When “Voluntary” Isn’t Optional: How CMS Cybersecurity Expectations Are Becoming De Facto Requirements

For years, healthcare cybersecurity guidance has been framed as voluntary: best practices encouraged, but not strictly enforced. That line is blurring.

As CMS and HHS place greater emphasis on resilience, patient and resident safety, and operational continuity, cybersecurity expectations are quietly shifting from guidance to practical requirements for program participation and funding. The message to healthcare organizations is clear: demonstrable security outcomes matter more than documented intent.

Recent federal funding initiatives and policy signals point to a growing focus on measurable performance rather than compliance checkboxes. In particular, HHS's voluntary Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs) are emerging as the baseline reference for what "reasonable and appropriate" security looks like in practice.

Several expectations are rising to the top:

Multi-Factor Authentication (MFA) is increasingly viewed as a minimum control, especially for remote access and privileged accounts. Organizations that still treat MFA as optional, or that have deployed it only partially (for example, on remote access but not on administrative accounts), are finding it harder to justify the exceptions.

Incident Response Readiness, including the ability to restore critical electronic systems within 72 hours of a cyber incident, is no longer a theoretical target. Regulators and oversight bodies are looking at whether response plans are tested, operational, and aligned to real-world clinical environments, not just whether they exist on paper.

Asset Visibility, particularly for connected medical devices (IoMT), is becoming foundational. Healthcare organizations are expected to maintain accurate, near-real-time inventories, not only for security but also to support faster containment and recovery when an incident occurs; a device that is not in the inventory cannot be isolated or restored on any timeline.

What’s notable is that none of these expectations is new. What is new is how tightly they are being linked to accountability, funding scrutiny, and organizational readiness. “Voluntary” frameworks are increasingly functioning as de facto standards against which preparedness is evaluated.

For healthcare leaders, this creates a critical inflection point. Compliance alone is no longer sufficient: cybersecurity must be operationalized, integrated into daily workflows, continuously measured, and validated through real-world testing.

Healthcare organizations that are making progress are focusing on three areas:

  • Visibility across users, devices, and environments
  • Response maturity, including tested incident response and recovery processes
  • Governance alignment, ensuring policies, controls, and operations tell the same story

As regulatory expectations continue to evolve in 2026, the question is shifting from “Are we compliant?” to “Can we prove we’re ready?”

CloudWave Perspective

Turning “Voluntary” Expectations into Operational Readiness

At CloudWave, we see these evolving CMS and HHS expectations as a shift toward operational proof rather than policy intent. Healthcare organizations are increasingly being evaluated on what they can see, respond to, and recover from in real time.

That’s why CloudWave focuses on helping healthcare organizations operationalize cybersecurity across three core areas:

  • Visibility-first security operations, ensuring assets, identities, and activity are continuously monitored
  • Incident response readiness, including tested response plans and recovery timelines aligned to real-world clinical environments
  • Governance and compliance alignment, working with BlueOrange Compliance to translate regulatory expectations into measurable, defensible controls

The goal isn't just compliance; it's confidence that, when scrutiny comes, readiness can be demonstrated.