Health care facilities this year should prepare for new cybersecurity compliance goals from regulators—likely requiring additional investments and posing greater enforcement risks.

The concern is driven in part by a “concept paper” issued last month by the Department of Health and Human Services that paints a broad picture of how regulators could deal with cybersecurity risks in the near future.