The Cybersecurity Working Group (CWG) within the U.S. Healthcare and Public Health Sector Coordinating Council (HSCC) recommended in a 2025 Policy Statement that the federal administration initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices for which healthcare stakeholders can be held accountable. It also proposed that the administration and the healthcare industry initiate a structured series of workshops to forge consensus on a modernized policy for healthcare cybersecurity resiliency, responsibility, and accountability.
The HIPAA Security Rule Notice of Proposed Rule Making (NPRM) released last December either dismisses these developments or mischaracterizes their potential for measurable improvement. A considerable number of the 52 CWG member industry associations that submitted comments on behalf of their constituent members made clear to HHS their concerns about the cost and complexity of implementing the rule and the doubtful effectiveness of compliance at actually improving security.
“Given extensively critical feedback submitted by sector stakeholders about the NPRM, the Health Sector Coordinating Council Cybersecurity Working Group advises that the Administration suspend any further consideration of the NPRM as written and initiate a structured series of consultations and workshops with the HSCC CWG and other owners and operators of our national critical healthcare infrastructure to forge consensus on a modernized policy for healthcare cybersecurity resiliency, responsibility and accountability,” according to the Statement on Healthcare Cybersecurity Policy. “Such an approach would operationalize the aforementioned executive orders on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure and Achieving Efficiency Through State and Local Preparedness.”
It added that the precedent for this approach to cybersecurity policy is the development of the National Institute of Standards and Technology (NIST) Cybersecurity Framework as directed in Executive Order 13636 of 2013 on ‘Improving Critical Infrastructure Cybersecurity.’ The EO directed NIST to serve as a convening authority for the private sector to drive the development of the Cybersecurity Framework (CSF) for critical infrastructure protection, guided by NIST workshop processes over a prescribed period of one year.
The result was good policy put into practice. The CSF has grown organically over the past decade into the guiding reference for essential cybersecurity practices. It establishes ‘the What’ – expected objectives and measurable outcomes – and leaves the owners and operators of critical infrastructure to implement ‘the How’ – specific technical, operational, and managerial controls tailored to those objectives, against which they can be held accountable. The approach replaces static one-size-fits-all regulation with guidance that is relevant and scalable to each sector’s imperatives, flexible enough to meet evolving threats and disruptive technology, cost-efficient, and effective at measurably improving cybersecurity outcomes.
The HSCC statement detailed that the public-private partnership model that engages all critical infrastructure sector coordinating councils has developed over 25 years, built on a foundation of presidential executive orders and statutes, notably Executive Order 13800, ‘Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,’ signed by President Donald Trump in 2017. On Mar. 19, 2025, he signed the Executive Order on ‘Achieving Efficiency Through State and Local Preparedness.’ These policies institutionalize joint industry and government identification and mitigation of systemic threats to the nation’s critical infrastructure, with sustained policy and practices that support the sector’s security and resiliency.
The statement also observed that the HICP (Health Industry Cybersecurity Practices) can serve as a starting point for identifying priority practices that can be mandated as baseline controls, and the ‘Recommendations for Government Policy and Programs’ document presents principles and programmatic ideas which can supplement discussions toward joint commitments for a higher level of community security and accountability.
Additionally, when applied specifically to healthcare and its supporting infrastructure, the approach would represent a contract between the healthcare industry and government for an accountable and effective healthcare cybersecurity policy.
“As HICP, the HPH Cyber Performance Goals and other leading practices developed by the CWG were designed to map in various degrees to the NIST CSF, we propose that the HSCC Cybersecurity Working Group and other leaders in the industry convene with government to design a healthcare-specific policy, programmatic and regulatory framework that maps to CSF for interconnected owners/operators and their supporting infrastructure in the healthcare ecosystem,” according to the policy statement. “The framework would be informed in part by the methodologies and findings of the Hospital Landscape Analysis and the HSCC Prioritized Recognized Cybersecurity Practices.”
The statement also held that the framework must apply to the currently unregulated technology and service providers that interact with healthcare; it should not be the sole responsibility of covered entities to independently confirm their third parties’ alignment with cybersecurity controls.
Earlier this week, the HSCC proposed in congressional testimony to the House Energy and Commerce Committee that any technology and service providers supporting critical healthcare infrastructure should be held to higher standards of cybersecurity. Healthcare is designated critical infrastructure because lives are at stake, and protecting those lives by hardening digital healthcare infrastructure and its inputs should not be optional.
The policy statement added that the results of this consultative process would enable the sector and government to prioritize the most critical cybersecurity controls that should be made mandatory – staggered over a phased period – and to identify which should be allowed to evolve through incentives and support for needs-based, resource-constrained health providers, practices, and clinics in rural, urban, and other hard-working communities across America.
In written testimony before the House Energy and Commerce Subcommittee on Oversight and Investigations, Greg Garcia of the HSCC CWG also stated that “The healthcare industry is now targeted by more cyber attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”
Garcia recommended the initiation of a consultative process between the health sector and the government that starts with the developed best practices – by the sector for the sector and jointly with HHS. “This process would supplant one-way government regulation that presumes the best way to do things, with a more deliberative pathway toward eventual requirements for minimum cybersecurity accountability.”
He added that such discussions could include recommendations that CMS review bundled payments to more thoroughly account for the expense of medical devices and the need to keep devices patched and up to date against cyber threats.
Such discussions could also cover the development and enforcement of higher ‘secure by design and secure by default’ standards for otherwise unregulated third-party technology and service providers that sell into critical healthcare infrastructure and to medical device manufacturers. The recommendation includes a national effort to diagram essential medical workflows that depend on critical third-party services and functions whose disruption could cause systemic risk and cascading damage to patient care and operational resiliency. Such workflows include medical device imaging, diagnostics, and therapeutic services.
Finally, Garcia called for mobilizing a more responsive government and industry intelligence, preparedness, and rapid response capability for cyber events at the federal, state, regional, and local levels, particularly those targeting resource-constrained health systems and connected medical devices.
Garcia further noted in his testimony that as “we continue to improve on implementation and effectiveness of those practices across the health sector, pressures will remain on resource prioritization among both communities, whether it be manufacturer considerations about costs associated with re-engineering, retooling, global third-party component sourcing and security, regulatory delay and time to market, or hospital concerns about cybersecurity costs and complexity, attracting and retaining clinical staff, physical facility upkeep, and regulatory compliance, and reduced reimbursement pressures.”
“Given this distressed dynamic, we cannot pursue an imbalanced strategy on just one element or subsector in a broader healthcare ecosystem subject to systemic cyber risk,” Garcia highlighted. “With multiple healthcare subsectors – providers, payers, medtech, pharma and labs, and health information technology – all subject to varying business models, risk profiles and regulatory requirements, the task before us must be holistic, comprehensive and cross-sector.”
In a recent Presidential document, President Trump announced the extension of the national emergency concerning ongoing malicious cyber activities against the country for another year. The national emergency was first issued in April 2015 to deal with the unusual and extraordinary threat to the national security, foreign policy, and economy of the U.S., constituted by the increasing prevalence and severity of malicious cyber-enabled activities originating from or directed by persons located, in whole or in substantial part, outside the country.