New Texas HHSC Cybersecurity Directive – What Hospitals Need to Do Now

On March 31, 2026, the Texas Health and Human Services Commission (HHSC) issued a directive to healthcare facilities across the state: review your connected medical devices, align with FDA cybersecurity guidance, and start mitigating risk – now.

For hospitals, health systems, and clinical engineering teams across Texas, operationalizing cybersecurity is no longer optional. Here’s how healthcare organizations in Texas can use Asimily’s purpose-built healthcare cybersecurity platform to meet the HHSC directive and improve their overall cybersecurity posture.

What HHSC Is Asking Facilities to Do

The directive lays out four expectations:

  1. Review applicable FDA cybersecurity guidance for all medical devices in use.
  2. Align operational policies and procedures – procurement, maintenance, and decommissioning – with that guidance.
  3. Assess every device with a network function or remote access capability for cybersecurity risk.
  4. Coordinate with manufacturers, vendors, and internal IT/security teams to identify and mitigate vulnerabilities.

Each of those steps sounds straightforward in a memo. In a hospital with thousands of connected devices across dozens of manufacturers, running on networks that were designed for availability rather than segmentation, the operational lift is significant.

Why This Is Hard Without Purpose-Built Tooling

Most healthcare organizations already struggle with basic device inventory accuracy. Medical devices like infusion pumps, imaging systems, and patient monitors; IoT devices like IP cameras and printers; and OT devices like building management systems can all hide in plain sight without purpose-built cybersecurity solutions designed for these diverse assets. Many connected devices were deployed years before cybersecurity was a procurement criterion. Most of them run outdated firmware, communicate over unencrypted protocols, and sit on flat network segments alongside IT systems and clinical workstations.

Manually cataloging these devices, assessing their vulnerabilities, and coordinating fixes with manufacturers is a resource problem that doesn’t scale. And the HHSC directive isn’t asking for a one-time audit. FDA guidance under Section 524B expects ongoing vulnerability monitoring, patch management, and coordinated disclosure – a continuous process, not a checkbox.

Where Asimily Fits

Asimily was built for exactly this kind of operational challenge. The platform addresses each of the four HHSC requirements directly:

Full Device Inventory and Categorization. Asimily’s deep packet inspection and protocol analysis passively discover and classify IoT, OT, IT, and IoMT assets across the network – building an accurate, de-duplicated inventory without disrupting clinical operations. That inventory becomes the foundation for everything else: vulnerability prioritization, compliance reporting, and risk reduction.

Vulnerability Detection and Prioritization. Rather than dumping a flat list of CVEs on an already-stretched security team, Asimily analyzes how each vulnerability could actually be exploited in a specific environment. Its patented Attack Vector Analysis cross-references device configuration, network context, and real-world exploitability data (including EPSS scores and MITRE ATT&CK mappings) to surface the vulnerabilities that represent genuine risk – and deprioritize the ones that don’t.

Targeted Risk Mitigation and Microsegmentation. For vulnerabilities that can’t wait for a manufacturer patch, Asimily offers over 180 targeted attack prevention techniques that neutralize specific exploit paths without taking a device offline. For broader protection, the platform generates tailored segmentation and microsegmentation policies that isolate vulnerable devices – policies that integrate directly with existing NAC and network infrastructure.

Ongoing Monitoring and Compliance Support. Asimily continuously monitors device traffic, detects anomalies and indicators of compromise, and captures configuration baselines, alerting teams when a device drifts from its known-good state. For facilities that need to demonstrate compliance with HIPAA, NIST, or FDA frameworks, this continuous visibility translates directly into audit-ready documentation.

Texas Today, Your State Tomorrow

Governor Abbott’s executive order and the HHSC directive are among the most explicit state-level actions tying medical device cybersecurity to regulatory compliance. But the underlying pressure is federal: the FDA’s Section 524B requirements, the updated QMSR aligned with ISO 13485, and HHS’s own January 2026 cybersecurity newsletter all point in the same direction. Other states and CMS itself are likely to follow with similar expectations. At the federal level, healthcare cybersecurity is gaining increased scrutiny across key regulatory bodies. HIPAA is expected to see a cybersecurity overhaul this year, with a proposed rule change likely going into effect in May.

Healthcare organizations that build medical device security programs now – with accurate inventory, risk-prioritized vulnerability management, and continuous monitoring – will be positioned to meet whatever comes next. Those who treat this as a one-off exercise will be starting over the next time a directive lands.

Asimily helps healthcare organizations move from reactive compliance to continuous medical device security. If the HHSC directive is on your radar – or if you want to get ahead of the next one – request a demo to see how the platform works in your environment.
