# The New Health Law and Its Implications for Securing Healthcare Organizations

By [Anand Oswal](https://www.paloaltonetworks.com/blog/author/anand-oswal/?ts=markdown "Posts by Anand Oswal"), Feb 19, 2021

Earlier this year, [H.R. 7898](https://www.congress.gov/bill/116th-congress/house-bill/7898/text?r=24&s=1) was signed into law as Public Law No. 116-321, amending the Health Information Technology for Economic and Clinical Health (HITECH) Act. The new statute requires that the U.S.
Department of Health and Human Services (HHS) consider the extent to which HIPAA-covered entities and their business associates are prioritizing cybersecurity and implementing "recognized security practices" when HHS is assessing fines or penalties related to enforcement of the HIPAA Security Rule.

While the full scope of what officially constitutes a "recognized security practice" has yet to be defined, the new law does explicitly identify two established industry standards and practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and "the approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015" (CSA). These approaches are a clear reference to the [CSA 405(d) Task Group](https://www.phe.gov/Preparedness/planning/405d/Pages/default.aspx), established through HHS's existing Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. Starting in 2017, the group convened with a mission to develop a common set of voluntary, consensus-based, and industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to enhance cybersecurity. In 2018, the Task Group published ["Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients"](https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx). Though these were published as voluntary practices, entities hoping to avoid HIPAA penalties will likely have a new reason to voluntarily adopt them if and when H.R. 7898 is fully implemented.

#### *We helped shape cybersecurity best practices that the new law advocates for.*

Palo Alto Networks and former Zingbox (acquired by Palo Alto Networks in September 2019) security experts were honored to partner with both security standard-setting parties highlighted in the bill.
We have been intimately involved in the CSA 405(d) Task Group best practice development effort since its beginning. During the development of the HICP standards, we offered our expertise on cyber threat prevention in the healthcare sector, with a focus on best practices in medical device security. Based on our years of research and real-world monitoring and protection of millions of medical devices, we worked with the CSA 405(d) Task Group members to identify unique cybersecurity challenges and lay out vendor-agnostic guidance to identify, monitor and secure the Internet of Medical Things (IoMT).

Palo Alto Networks' involvement in the HICP development effort is just one example of our broader company commitment to shaping global security standards to reflect industry-leading capabilities. Beyond HICP, Palo Alto Networks also partnered with NIST and the National Cybersecurity Center of Excellence to produce [Securing Picture Archiving and Communications Systems](https://www.nccoe.nist.gov/projects/use-cases/health-it/pacs) (PACS), a reference architecture demonstrating how Palo Alto Networks technologies can help healthcare organizations with asset management, access control, data security, continuous security monitoring and more for PACS systems. We're also active partners with NIST and other standards organizations, helping to define Zero Trust Architecture, 5G security, cloud, mobile device security and other security use cases relevant to healthcare organizations and across multiple other sectors.

#### *Palo Alto Networks provides industry-leading IoT Security capabilities that meet those standards.*

This new law could not come at a more opportune time, as the number of connected medical devices is increasing dramatically in healthcare organizations. The current pandemic, with increased telehealth and remote patient services, has also brought about new risks in the healthcare sector.
IoMT devices are becoming an increasing threat vector in the most targeted industry for cyber attacks. The need to step up adoption of IoT security best practices cannot be emphasized enough.

Palo Alto Networks has been at the forefront of identifying, monitoring and protecting both IT and IoT devices. Our latest [Unit 42 2020 IoT Threat Report](https://start.paloaltonetworks.com/unit-42-iot-threat-report) is based on two years of research into over 1.2 million IoT devices. The report highlighted a wide range of insights for security in healthcare environments, such as:

* 98% of IoT traffic is not encrypted
* 57% of IoT devices are vulnerable to medium- or high-severity attacks
* 83% of medical imaging devices run on unsupported operating systems

These numbers are alarming given that many of these devices are used in critical operations, which can mean life or death in healthcare. These devices bring increasing cybersecurity challenges: large quantities, large variety, lack of self-protection, a large risk surface, and long equipment life cycles. Many traditional IT security techniques, such as installing an agent on each device or scanning, can't be applied to IoT directly or don't work effectively on IoT.

In addition to technical challenges, there are also organizational challenges. It is usually the biomedical team, with its special expertise, that is in charge of purchasing, managing, and maintaining medical devices. IT and security teams are the ones with security expertise, but they often are not even allowed to touch these special-purpose medical devices. Therefore, it is extremely important for healthcare providers to develop a systematic process with intelligent, integrated, and easy-to-use tools to automatically identify, monitor, and protect these devices 24x7.
They should enable partnership among all stakeholders in the organization, including biomedical, IT, security, procurement, and finance teams, and even facilities or any other team that can bring in IoT devices.

Palo Alto Networks has developed a vendor-agnostic practical guide that can be quickly embedded in your IoT security planning process. Read the complete practical guide [here](https://start.paloaltonetworks.com/5-must-haves-iot-security.html) to learn about the five must-haves for securing IoT devices, as shown in Figure 1.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/02/Screen-Shot-2021-02-18-at-2.48.46-PM.png)

The new law encourages cybersecurity best practices in healthcare, and Palo Alto Networks can help as we are the leader in partnering with health providers. We offer the most comprehensive IoT security solution, integrating IT with IoT and providing visibility and enforcement on a single platform, while remaining easy to deploy and use. We are here to work with you to secure your entire organization, which ultimately means better patient services and safety in healthcare.

[Register to watch](https://register.paloaltonetworks.com/iomt-security-launch-event) our webcast on how you can **"Protect Every Medical Device in Your Network"**.

*[Anand Oswal](https://www.paloaltonetworks.com/blog/2020/04/anand-oswal/?ts=markdown) serves as Senior Vice President and General Manager at cyber security leader Palo Alto Networks where he leads the company's Firewall as a Platform efforts.*