesn’t come with a single dollar of additional funding to help organizations get there. For large health systems with deep pockets, this is a budget headache. For small and mid-size providers, rural hospitals, and safety-net organizations? It could be existential. The panelists were candid about the tension between wanting to do the right thing on cybersecurity and facing the reality that these investments compete directly with clinical programs, staffing, and patient care. Stronger security is not free, and pretending otherwise doesn’t help anyone.

Final Thoughts

Walking off that stage, the thing that stuck with me most was how pragmatic these CISOs were. They’re not fighting the direction of the rule; they get why it’s needed. They’ve seen the breaches, they’ve lived through the incidents, they understand the stakes. What they’re asking for is clarity, fairness, and a realistic path to get there. That doesn’t feel like too much to ask.

Big thanks to the AZ HIMSS West Coast Chapter for putting this together and to our three panelists for being willing to share what’s actually happening inside their organizations instead of the sanitized conference version. These are the conversations that move the industry forward.


Jacob Wheeler
Sr. Solutions Architect