Open Access

Table 5

Overview of healthcare cybersecurity in US governmental policy.

Columns: Policy or policymaker; Effects on cybersecurity that may relate to perfusion or healthcare.
Health Insurance Portability and Accountability Act (HIPAA) (1996)
  • Arguably the first step in healthcare cybersecurity.

  • Requires that covered entities maintain reasonable and appropriate safeguards for patient information in three categories: administrative, physical, and technical [6, 47].

  • Cybersecurity is not explicitly named, but it has a strong basis in this federal law, and many later policies and guidelines were built on this foundation.

Health Information Technology for Economic and Clinical Health (HITECH) (2009)
  • Built upon the privacy and security provisions of HIPAA, but primarily outlines penalties and the enforcement of HIPAA rules by the US DHHS Office for Civil Rights [48].

    • Breaches affecting 500 or more individuals must be reported to DHHS without unreasonable delay and no later than 60 days after discovery [9, 15].

    • In 2023, civil penalties ranged from $137 to $68,928 per HIPAA violation, with an annual cap of $2,067,813 per covered entity [49].

  • Adds nothing to HIPAA’s technical safeguards and does not encourage advances in cybersecurity practice.

  • Set financial incentives for healthcare providers to establish “meaningful use” of an electronic medical record [6], and kick-started the mass conversion to digital record keeping.

  • EMRs do improve patient care [10]; however, their mass implementation also exposed patient data by encouraging the creation of enormous patient databases with little or no cybersecurity guidance [9].

National Institute of Standards and Technology (NIST)
  • Falls under the umbrella of the US Department of Commerce.

  • Hosts the National Vulnerability Database (NVD), a public catalogue of published vulnerabilities (CVE records with severity scoring). Both MDMs and hospital IT departments can consult it for current information on vulnerabilities they may need to patch [9].

  • Released the first Framework for Improving Critical Infrastructure Cybersecurity in 2014, based on Executive Order 13636 [50].

  • The framework outlined ways that industries could manage cybersecurity risk without placing any regulatory requirements on them [51]. A draft update was circulated in 2017 and version 1.1 was released in 2018 with clearer guidance for industry, though adoption of the framework remained voluntary.

Food and Drug Administration (FDA)
  • An agency within the Department of Health & Human Services.

  • Issues pre- and post-market cybersecurity guidance for MDMs and updates these guidance documents every few years.

  • New pre-market guidance slated for 2025 to better define which devices are required to comply with cybersecurity regulations [36].

  • As with the NIST framework, the pre- and post-market guidance is nonbinding and unenforceable, but disregarding it can delay a product’s path to market.

  • The Food and Drug Omnibus Reform Act (FDORA) of 2022 mandated cybersecurity for any device that meets the definition of a “cyber device” (Table 3). Went into effect for any medical device seeking approval for market after March 29, 2023.

  • FDORA requires that MDMs plan to support cybersecurity updates throughout the lifecycle of the product, whenever risks, threats, and vulnerabilities are discovered that may affect the device. Patches must be available on a “reasonably justified regular cycle”.

  • FDORA also requires manufacturers of cyber devices to have a coordinated vulnerability disclosure process, which in practice is often a page on the company website where individuals can report cybersecurity vulnerabilities so that they can be addressed [36].

Cybersecurity & Infrastructure Security Agency (CISA)
  • A part of the US Department of Homeland Security that oversees sixteen sectors that have been deemed critical infrastructure, including the Healthcare and Public Health sector.

  • Currently working to shift the burden of cybersecurity onto technology providers and software developers rather than consumers, with an extended scope aimed at securing software supply chains and thereby reducing risk to the economy and national security [52].

  • Works to improve information sharing between the federal and private sectors, in line with the 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) [53].

  • Defers to the US DHHS as the sector risk management agency for Healthcare and Public Health. DHHS has not updated the sector-specific plan since 2015 and in turn defers to NIST’s framework.
