2025 Cybersecurity Rules: What Digital Health Startups Need to Know

July 2025

How did cybersecurity become a front-line issue for digital health?

By 2024, healthcare had become one of the most targeted sectors for cyberattacks, with ransomware incidents hitting hospitals, payers, and infrastructure providers. High-profile breaches disrupted claims processing, forced hospitals back to paper workflows, and exposed sensitive health data affecting tens of millions of people.

For digital health startups, this changed the conversation. Security stopped being a “we’ll harden it later” item and became a gating factor for enterprise deals, partnerships, and regulatory comfort. In 2025, regulators are pushing even harder.

What has actually changed in the regulatory landscape?

Three big shifts are shaping expectations for startups:

  1. Healthcare-specific Cybersecurity Performance Goals (CPGs)
    The U.S. Department of Health and Human Services (HHS) published Cybersecurity Performance Goals for the healthcare and public health sector in January 2024. They are split into essential goals (the baseline every organization is expected to meet) and enhanced goals, and are designed to help organizations prioritize high-impact practices: multi-factor authentication, network segmentation, timely patching of known exploited vulnerabilities, basic security awareness training, and incident response planning.
  2. Proposed updates to HIPAA and related rules
    The proposed HIPAA Security Rule update, published for public comment in early 2025, would tighten safeguards for electronic protected health information (ePHI). Most notably, it would drop the distinction between “required” and “addressable” implementation specifications, so practices that were previously “best effort” become effectively mandatory: encryption of ePHI at rest and in transit, multi-factor authentication, more detailed logging and monitoring, a maintained technology asset inventory and network map, and more rigorous, documented risk analysis. It is still a proposal rather than a final rule, but buyers are already treating it as the direction of travel.
  3. Buyer expectations leaping ahead of regulations
    Health systems, payers, and large employers have raised their bar. Vendor security questionnaires now dig into your architecture, third-party risk management, and incident response readiness. Even if some measures remain “voluntary” on paper, they’re becoming de facto requirements to win contracts.

What does this mean for early-stage digital health founders?

For startups, the message is clear: security can’t wait for Series C. The earlier you embed it into your product and processes, the less painful (and expensive) it will be.

Concretely, that means:

  • Designing your system as if a security review is inevitable—because it is.
  • Avoiding shortcuts like hard-coded secrets, unmanaged admin backdoors, and unvetted third-party components.
  • Treating security as a product feature that buyers care about, not just an IT concern.

Which cybersecurity practices should startups prioritize?

You don’t need a 50-person security team, but you do need a focused set of high-leverage controls. For most digital health startups, priorities include:

  • Multi-factor authentication (MFA) for admin, support, and high-privilege roles, preferring phishing-resistant methods (FIDO2/passkeys) over SMS or email codes.
  • Secure-by-default architectures – principle of least privilege, network segmentation, no shared logins.
  • Robust encryption for data in transit (TLS 1.2 or later everywhere, including service-to-service traffic) and at rest, with keys held in a managed key service rather than in application config or source.
  • Vendor and third-party risk management – understanding what your cloud, analytics, or comms providers can see, and how they secure it.
  • Regular vulnerability scanning and patching – for both infrastructure and dependencies.
  • Incident response planning – even a lightweight playbook for detection, containment, communication, and recovery.

These map closely to the healthcare Cybersecurity Performance Goals regulators are encouraging the sector to adopt.

How can you integrate security into product design rather than bolting it on?

A few practical strategies:

  • Make privacy and security part of your discovery work
    When mapping user journeys, also map data flows: what’s captured, where it goes, who sees it, how long it persists.
  • Involve security in design reviews
    Even if “security” is one person wearing many hats, give them a voice when designing new features or integrations.
  • Use secure defaults, not optional add-ons
    Strong passwords, MFA, sensible session timeouts, and safe logging should be built-in, not “enterprise-only” toggles.
  • Design for least privilege
    UX and permissions design should go hand-in-hand: users should only see and do what their role requires.
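
As an added example (not code from the article or from nuom), here is what “secure defaults, not optional add-ons” can look like in a small Python service: a settings object whose defaults are the secure values and which refuses configuration that would weaken them, a session-expiry check with both an idle and an absolute timeout, and a logging filter that scrubs common identifiers before a line is written. The class and function names, the timeout values, and the redaction patterns are assumptions chosen for illustration; the patterns are deliberately simple and are not a complete PHI detector.

```python
"""Secure-by-default settings, session expiry and PHI-scrubbed logging.

Added example for illustration; all names and values here are assumptions,
not the article's or any product's real configuration.
"""
import logging
import re
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class SecuritySettings:
    """The defaults are the secure values; a deployment may only tighten them."""
    mfa_required: bool = True
    min_password_length: int = 12
    idle_timeout: timedelta = timedelta(minutes=15)
    absolute_timeout: timedelta = timedelta(hours=8)

    def tightened(self, **overrides) -> "SecuritySettings":
        """Return a copy with overrides applied, rejecting any that weaken a control."""
        current = asdict(self)
        for key, value in overrides.items():
            if key not in current:
                raise ValueError(f"unknown setting: {key}")
            if key == "mfa_required" and not value:
                raise ValueError("MFA cannot be switched off by configuration")
            if key == "min_password_length" and value < current[key]:
                raise ValueError("password minimum cannot be lowered")
            if key.endswith("_timeout") and value > current[key]:
                raise ValueError(f"{key} cannot be lengthened")
        return replace(self, **overrides)


def session_state(created_at: datetime, last_seen_at: datetime,
                  now: datetime, settings: SecuritySettings) -> str:
    """Classify a session as 'active', 'idle_expired' or 'absolute_expired'.

    The absolute limit is checked first so a continuously busy session still ends."""
    if now - created_at > settings.absolute_timeout:
        return "absolute_expired"
    if now - last_seen_at > settings.idle_timeout:
        return "idle_expired"
    return "active"


# Illustrative patterns only (assumption): a real deployment needs a
# purpose-built PHI classifier, and should avoid logging these values at all.
_PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),  # dates of birth or service
]


def redact(text: str) -> str:
    """Replace anything matching a PHI pattern with a fixed placeholder."""
    for pattern, label in _PHI_PATTERNS:
        text = pattern.sub(label, text)
    return text


class PhiRedactingFilter(logging.Filter):
    """Scrub the format string and any string arguments before a record is
    emitted, so redaction applies to every handler attached to the logger."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def redacted_log_line(fmt: str, *args) -> str:
    """Render one log line the way a handler would see it after the filter ran."""
    record = logging.LogRecord("healthapp", logging.INFO, "", 0, fmt, args, None)
    PhiRedactingFilter().filter(record)
    return record.getMessage()


def demo():
    """Exercise the pieces on constructed inputs; returns the results."""
    settings = SecuritySettings().tightened(idle_timeout=timedelta(minutes=10))
    try:
        settings.tightened(mfa_required=False)
        mfa_off_rejected = False
    except ValueError:
        mfa_off_rejected = True
    now = datetime(2025, 7, 1, 12, 0, tzinfo=timezone.utc)
    states = (
        session_state(now - timedelta(hours=1), now - timedelta(minutes=5), now, settings),
        session_state(now - timedelta(hours=1), now - timedelta(minutes=12), now, settings),
        session_state(now - timedelta(hours=9), now - timedelta(minutes=1), now, settings),
    )
    line = redacted_log_line("login failed for %s (MRN 00123456, dob 1980-04-02)",
                             "pat@example.org")  # constructed sample input
    return mfa_off_rejected, states, line


if __name__ == "__main__":
    print(demo())
```

The point of `tightened` is that an operator can shorten a timeout or raise a password minimum through configuration but cannot quietly disable MFA; a weakening change has to be a code change that goes through review. Attaching the filter to the logger rather than to one handler means the same scrubbing reaches console output, files and any log-shipping integration.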

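An added example, not from the article, of the “users should only see and do what their role requires” point: a deny-by-default permission map, a decorator that enforces it at the handler boundary, and field-level projection of a patient record so that a field nobody has classified is hidden rather than shown. The roles, permission names, field names and the sample record are all hypothetical.

```python
"""Deny-by-default, role-based authorization with field-level projection.

Added example for illustration; roles, permissions, field names and the
sample record are hypothetical and not taken from the article.
"""
from functools import wraps
from typing import Callable, FrozenSet, Mapping

# Each role lists exactly what it may do; anything absent is denied.
PERMISSIONS: Mapping[str, FrozenSet[str]] = {
    "clinician": frozenset({"patient:read", "patient:read_clinical", "note:write"}),
    "billing": frozenset({"patient:read", "patient:read_billing", "claim:submit"}),
    "support": frozenset({"patient:read"}),  # can locate a record, not read clinical detail
}

# Field-level classification: the permission a reader needs for each field.
# A field that is not listed here is never returned, so a newly added column
# stays hidden until someone deliberately classifies it.
FIELD_REQUIREMENTS: Mapping[str, str] = {
    "patient_id": "patient:read",
    "name": "patient:read",
    "date_of_birth": "patient:read",
    "diagnoses": "patient:read_clinical",
    "clinical_notes": "patient:read_clinical",
    "insurance_member_id": "patient:read_billing",
}


class AccessDenied(PermissionError):
    """Raised at the handler boundary; log the role and permission, never the data."""


def is_allowed(role: str, permission: str) -> bool:
    """Unknown roles and unknown permissions both evaluate to False."""
    return permission in PERMISSIONS.get(role, frozenset())


def requires(permission: str) -> Callable:
    """Decorator that checks a permission before the handler body runs."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(role: str, *args, **kwargs):
            if not is_allowed(role, permission):
                raise AccessDenied(f"role {role!r} lacks {permission!r}")
            return handler(role, *args, **kwargs)
        return wrapper
    return decorator


def visible_fields(role: str, record: Mapping[str, object]) -> dict:
    """Project a patient record down to the fields this role may see."""
    return {
        field: value
        for field, value in record.items()
        if FIELD_REQUIREMENTS.get(field) is not None
        and is_allowed(role, FIELD_REQUIREMENTS[field])
    }


@requires("note:write")
def add_note(role: str, patient_id: str, text: str) -> dict:
    """Hypothetical handler: only roles holding note:write get past the decorator."""
    return {"patient_id": patient_id, "author_role": role, "note": text}


# Constructed sample record; the unclassified "ssn" field must never leak.
SAMPLE_PATIENT = {
    "patient_id": "p-001",
    "name": "A. Example",
    "date_of_birth": "1980-04-02",
    "diagnoses": ["E11.9"],
    "clinical_notes": "Follow-up in 3 months.",
    "insurance_member_id": "XYZ123456",
    "ssn": "123-45-6789",
}


def demo() -> dict:
    """Show what each role sees and whether the write check holds."""
    try:
        add_note("support", "p-001", "should not be written")
        support_note_blocked = False
    except AccessDenied:
        support_note_blocked = True
    return {
        "support_sees": sorted(visible_fields("support", SAMPLE_PATIENT)),
        "billing_sees": sorted(visible_fields("billing", SAMPLE_PATIENT)),
        "clinician_sees": sorted(visible_fields("clinician", SAMPLE_PATIENT)),
        "unknown_role_sees": sorted(visible_fields("intern", SAMPLE_PATIENT)),
        "support_note_blocked": support_note_blocked,
        "clinician_note": add_note("clinician", "p-001", "BP stable")["note"],
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the weight here. The permission check is a lookup in an explicit allow-set, so a role that was never defined or a permission that was never granted falls through to “no”. And the record projection is driven by a classification table rather than by a block-list, so the cost of forgetting to classify a new field is an over-restrictive screen for a role, not an exposure of ePHI to it.
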
How do you talk about security with buyers without overpromising?

Enterprise customers don’t expect startups to be perfect—but they do expect seriousness and transparency.

Be ready to:

  • Describe your security architecture at a high level.
  • Share a summary of your security policies (access control, incident response, backups).
  • Provide recent penetration test or vulnerability scan summaries when you’re further along.
  • Be honest about what you’re still improving—and show a roadmap.

In 2025, cybersecurity isn’t a compliance tax you reluctantly pay. It’s a trust signal and a commercial differentiator. Digital health startups that treat it as a first-class design concern will find enterprise doors much easier to open.
