Live from HIMSS25: Not Having an Incident Response Plan is Not an Option
At the HIMSS 2025 cybersecurity pre-conference forum on March 3, a panel discussed privacy standards for secure and interoperable health data. Hannah Galvin, CMIO with Cambridge Health, moderated the panel. Last year’s Change Healthcare breach quickly came up. This was a game changer, the panel indicated.
“That particular ransomware attack was as a result of a vulnerability on a very commonly used remote access tool,” Alex Enriquez, cybersecurity solution lead with Avanade, Inc., mentioned. “A lot of us, all of us, were impacted by COVID.” The question then was: How do we get people access to the organization while not traveling? That’s where MFA (multi-factor authentication) came in.
Erika Riethmiller, VP and chief privacy officer with UCHealth, noted that healthcare is a prime target for attackers. “Not having an incident response plan on the privacy side of things is simply not acceptable anymore,” she cautioned. Riethmiller told the audience that her organization still feels the downstream effects of a 2023 attack.
“We need requirements,” Riethmiller reiterated, referring to the new security rule notice of proposed rulemaking (NPRM) introduced in December by the Department of Health and Human Services (HHS). “The amendment was hugely powerful from a privacy perspective. When we respond to HHS inquiries about breaches, infamous releases, and disclosures, we automatically submit a one-pager about how we comply with the NIST cybersecurity framework.”