
Will 2025 be the Year of Healthcare Security Compliance Mandates?

The next several years are shaping up to be a busy time for US-based healthcare security professionals who are responsible for ensuring their organizations’ compliance with security-related regulatory frameworks.

January 28, 2025 — by Drew Neckar

The next several years are shaping up to be a busy time for US-based healthcare security professionals who are responsible for ensuring their organizations’ compliance with security-related regulatory frameworks. The Occupational Health and Safety Administration (OSHA) has announced that it plans to release a draft standard for workplace violence prevention in healthcare and social service agencies; it will likely go into effect in late 2025 and, as currently written, will require healthcare organizations to implement a number of measures aimed at reducing the risk of violence to their employees. The Department of Health and Human Services recently published draft language for changes to the Health Information Portability and Accountability Act (HIPAA) that will go into effect later in 2025 and will require organizations to implement specific cyber and physical security measures to protect their information systems. The National Fire Protection Association has announced that its 2027 revision of NFPA 99, Health Care Facilities Code, will include a new chapter addressing cybersecurity requirements for healthcare facilities. At the federal level, the Centers for Medicare & Medicaid Services (CMS) may well take the same stance on this new chapter as they have on NFPA 99 Chapter 13, which details physical security requirements, and not adopt it into law; even so, there will still be compliance mandates for healthcare facilities in states that adopt NFPA 99 in its entirety.

In addition to the potential new federal requirements in the US, we anticipate 2025 to continue the trend we saw in 2024 of states implementing their own legislative measures in attempts to combat violence in healthcare and other industries. In 2024 California implemented sweeping new workplace violence prevention legislation requiring specific measures be taken by all employers with more than ten employees, and also passed legislation that will require all hospitals to install weapons detection technology by 2027. A North Carolina law went into effect requiring hospitals to ensure that a police officer is present in their emergency departments. Ohio passed legislation requiring hospitals to establish violence prevention teams, mandated a reporting process, and provided enhanced training for healthcare security personnel. These are just some of the recent state-based measures, and we expect additional states to introduce and implement healthcare violence prevention legislation as 2025 progresses.

The slate of legislative updates for healthcare security professionals is not unique to the US. In the UK the Terrorism (Protection of Premises) Bill 2024-25, known as ‘Martyn’s Law’, is making its way through the legislative process and, as currently written, will require healthcare and other organizations to adopt a number of protective measures. Changes have been introduced to Australia's Work Health and Safety laws that would include more stringent reporting requirements for incidents involving workplace violence and suicide. In January, the European Union issued an “action plan on the cybersecurity of hospitals and healthcare providers”, which will primarily provide EU-wide resources to combat cybersecurity threats but also calls on member states to strengthen requirements for healthcare providers themselves. In the wake of recent incidents, groups are pressing the Indian, South African, and Canadian governments to take up additional legislation to help combat what is seen as significant increases in violence against healthcare staff in those countries.

As these initiatives progress, COSECURE and our Healthcare team will continue to provide updates and are available to assist your organization in implementing measures to improve your physical and cybersecurity preparedness.


COSECURE, an ancillary business of Cozen O'Connor, has been on the leading edge of security and risk management for over 20 years and is actively protecting global Fortune 100 companies, law and technology firms, and high net worth individuals.
