HHS Issues Final Rule Establishing Cyber Preparedness Requirements

HHS released a final rule requiring Medicare- and Medicaid-participating healthcare providers to “plan adequately” for a variety of disasters including cyber attacks. The new rule mandates risk assessment and emergency planning programs, but does not include specific requirements for cybersecurity. However, HHS urges healthcare facilities “to assess whether their specific facility can benefit from such plans.” “[The new rule] is aimed at strengthening the security and resilience of the United States through systematic preparation for the threats that pose the...