HIPAA Security Rule Updates

In what may be remembered as one of the most contentious regulatory battles in modern healthcare, over 100 hospital systems and provider associations have united to demand the withdrawal of the Biden administration’s sweeping update to HIPAA’s Security Rule. The December 8, 2025 letter to HHS Secretary Robert F. Kennedy Jr. represents an unprecedented coalition pushing back against regulations designed to protect patient data in an era of escalating cyberattacks.

The timing is striking: healthcare is hemorrhaging from cyber wounds, yet the industry is rejecting what regulators view as essential medicine.

The Perfect Storm: When Cybersecurity Crisis Meets Regulatory Reality

The numbers paint a devastating picture. In 2024, healthcare experienced 444 reported cybersecurity incidents, including 238 ransomware attacks and 206 data breaches, making it the most targeted critical infrastructure sector in America. Healthcare organizations faced 181 confirmed ransomware attacks involving 25.6 million patient records, with average ransom demands reaching $5.7 million.

The Change Healthcare attack in February 2024 stands as a watershed moment. A ransomware affiliate compromised credentials for a Citrix portal lacking multi-factor authentication, ultimately affecting an estimated 190 million individuals—69% of all healthcare records breached that year. The company paid $22 million to attackers, only to be victimized again when the ransomware group pulled an exit scam. UnitedHealth Group’s total losses exceeded $2.9 billion.

For healthcare executives watching systems crash, patient care disrupted, and ransoms escalate, the message seemed clear: something had to change. The Department of Health and Human Services agreed.

The Biden Administration’s Parting Shot

On January 6, 2025, the Office for Civil Rights published its Notice of Proposed Rulemaking—a nearly 400-page document representing the first major update to the HIPAA Security Rule since 2013. The proposed changes were ambitious, detailed, and expensive.

According to the HHS, the regulation would address fundamental vulnerabilities that have allowed attackers to exploit healthcare systems. The update would eliminate the distinction between “required” and “addressable” implementation specifications, making nearly all security measures mandatory. Organizations would need to maintain detailed technology asset inventories, conduct annual network mapping, implement mandatory encryption for all electronic protected health information both at rest and in transit, and deploy multi-factor authentication across all systems.

HHS estimated first-year costs at approximately $9 billion, with annual costs of $6 billion for years two through five, totaling $34 billion over five years. The agency argued these investments would pay for themselves if they reduced breaches by just 7 to 16 percent.

The proposed rule also imposed strict timelines: organizations would have just 240 days to achieve full compliance after finalization—60 days until the rule becomes effective, plus 180 days to implement all requirements.

The Industry’s Resounding “No”

But the healthcare industry saw something very different in those 390 pages: an impossible mandate that fundamentally misunderstands the operational realities of modern healthcare delivery.

The December 8 coalition letter, led by the College of Healthcare Information Management Executives (CHIME) and signed by organizations including Cleveland Clinic, Yale New Haven Health System, Advocate Health, the American Medical Association, and the American Academy of Pediatrics, rejected the proposal outright. The signatories called for immediate withdrawal and urged HHS to instead conduct a collaborative outreach initiative to develop practical cybersecurity standards without extreme regulatory burden.

Russell Branzell, CHIME’s president and CEO, articulated the industry’s frustration: CHIME members are deeply committed to protecting patient data but are not asking for less security—they are asking for smarter policy. The proposal, he argued, would impose rigid technical mandates adding cost and complexity without meaningfully improving cybersecurity.

The coalition’s concerns center on several critical issues:

Financial Impossibility: Small and mid-sized healthcare providers simply cannot absorb billions in unfunded mandates. Rural hospitals operating on razor-thin margins would face existential choices between cybersecurity compliance and keeping doors open for patient care.

Operational Disruption: The 240-day implementation timeline fails to account for the complexity of healthcare IT environments. Provider groups cited the complexities of modern healthcare IT as evidence against the tight implementation timeline, noting that these systems can’t be overhauled like installing new software—they support life-and-death patient care 24/7.

One-Size-Fits-All Approach: The rule treats a 15-bed rural clinic the same as a major academic medical center. Healthcare leaders argue that effective cybersecurity standards must be flexible enough to accommodate the wide range of provider organizations while setting strong protections that allow innovation.

Resource Diversion: Perhaps most troubling, the requirements would pull limited IT and financial resources away from direct patient care. In an industry already struggling with staffing shortages and financial pressures, the opportunity cost is measured in delayed treatments and reduced access to care.

The Deeper Regulatory Debate

This standoff reveals a fundamental tension in cybersecurity regulation. Should government mandate specific technical controls, or should it set performance standards and allow organizations flexibility in how they achieve security?

The previous Trump administration favored incentivizing voluntary adoption of cybersecurity best practices. Prior to the proposed Security Rule update, HHS published voluntary Cybersecurity Performance Goals offering guidance without mandatory compliance. Many in the industry preferred this collaborative approach.

The Biden administration took the opposite view: voluntary measures weren’t enough given the accelerating threat landscape. OCR issued the rule to strengthen cybersecurity protections for electronic protected health information, updating standards to better address ever-increasing cybersecurity threats.

Critics of the proposed rule point to legal complications that undermine its foundation. In University of Texas M.D. Anderson Cancer Center v. HHS, the 5th Circuit held that implementing encryption mechanisms satisfied regulatory requirements even if they didn’t result in encrypting all data. The new rule explicitly responds to this decision by requiring organizations to not just implement but “deploy” and ensure controls are “actually in use and operational”—a standard that may prove legally contentious.

An Alternative Path Forward?

Interestingly, a potential compromise emerged the same week as the coalition letter. A bipartisan quartet of Senators reintroduced the Health Care Cybersecurity and Resiliency Act of 2025. This legislation includes many similar cybersecurity provisions but couples mandates with grants to help hospitals, cancer centers, rural health clinics, and other facilities afford improvements.

The bill requires updates to HIPAA including mandatory multi-factor authentication, encryption of health information, and regular cybersecurity audits—remarkably similar to the proposed Security Rule. But the availability of federal grants fundamentally changes the equation, addressing the industry’s core concern about unfunded mandates.

Whether this legislative approach gains traction remains uncertain, but it demonstrates there may be middle ground between regulatory abdication and regulatory overreach.

What Happens Next?

The proposed Security Rule’s fate now rests with the Trump administration’s HHS leadership. The comment period closed March 7, 2025, and OCR is reviewing submissions. Given the extent of industry opposition and the new administration’s general skepticism of burdensome regulations, significant revision or complete withdrawal seems likely.

Meanwhile, the attacks continue. In 2024, 67% of healthcare organizations experienced ransomware attacks, up from 60% in 2023. Recovery times are lengthening—only 22% of victims fully recovered in a week or less in 2024, down from 47% in 2023. The average recovery cost excluding ransom payments reached $2.57 million, up from $1.82 million the previous year.

Healthcare remains under siege. Patient records continue flowing to criminal networks. Systems crash, surgeries are delayed, and emergency rooms divert ambulances. The question isn’t whether healthcare cybersecurity needs dramatic improvement—everyone agrees it does.

The question is how.

The Uncomfortable Truth

Here’s what makes this debate so difficult: both sides have legitimate points.

The proposed rule would impose crushing burdens on already-struggling healthcare providers, potentially forcing some to close or dramatically curtailing services. The one-size-fits-all approach ignores the vast differences between healthcare organizations. The implementation timeline is unrealistic. And yes, the cost is staggering.

But also: healthcare cybersecurity is objectively terrible. Attackers are winning. The voluntary approach tried over the past several years hasn’t worked. Healthcare made 592 regulatory filings of reported hacks to OCR in 2024, impacting a record 259 million Americans. That’s not a cybersecurity posture; it’s a catastrophe.

The Change Healthcare breach demonstrated that consolidated healthcare systems create single points of failure threatening the entire U.S. healthcare infrastructure. The scale of disruption prompted lawmakers to question how a company as large as Change Healthcare could fail to implement multi-factor authentication—a fundamental protection that costs relatively little but prevents devastating breaches.

A Path Through the Impasse

The coalition letter offers a constructive path forward: develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden.

What might this look like in practice?

Risk-Based Requirements: Scale obligations to organizational size, resources, and risk profile. A critical access hospital shouldn’t face the same requirements as a major health system, but both should meet appropriate baseline protections.

Phased Implementation: Give organizations realistic timeframes for compliance, perhaps 2-3 years for full implementation with checkpoints along the way.

Federal Support: Follow the model of the Health Care Cybersecurity and Resiliency Act by coupling mandates with grants, particularly for rural and underserved providers.

Technical Flexibility: Specify security outcomes rather than prescriptive technical controls. Mandate that data must be protected, but allow organizations to choose from multiple approved approaches.

Shared Responsibility: Acknowledge that no security is perfect. Consider the HITECH Act’s provisions allowing HHS to consider organizations’ security practices when determining penalties after breaches.

Ongoing Collaboration: Create formal mechanisms for continuous dialogue between regulators and providers as threats evolve.

The Stakes Couldn’t Be Higher

As this regulatory battle unfolds, real-world consequences mount. Every day the standoff continues is another day vulnerable systems remain exposed. But rushing forward with unworkable regulations could destabilize healthcare delivery itself.

The Biden administration’s proposed HIPAA Security Rule update represented a sincere attempt to address a genuine crisis. The industry’s rejection reflects real concerns about operational and financial feasibility. Both perspectives deserve serious consideration.

What’s needed now is precisely what the coalition letter requests: genuine collaboration between regulators and regulated entities to develop cybersecurity standards that are both effective and implementable. Healthcare cybersecurity can’t continue on its current trajectory—the human cost is too high. But neither can we accept solutions that undermine healthcare delivery in the name of security.

The Trump administration’s HHS leadership faces a defining choice: double down on the proposed rule, withdraw it entirely, or chart a middle course that achieves meaningful security improvements without breaking healthcare providers. That decision will shape not just regulatory policy, but patient safety and data security for years to come.

For now, healthcare remains caught between escalating cyber threats and a regulatory framework that has failed to keep pace. The question isn’t whether change is needed—it’s whether that change will be forced through contentious regulation or achieved through genuine partnership.

The next chapter in this story will determine whether healthcare finally gets the cybersecurity framework it desperately needs, or whether the perfect becomes the enemy of the good, leaving everyone worse off than before.
