
Greg Garcia, Executive Director, Health Sector Coordinating Council Cybersecurity Working Group
Industry and government must act now to stabilize healthcare cybersecurity by 2029, leaders say
The Healthcare and Public Health Sector Coordinating Council (HSCC) on Tuesday issued a call for urgent reforms in the nation’s healthcare cybersecurity policy, testifying before the U.S. Senate Committee on Health, Education, Labor and Pensions (HELP) with a suite of recommendations aimed at addressing the sector’s increasing vulnerability to cyberattacks.
Speaking on behalf of the HSCC Cybersecurity Working Group (CWG), Executive Director Greg Garcia outlined a multi-part plan that seeks to realign government policy, infrastructure planning, and private-sector accountability to better safeguard healthcare systems and patient data.
Calling for a Pause on HIPAA Security Rule Updates
Garcia began by urging the federal government to halt further movement on proposed updates to the HIPAA Security Rule, initially published for public comment in January. Instead, he called for the launch of a structured consultation process—led by the HSCC in coordination with public and private stakeholders—to develop a modernized cybersecurity policy framework.
Mapping Critical Infrastructure and Enhancing Risk Visibility
Garcia’s second recommendation focused on completing a systemic infrastructure mapping and risk assessment across the healthcare sector. The goal is to provide a detailed understanding of interdependencies—such as utilities, data services, and vendor systems—whose failure could trigger widespread disruption.
Restoring and Reauthorizing Cybersecurity Collaboration Channels
To improve coordination between public and private sectors, the HSCC urged the reinstatement of the Critical Infrastructure Partnership Advisory Council (CIPAC) framework through the Department of Homeland Security. In tandem, Garcia called for immediate reauthorization of the Cybersecurity Information Sharing Act of 2015, which is set to expire this September. The law enables trusted, two-way threat intelligence communication between government and industry partners.
Raising the Bar for Vendors and Third-Party Providers
Garcia also proposed that third-party vendors and business associates be held to a higher standard for cybersecurity. Specifically, he recommended a “secure by design and by default” approach to technology products and services that interact with clinical and operational systems.
Investing in Rapid Response and a Cyber Safety Net
Two related recommendations emphasized proactive defense: first, the creation of a government-industry rapid response capability to contain and mitigate cyber incidents; and second, targeted investments in a “cyber safety net” for underserved providers, which would include both funding and accountability mechanisms.
Aligning with the 5-Year Strategic Plan
Garcia closed with a broader appeal to implement the HSCC’s 5-Year Health Industry Cybersecurity Strategic Plan, released earlier this year. The plan outlines 10 cybersecurity goals and 12 implementation objectives, with a target year of 2029 for achieving a secure and resilient healthcare ecosystem.
Among the strategic priorities:
- Making cybersecurity easier for clinicians and patients;
- Sharing responsibility for secure technology deployment;
- Embedding cybersecurity in enterprise risk planning;
- Ensuring equitable support across all provider types;
- Training the healthcare workforce in cyber hygiene; and
- Establishing a continuous, national-level cyber incident response capability—described by Garcia as a “911 cyber civil defense” system.
The HSCC Cybersecurity Working Group’s full testimony and strategic plan are available here. For more information: https://healthsectorcouncil.org/contact/

