Abstract

U.S. healthcare relies on digital infrastructure that now shapes clinical safety. However, the governing law remains a patchwork. The HIPAA Security and Breach Notification Rules, layered with uneven federal and state mandates and voluntary frameworks, do not yield a clear, enforceable floor of protection for small, rural hospitals, institutions with thin budgets, legacy systems, limited vendor leverage, and scarce IT staff. This Article identifies the gap, namely that minimum safeguards are not articulated as testable outcomes that low-resource providers can implement and sustain, and offers a remedy. Using doctrinal analysis and comparative assessment of federal and state regimes alongside sector guidance (NIST CSF 2.0, HHS Cybersecurity Performance Goals, and HICP), it shows how compliance complexity, legacy technology, and workforce constraints translate into outages, data breaches, and disproportionate harm in rural and small settings. The Article proposes a uniform, outcomes-based federal baseline mapped to verifiable controls; targeted financing that purchases essential safeguards first; simplified, aligned reporting that reduces crisis-time burden; and regional hubs that deliver shared monitoring, response, and training so small entities can inherit enterprise-grade capabilities. The contribution is a legal and policy blueprint that links patient safety and equity to enforceable cybersecurity outcomes and explains how to operationalize those outcomes where resources are scarcest.
