healthsystemCIO
H-ISAC’s Englert Says Device Inventory and PHI Mapping Will Be the Heaviest Lifts When New HIPAA Drops
Why It Matters
The new HIPAA rules will make detailed device inventories and PHI mapping mandatory, exposing many under‑resourced providers to compliance risk and potential breaches. Understanding these requirements now helps CISOs prioritize investments, adopt emerging monitoring tools, and collaborate with manufacturers to future‑proof their technology stacks, ensuring patient safety and data privacy in an increasingly regulated environment.
Key Takeaways
- New HIPAA rules demand full device inventory and PHI mapping
- Inventory and OT asset identification are the biggest implementation challenges
- Passive monitoring tools can automate device discovery and risk detection
- Vendors must meet cyber security RFP requirements to stay competitive
- Emerging LLM security tools may become vendor vetting criteria
Pulse Analysis
The Health‑ISAC’s Phil Englert warned that the upcoming HIPAA security rule, expected by early summer, will turn many best‑practice recommendations into mandatory controls. Healthcare CISOs must now produce a complete inventory of every medical device, OT asset, and clinical application, then trace protected health information (PHI) from creation on those devices through storage and transmission. This dual requirement—full asset visibility and PHI mapping—creates a compliance deadline that many organizations are unprepared for, especially smaller clinics lacking dedicated cyber teams. Failure to meet the rule could trigger enforcement actions and jeopardize patient safety.
Building that inventory is the hardest lift. Legacy devices often run unsupported operating systems and are fragile under active scanning, so passive network-monitoring platforms have become essential for discovering both medical and OT equipment from the traffic they already emit. These tools can fingerprint operating-system and firmware versions from observed banners, flag default passwords, and feed their findings into risk-assessment workflows. At the same time, the rule pushes baseline controls such as multi-factor authentication and regular penetration testing into environments that were never designed for them. Health systems are responding by embedding cyber-security clauses into RFPs, requiring manufacturers to demonstrate ongoing patchability and secure-by-design development before a contract is awarded.
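The passive-discovery workflow described above, as an added example that is not code from the episode, from Health-ISAC, or from any monitoring vendor: it folds a list of constructed sensor observations (no packets are sent to any device) into a device inventory keyed by MAC, fingerprints OS and firmware from HTTP banners, flags default Basic-auth credentials, and records which device-to-host flows carry PHI over DICOM or HL7. The OUI-to-vendor table, the IP addresses, the banners and the credential list are all made up for illustration; the well-known port numbers for DICOM, HL7 over MLLP, Modbus and BACnet are real defaults.

```python
"""Passive device inventory and PHI-flow mapping from observed network metadata.

Added example, not from the article or Health-ISAC. Every observation below is a
constructed record of the kind a tap/SPAN-fed sensor would emit; nothing here
touches a real device. OUI prefixes, IPs, banners and credentials are invented.
"""
import base64
import re

# Hypothetical OUI table: these prefixes are NOT real vendor assignments.
OUI_VENDORS = {"00:1a:2b": "ImagingCo", "00:3c:4d": "InfusionCorp", "00:5e:6f": "HVACworks"}

# Default ports for clinical and OT protocols (real defaults).
PORT_PROTOCOLS = {104: "DICOM", 11112: "DICOM", 2575: "HL7", 502: "Modbus", 47808: "BACnet"}
OT_PROTOCOLS = {"Modbus", "BACnet"}
PHI_PROTOCOLS = {"DICOM", "HL7"}

# End-of-life OS strings as they appear in User-Agent / Server banners (constructed list).
UNSUPPORTED_OS = re.compile(r"Windows (NT 5\.1|XP|7|Server 2003|Server 2008)", re.I)
FIRMWARE_RE = re.compile(r"firmware[/ ]v?(\d+(?:\.\d+)+)", re.I)
# Constructed default credential pairs; a real deployment would load a vendor-specific list.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("service", "service")}


def vendor_for(mac):
    """Map the first three octets of a MAC to a vendor via the (hypothetical) OUI table."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def default_cred_in(headers):
    """True if an HTTP Basic Authorization header decodes to a known default credential."""
    auth = headers.get("Authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:  # malformed base64 or non-UTF-8: not a credential we recognise
        return False
    return (user, pw) in DEFAULT_CREDS


def build_inventory(observations):
    """Fold passive observations into {mac: device record} and a sorted list of PHI flows.

    Each observation is a dict with src_mac, src_ip, dst_ip, dst_port and optionally
    http_headers (headers the source emitted) or payload (first bytes of the stream).
    Devices are keyed by MAC so DHCP re-leasing does not create duplicate entries.
    """
    inventory = {}
    phi_flows = set()
    for obs in observations:
        mac = obs["src_mac"].lower()
        dev = inventory.setdefault(mac, {
            "ips": set(), "vendor": vendor_for(mac), "protocols": set(),
            "os": None, "firmware": None, "flags": set(), "category": "IT"})
        dev["ips"].add(obs["src_ip"])

        proto = PORT_PROTOCOLS.get(obs["dst_port"])
        if obs.get("payload", "").startswith("MSH|"):
            proto = "HL7"  # an HL7 v2 message header is PHI in transit whatever the port
        if proto:
            dev["protocols"].add(proto)
            if proto in PHI_PROTOCOLS:
                phi_flows.add((mac, obs["dst_ip"], proto))

        headers = obs.get("http_headers", {})
        banner = " ".join(headers.get(k, "") for k in ("User-Agent", "Server"))
        if m := UNSUPPORTED_OS.search(banner):
            dev["os"] = m.group(0)
            dev["flags"].add("unsupported_os")
        if m := FIRMWARE_RE.search(banner):
            dev["firmware"] = m.group(1)
        if default_cred_in(headers):
            dev["flags"].add("default_credentials")

    for dev in inventory.values():
        if dev["protocols"] & OT_PROTOCOLS:
            dev["category"] = "OT"
        elif dev["protocols"] & PHI_PROTOCOLS:
            dev["category"] = "medical"
    return inventory, sorted(phi_flows)


# Constructed observations: a CT scanner pushing to PACS and logging into a web console
# from an XP-era browser, an infusion pump sending HL7 to the EHR, and a BACnet controller.
SAMPLE_OBSERVATIONS = [
    {"src_mac": "00:1a:2b:aa:bb:cc", "src_ip": "10.20.0.11", "dst_ip": "10.20.0.50", "dst_port": 104},
    {"src_mac": "00:1a:2b:aa:bb:cc", "src_ip": "10.20.0.11", "dst_ip": "10.20.0.60", "dst_port": 80,
     "http_headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
                      "Authorization": "Basic YWRtaW46YWRtaW4="}},
    {"src_mac": "00:3c:4d:11:22:33", "src_ip": "10.20.1.5", "dst_ip": "10.20.0.70", "dst_port": 2575,
     "payload": "MSH|^~\\&|PUMP|ICU|EHR|HOSP||ADT^A01|1|P|2.5\rPID|1||12345^^^MRN"},
    {"src_mac": "00:3c:4d:11:22:33", "src_ip": "10.20.1.5", "dst_ip": "10.20.0.80", "dst_port": 8080,
     "http_headers": {"Server": "PumpOS/3.2 firmware/2.1.7"}},
    {"src_mac": "00:5e:6f:44:55:66", "src_ip": "10.30.0.9", "dst_ip": "10.30.0.1", "dst_port": 47808},
]

if __name__ == "__main__":
    inventory, flows = build_inventory(SAMPLE_OBSERVATIONS)
    for mac, dev in inventory.items():
        print(mac, dev["vendor"], dev["category"], sorted(dev["protocols"]),
              dev["os"], dev["firmware"], sorted(dev["flags"]))
    print("PHI flows:", flows)
```

Keying on MAC rather than IP is deliberate: clinical subnets lease addresses, and an inventory keyed on IP silently double-counts the same scanner. The PHI-flow list is the start of the mapping the rule asks for; in practice each (source, destination, protocol) tuple gets joined to the application or storage system that owns the destination address.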
Looking ahead, artificial-intelligence security scanners such as Anthropic's Mythos or OpenAI's GPT-5.5 Cyber could become a new tier of vendor vetting, separating suppliers whose products have been AI-tested from those that have not. This emerging landscape reinforces the board's growing accountability for cyber risk as a business-critical issue. CISOs must act as strategic advisors, translating technical controls into cost-benefit analyses that align with clinical outcomes and with device lifecycles that often run ten to twelve years. By partnering with manufacturers committed to continuous security updates, health systems can avoid legacy lock-in and protect both patient data and care delivery for decades to come.
Episode Description
Most healthcare CISOs handle pen testing and risk assessments routinely. Device inventory and PHI mapping fall into a tougher category, and the new HIPAA Security Rule will soon make both mandatory. Health-ISAC's Phil Englert explains where to focus first.
Source: H-ISAC’s Englert Says Device Inventory and PHI Mapping Will Be the Heaviest Lifts When New HIPAA Drops on healthsystemcio.com - Interviews & Webinars with Health System IT Leaders