惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
V2EX
爱范儿
爱范儿
Martin Fowler
Martin Fowler
T
The Blog of Author Tim Ferriss
B
Blog RSS Feed
博客园 - 聂微东
G
GRAHAM CLULEY
Engineering at Meta
Engineering at Meta
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
WordPress大学
WordPress大学
Scott Helme
Scott Helme
AI
AI
S
Security Affairs
T
Threat Research - Cisco Blogs
M
MIT News - Artificial intelligence
T
Troy Hunt's Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
人人都是产品经理
人人都是产品经理
AWS News Blog
AWS News Blog
T
Threatpost
Cyberwarzone
Cyberwarzone
www.infosecurity-magazine.com
www.infosecurity-magazine.com
U
Unit 42
V
Vulnerabilities – Threatpost
J
Java Code Geeks
博客园 - Franky
月光博客
月光博客
Blog — PlanetScale
Blog — PlanetScale
NISL@THU
NISL@THU
D
Docker
小众软件
小众软件
N
News and Events Feed by Topic
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
A
Arctic Wolf
D
DataBreaches.Net
云风的 BLOG
云风的 BLOG
Forbes - Security
Forbes - Security
量子位
PCI Perspectives
PCI Perspectives
美团技术团队
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
I
InfoQ
Security Archives - TechRepublic
Security Archives - TechRepublic
有赞技术团队
有赞技术团队
腾讯CDC
P
Proofpoint News Feed
S
Security @ Cisco Blogs
G
Google Developers Blog
C
Cisco Blogs

Citrix Blogs

What’s left for humans? – Citrix Blogs Why this moment feels different – Citrix Blogs Introducing Citrix Platform for Public Sector – Citrix Blogs how our partnership with Google has matured secure access for the browser era – Citrix Blogs When session recording stops scaling – Citrix Blogs A conversation with Cletis Earle – Citrix Blogs Imprivata Ready Certification validates Citrix Unicon: A practical guide for healthcare IT – Citrix Blogs Skills are all you need – Citrix Blogs UHMC customers now have expanded Citrix Secure Private Access entitlement – Citrix Blogs How CIOs turn post‑merger disorder into a synergy engine – Citrix Blogs why your AI strategy is focused on the wrong layer – Citrix Blogs Securing high privileged admin access doesn’t have to be complicated – Citrix Blogs What will knowledge work be in 18 months? Look at what AI is doing to coding right now. – Citrix Blogs Untangling spaghetti – Citrix Blogs Workers’ “second brains” break every assumption about how we secure knowledge work – Citrix Blogs Taming integration chaos (the core of M&A failure) – Citrix Blogs OpenClaw and Moltbook preview the changes needed with corporate AI governance – Citrix Blogs Three years. Five Use Cases. A Leader: Citrix – Citrix Blogs The hard truths about hospital consolidation: An M&A guide for IT leaders – Citrix Blogs Why Citrix is the most complete EUC platform – Citrix Blogs Sign in once, get more done: Why continuous identity is a strategic advantage – Citrix Blogs Everyone’s worried about the wrong AI security risk – Citrix Blogs Security by design, proven by action with Citrix NetScaler – Citrix Blogs The invisible 80%—what corporate-led AI transformations can’t see – Citrix Blogs Workers don’t want to build automations. They want to delegate. – Citrix Blogs speed vs. security – Citrix Blogs AI will be THE interface to knowledge work. Here’s how we’ll get there. – Citrix Blogs Why I joined Citrix — and what it means for healthcare leaders – Citrix Blogs How the most successful CIOs are building successful merger and acquisition approaches – Citrix Blogs IT admits workers control AI. Workers admit they use it to leave at 5. – Citrix Blogs One identity. Every app. Now inside Citrix sessions. – Citrix Blogs Built-in AI intelligence that keeps IT focused – Citrix Blogs Everyone wants to provide your AI. Nobody wants to help you manage it. – Citrix Blogs Certificate lifetimes are shrinking—your business continuity doesn’t have to: Automating SSL/TLS at scale with NetScaler – Citrix Blogs Advancing Zero Trust at the browser – Citrix Blogs Citrix is headed to Microsoft Ignite 2025 as a Partner of the Year Finalist, top sponsor, and more! – Citrix Blogs Three trends reshaping how work happens – Citrix Blogs Our vision for secure access in a browser-first world – Citrix Blogs Will AI need to operate your legacy desktop apps or is direct file manipulation enough? – Citrix Blogs an executive blueprint for streamlined app delivery – Citrix Blogs AI just created 10,000 accidental citizen developers in your company. Welcome to the post-application era! – Citrix Blogs Why healthcare IT leaders are embracing Unicon + Imprivata – Citrix Blogs Windows 10 & IGEL OS 11 end-of-life: How Unicon OS turns deadlines into competitive advantage – Citrix Blogs The bitter lesson of workplace AI: Stop engineering, start enabling – Citrix Blogs If AI is normal technology, boring infrastructure is your best strategy – Citrix Blogs Innovation, efficiency, and the future of licensing – Citrix Blogs Worker-led AI isn’t shadow IT. It’s shadow strategy. – Citrix Blogs Everyone’s wrong about why enterprise AI is failing – Citrix Blogs Citrix Virtual Apps and Desktops 2507 Long Term Service Release is now available: Get current, stay ahead – Citrix Blogs If AI progress stopped today, we can still transform the enterprise with what we have – Citrix Blogs AI agents are the new insider threat. Secure them like human workers. – Citrix Blogs How NetScaler helps prevent a silent data breach decades in the making – Citrix Blogs What happens when AI agents score 100% in computing using benchmarks? – Citrix Blogs Citrix DaaS for Amazon WorkSpaces Core Managed Instances – Citrix Blogs Why AI agents will use the same desktops and apps as human workers – Citrix Blogs Modern applications need modern networking — Here’s what that means for your business – Citrix Blogs Powering your present, readying your future, and now available for all workloads – Citrix Blogs To understand AI’s future impact, check out this playbook from 150 years ago – Citrix Blogs The 7-stage roadmap for human-AI collaboration in the workplace (2025 edition) – Citrix Blogs Secure your business with Citrix and Google Chrome Enterprise Premium – Citrix Blogs AI agents need a secure place to work. The Citrix workspace is ready. – Citrix Blogs What’s New and Next with Citrix: Q&A from our May 2025 webinar – Citrix Blogs What if your CEO never sends the AI-first memo? – Citrix Blogs Your CEO just sent a company-wide “AI-First” memo. Now what? – Citrix Blogs Citrix and Nutanix team up to simplify virtual desktop management – Citrix Blogs eLux + Imprivata coming soon for healthcare and beyond – Citrix Blogs Rising costs. Aging hardware. One smart solution. – Citrix Blogs The desktop has dissolved. Now where does work live in 2025? – Citrix Blogs Citrix Virtual Apps and Desktops 2503 is now generally available – Citrix Blogs What does “AI” mean at Citrix? – Citrix Blogs Making sense of AI in the workplace: A starting point for leaders – Citrix Blogs Control the endpoint, control the experience – Citrix Blogs Why I joined Citrix and what I’m excited about – Citrix Blogs Citrix’s approach to Secure by Design – Citrix Blogs Citrix and NVIDIA partner to deliver AI Virtual Workstations – Citrix Blogs Welcoming Google Chrome Enterprise Premium into the Citrix platform – Citrix Blogs Apple M4 chip delivers another significant performance boost to Citrix VDA for macOS! – Citrix Blogs Updated STIG guidance for highly secure environments – Citrix Blogs It’s time to upgrade your hypervisor to XenServer 8! – Citrix Blogs Furthering our investment in the Citrix platform with the strategic acquisition of Unicon – Citrix Blogs Faster logins, more productivity – Citrix Blogs New optimization for Microsoft Teams in Citrix environments – Citrix Blogs Password spraying attacks on NetScaler/NetScaler Gateway – December 2024 – Citrix Blogs Citrix Secure Private Access delivers ZTNA in hybrid mode – Citrix Blogs Citrix strengthens zero trust security posture with strategic acquisitions of deviceTRUST and Strong Network – Citrix Blogs Ease your virtual machine device management with MCS & Intune – Citrix Blogs Free uberAgent training is now available on Pluralsight – Citrix Blogs Improved security, admin interfaces, and user experiences across the Citrix solution portfolio – Citrix Blogs Citrix ranked highest for all 4 Use Cases in the Gartner® Critical Capabilities for Desktop as a Service Report – Citrix Blogs Join us at Microsoft Ignite – Citrix innovations for the modern workplace – Citrix Blogs Improve user experiences and reliability with new expanded uberAgent entitlements – Citrix Blogs Citrix Secure Private Access now supports multi-session VDI – Citrix Blogs The new Citrix platform experience – Citrix Blogs Citrix Secure Private Access for ZTNA now supports Linux – Citrix Blogs Citrix Workspace app – いつの間に?Citrixへの入口がこんなに進化しました – Citrix Blogs Launch right into your Citrix environment with Desktop Lock – Citrix Blogs Making Policy Management Smarter and Simpler with Citrix Policy Sets – Citrix Blogs Image and Power Management Support for Azure Sovereign Air-gap – Citrix Blogs Think you have what it takes to be a CTP or CTA? Apply today! – Citrix Blogs How Citrix supports financial contact centers 24/7 – Citrix Blogs
What hospital IT owns now that the compliance shortcut is gone – Citrix Blogs
Sarah Fink · 2026-06-24 · via Citrix Blogs

A common misconception about the current regulatory environment in healthcare is that deregulation signals reduced risk. It doesn’t. Cyberattacks on health systems are not declining as federal requirements ease. Healthcare remains the most targeted sector for ransomware, and hacking now accounts for 81% of all reported HIPAA breaches, up from 49% in 2019.

What deregulation changes is not the exposure. It is who owns it. Four federal initiatives in 2026 are collectively shifting accountability for security, governance, and technology management away from vendors and certification programs and onto hospital IT infrastructure teams. My intent is to provide clarity and understanding to each of these four regulatory initiatives and what each one demands in practice as the starting point for getting ahead of them.

1. Health data, technology and interoperability: ASTP/ONC deregulations to unleash prosperity (HTI-5) proposed rule

When the certification shortcut goes away

The Office of the National Coordinator for Health Information Technology (ONC) certification has served as a practical shortcut in healthcare IT procurement for years. A certified clinical system carried independent, verified assurance that it met a defined baseline for authentication, access control, and authorization, giving compliance teams a documentable basis for vendor security decisions. The HTI-5 proposed rule, which closed its comment period in February 2026 and is expected to finalize mid-to-late 2026, proposes to remove all 14 of those privacy and security criteria from the certification program. The stated rationale is that they duplicate existing HIPAA requirements.

A Health Affairs Forefront analysis of HTI-5 named the real consequence: removing those criteria does not remove the compliance obligations. It removes the mechanism health systems have used to document that vendors meet them.

Among the 14 criteria being removed is audit logging, the requirement that certified systems demonstrate they are recording who accessed ePHI, when, and what they did. That requirement was independent verification that the systems health organizations rely on are generating the audit trails that breach investigations and Office of Civil Rights (OCR) audits depend on. Without it, health systems can no longer assume a certified system maintains a defensible audit record. If a system is not logging access correctly and a breach occurs, the trail that would tell you who accessed what and when may simply not exist.

The burden of verifying that audit logging is in place, contractually requiring it from every vendor, and maintaining that documentation independently now falls to the health system. That accountability does not arrive with a compliance deadline. It shifts the moment the rule finalizes.

2. Trusted Exchange Framework and Common Agreement (TEFCA)

The interoperability network is operational and growing

TEFCA is not a framework in development. It is now an active national network. Approximately 10 million health records were exchanged through the Qualified Health Information Network infrastructure in January 2025. By February 2026, that figure was nearly 500 million. USCDI v3 data conformance has been required since January 2026. The Social Security Administration joined the network in early 2026, projecting cuts to disability claims processing time of more than 50%. The question of whether TEFCA would reach meaningful scale has now been answered.

What makes this consequential for hospital IT is where TEFCA intersects with M&A, which is where most health systems are already under the most pressure. As Cletis Earle wrote in a January 2026 blog about hospital consolidation, IT integration is the primary cause of M&A failure in healthcare. Bain and Company research puts the integration success rate at 14%, with 83% of practitioners citing IT challenges as the leading cause, and IT accounting for up to 70% of the synergies these transactions are supposed to generate.

Clinical staff at acquired facilities need cross-entity access to records and applications long before full EHR integration is complete. TEFCA formalizes that expectation from outside the organization. Fragmented credentials, inconsistent access governance, and staff using workarounds to bridge systems are not just integration friction. They are the conditions that create security exposure, and they are now a TEFCA compliance concern as well. For acute care hospitals, non-compliance with federal interoperability participation requirements carries financial penalties of up to 75% of the annual payment update, a consequence that does not wait for M&A integration to catch up.

3. Health Insurance Portability and Accountability Act (HIPAA) Security Rule

The first update since 2003

For 23 years, the “addressable” category in the HIPAA Security Rule gave health systems documented flexibility to defer or substitute certain controls. The proposed update, published January 2025 with a final rule expected in 2026, eliminates that category. Every control becomes mandatory. The controls most deferred under the addressable framework – specifically encryption of ePHI and multi-factor authentication – are also among the most commonly exploited vulnerabilities in healthcare ransomware attacks. Deferred controls are not compliance gaps in the abstract. They are open attack vectors. With hacking now accounting for 81% of all reported HIPAA breaches, the rule is removing a flexibility that the threat environment had already made untenable.

When systems go dark in a clinical environment, the consequences are not just operational. Clinical workflows halt, patient care decisions stall, and the exposure extends well beyond the IT team, as a March 2026 conversation with Citrix’s Healthcare, Field CTO, Cletis Earle on healthcare business resiliency documents.

The proposed 72-hour critical systems restoration requirement is not achievable through a security sprint. It requires infrastructure investment, disaster recovery planning, vendor coordination, and board-level commitment. The window to build that deliberately, before a deadline forces emergency remediation, is open now.

4. HHS AI strategy

Federal policy is pushing adoption into a governance gap

The HHS AI strategy, released December 2025 and followed by a Request for Information on accelerating clinical AI through regulatory and reimbursement policy, is not a binding rule. However, it is a clear signal of intent.

The federal government is designing conditions to push more AI into clinical care, and it intends to move quickly. The problem is that AI is already outpacing governance in most health systems before that acceleration has taken full effect. A February 2026 Healthcare Brew survey found that 57% of healthcare professionals had already used or encountered unauthorized AI tools at work. A 2025 IBM study found that 97% of organizations that experienced an AI-related security incident lacked proper AI access controls.

As Cletis Earle wrote in an April 2026 blog about AI governance in healthcare, “AI is already being used, sometimes officially, sometimes quietly, sometimes in ways leaders did not intend,” and critically: “policy without enforcement is not governance, it is intention.” When clinical staff route work through unreviewed AI tools, ePHI can reach models that were never assessed for security, creating breach risk that no policy document prevents.

In our response to the HHS Health Sector AI Request for Information, Citrix argued that the biggest barrier to safe, scalable AI in healthcare is not the model itself but the governance and delivery layers surrounding it. The organizations managing clinical AI well are not restricting adoption. They are building a sanctioned path with security review, ePHI classification, and role-based access built into the process, not retrofitted after an incident.

What this means for hospital IT

The thread connecting all four of these initiatives is auditability. Who accessed what, when, through which system, and under what authorization. That question sits at the center of every breach investigation, OCR audit, AI governance failure, and M&A integration gap. And in each area, the regulatory environment is shifting the responsibility for answering it from external frameworks onto hospital IT infrastructure directly.

HTI-5 removes the independent verification that clinical systems are generating defensible audit trails at all. The HIPAA Security Rule update makes encryption and MFA mandatory, the controls that determine whether access to ePHI can be traced and contained when something goes wrong. TEFCA requires cross-entity governance of access and data exchange across organizations that may not yet share systems or identity infrastructure with penalties for non-compliance. And shadow AI creates exactly the auditability gap that regulators will eventually require health systems to close: ePHI moving through tools that were never reviewed, never logged, and never governed.

None of this is a new strategic direction for hospital IT. It is the regulatory environment formalizing a single expectation that the threat landscape has already made non-negotiable: health systems need to know, at any point, who has access to patient data, through which systems, and under what controls. Without that audit capability, breaches go undetected longer, investigations stall without evidence, and the gap between what happened and what can be demonstrated grows. The organizations building toward that capability now are not just better positioned for the rules ahead. They are fundamentally harder to breach, and far better equipped to respond when it happens.

The deregulation environment described here does not reduce the security and governance obligations on health systems. It relocates them from vendor certification programs and external frameworks to the infrastructure health systems own and operate directly. The Citrix platform is built for that position. When ONC certification no longer provides that independent verification, the delivery layer becomes the audit layer. The Citrix platform creates that audit trail by generating an independent record of who accessed which application, when, and under what policy, without depending on whether any individual clinical application maintains a defensible audit trail. This is just one example of how Citrix is your partner in innovation and compliance – now and into the future.

For more information and details on how we can help you navigate these and other healthcare challenges, please contact your Citrix team for more information.