Report on Patient Privacy 25, no. 8 (August 2025)
At the very top of Fisher-Titus Medical Center’s website is a link to the Change Healthcare HIPAA notice informing visitors of the last day to register for credit monitoring related to the largest health care data breach reported to date, which exposed the protected health information of 190 million people. The Norwalk, Ohio, rural hospital dates back to 1917, but as the notice implies, it is not immune to current cyber threats in the interconnected health care universe.
Linda Stevenson, who does double duty as the 99-bed hospital’s chief information officer and its chief information security officer, knows this only too well. And she needs help.
“While we’re doing our best to establish a robust cybersecurity program, health care providers are too often punished rather than being treated as victims,” Stevenson said. “Every day we are on the front lines fending off increasingly complex and relentless intrusion attempts. We’re up against well-funded criminals that have greater resources than most of our U.S. hospitals.”[1]
Testifying during a recent hearing on cybersecurity before the Senate Health, Education, Labor and Pensions (HELP) Committee, Stevenson added that, “without the funds and access to [an adequate] cybersecurity workforce, rural hospitals will continue to struggle.”
Stevenson was not the only one making a plea for assistance. Greg Garcia, executive director of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, alerted the committee during the hearing, titled “Securing the Future of Health Care: Enhancing Cybersecurity and Protecting Americans’ Privacy,” to a worrying development: the government has stopped meeting with the working group.
Urgent Call to Replace CIPAC
“Until recently, we have been collaborating with government” under the Critical Infrastructure Partnership Advisory Council (CIPAC), a valued framework that “allows the government to meet with us and all critical infrastructure councils in a protected environment to share sensitive information and consider strategic policy options. But the CIPAC framework was canceled earlier this year for reasons that are puzzling to us,” Garcia said.
“We hope that CIPAC or some revised version of it will be reinstated STAT,” he told the committee.
Another speaker during the hearing also called for new legislation that encompasses organizations that today fall outside of HIPAA.
During her testimony, Stevenson noted that “cybersecurity is costly and recruiting and retaining qualified IT and cybersecurity professionals remains a challenge for small, rural and under-resourced hospitals. The switch to remote work has only exacerbated that…and we are competing for talent with much larger, better resourced organizations across the country. Most rural hospitals cannot afford a full-time cybersecurity leader of any kind.”
With regard to regulatory burden, “the impact of complying with multiple overlapping and burdensome health care mandates can be debilitating,” she said. Regardless of its size, her hospital “must meet the same standards as all of the larger organizations but lack[s] the staff and the infrastructure to do that efficiently,” Stevenson said.
“Any efforts to reduce or streamline regulatory burdens and improve operational efficiency would be appreciated. Rural hospitals like Fisher-Titus are actively making improvements to improve our cybersecurity posture, but we cannot do it alone,” Stevenson said. “Ongoing support for federal tools is needed.”
Stevenson is as involved as she can be, serving as a board member for the College of Healthcare Information Management Executives and participating in other industry organizations, such as the Health Information Sharing and Analysis Center, known as H-ISAC, to obtain threat and compliance information, but she noted membership is costly.
Relief From ‘Burdensome’ Vetting of Vendors Sought
Without providing specifics, Stevenson said, “we must chip away from punitive approaches. These only worsen the burden and divert resources from patient care. Instead, we need to support policies that empower health care providers to strengthen their cybersecurity defenses.”
In particular, providers “wrestle with significant vulnerabilities brought on by third-party partners. Managing the security of hundreds of external partners is resource intensive for all hospitals, but especially for rural health care providers,” Stevenson said.
“One of the challenges we have as we partner with…whether it’s a vendor or an external consultant or any organization…is ensuring that they have as much protection around the data that we do. So, I need to submit system assessments to a particular vendor, ensure that they complete the information and they have a robust program before I can even contract with them to do the work. And that is very burdensome for us to have to do that,” Stevenson said, adding that, “every other health care organization in the area has to do the same thing.”
What would be “incredibly helpful” is to have an “approved list of vendor products that have already been vetted and that meet a baseline set of standards of privacy and security,” she said. “This would bring efficiency to the marketplace and help under-resourced providers purchase third party services with greater confidence.”
Garcia, as noted earlier, made a similar case for government help. Like H-ISAC, HSCC is part of the public-private partnership that develops and shares resources for hospitals like Stevenson’s; to date, it has produced 26 documents and 15 policy advisories. In February 2024, HSCC developed a five-year cybersecurity strategic plan, a “call to action for organizations throughout the healthcare ecosystem to implement foundational cybersecurity programs that address the operational, technological, and governance challenges posed by significant healthcare industry trends over the next five years.” RPP will report on the strategic plan in a future story.
Feds ‘Should Be at the Table’
HSCC is one of 17 designated critical infrastructure councils that “partner with government under a national policy framework to identify and mitigate cyber threats to the health care system,” Garcia said. “Our sector faces a number of critical threats in disruptions that involve health data and research, administrative, financial and operational systems, medical product manufacturing, and most importantly, patient care.”
The groups all came together under CIPAC, but that is no longer the case. On Jan. 20, the day President Donald Trump took office, the acting Department of Homeland Security (DHS) secretary announced the termination of “all current memberships on advisory committees within DHS, effective immediately,” a move taken “in alignment” with DHS’ “commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security.”
On March 13, DHS identified in a Federal Register notice all eight advisory councils it terminated, this time stating the action was taken “in accordance with” Trump’s executive order, “Commencing the Reduction of the Federal Bureaucracy.” CIPAC, created in June 2006, had its charter renewed in October. DHS also shut down the Cyber Investigations Advisory Board and the Data Privacy and Integrity Advisory Committee.
Dismantling CIPAC “leaves government out of the discussions that can help us collectively counter the adversary,” Garcia said. The health care private sector accepts that “it is our responsibility to ensure its security and resiliency. But the government should be at the table with us, and they should be able to promote to the broader community our effective cybersecurity resources that we have spent so much time and energy on and that we can hold ourselves accountable to.”
He added that Congress needs to reauthorize the 2015 Cybersecurity Information Sharing Act, which expires Sept. 30, the end of this fiscal year. This law “supports industry’s ability to voluntarily share sensitive information, threat and vulnerability information with the government without fear of regulatory jeopardy or public disclosure,” Garcia said.
He also said the working group does not support the proposed changes to the HIPAA Security Rule, calling them “cumbersome, vague, costly, fairly unrealistic and questionable for actually improving cybersecurity.”
Instead, the government should “organize a series of consultations with leaders in the health sector to negotiate a modernized policy for health care cybersecurity,” Garcia said. “We’ve not yet received a response from the administration to this proposal, but we stand ready to work with them when and if they are organized for this challenge.”
Federal Law Should Preempt State Patchwork
During his testimony, Rene Quashie, vice president for digital health for the Consumer Technology Association (CTA), advocated for national legislation.
CTA “believes guidelines and industry standards play an important role. We recognize the need for a comprehensive preemptive federal data law that protects consumers and promotes innovation without incentivizing frivolous lawsuits and creating a patchwork of state privacy laws on that point,” Quashie said. “Currently, 20 states have privacy laws for businesses, especially small businesses and startups. Complying with that many laws stifles innovation and creates unnecessary barriers to entry. Navigating conflicting or inconsistent requirements increases legal risk, drives up operational costs, and makes it harder to build uniform products and services that meet consumer expectation for consumers. It makes little sense why one person located in one state might have differing rights than another in a different state, even if they’re using the same product.”
What’s needed, Quashie said, is a “uniform risk-based and innovation-friendly federal privacy law to achieve this balance” and that does not contain a private right of action.
But it’s not clear how or when the HELP Committee might act—few senators directly addressed any of the concerns speakers raised, and no new bills were discussed at the hearing. Some Democratic HELP members expressed concerns that Medicaid cuts in the recent reconciliation bill will hurt small and rural hospitals’ security compliance. Stevenson responded that her hospital did not know yet what the impact would be.
HELP Committee Chair Bill Cassidy, R-La., introduced a bipartisan cybersecurity bill last November that would provide training to health entities on cybersecurity best practices and improve coordination between federal agencies, among other goals. Now that there is a new session of Congress, it will have to be reintroduced.
“Congress must work with health care entities to improve resiliency against cyberattacks,” Cassidy said during the hearing. He added that he looks forward “to working with President Trump and my colleagues to advance this legislation through Congress and get [it] signed into law,” but provided no timeline. As of RPP’s deadline, the bill had not been reintroduced.
Wyden, Warner Push OCR on Staffing, Data
But Cassidy’s was not the only recent cybersecurity legislation. Last year, Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., also introduced a cybersecurity bill that removed penalty caps for HIPAA violations, among other changes. A spokesperson for Wyden on the Finance Committee, where he is the ranking member, told RPP on Aug. 1 there was no timeline for reintroduction of their bill.
However, Wyden and Warner have been pushing in other ways. Last month, they posed six cybersecurity-related questions, some with multiple parts, to HHS Secretary Robert F. Kennedy Jr. and Mehmet Oz, administrator of the Centers for Medicare & Medicaid Services.
Their letter was timed to passage of the reconciliation bill and sought details of a new Rural Health Transformation Program. But it also expressed broad concerns about OCR and asked about HHS’ plans for proposed revisions to the Security Rule.
The senators warned that “extensive health care cuts” contained in the reconciliation law may result in “degrading cyber resiliency, which may increase cyberattacks that will shut down the ability of hospitals to provide patients with lifesaving care.”[2]
They said the administration had already “chosen to gut cybersecurity operations at HHS,” per the agency’s March “formal plan to reorganize the agency and centralize IT functions, reducing the staff who were responsible for protecting sensitive patient data from cybersecurity breaches by contractors and other third parties.”
Senators to OCR: Are You Doing Your Job?
Wyden and Warner said OCR, “charged with investigating hacks and protecting privacy, has shifted its limited resources away from investigating cybersecurity breaches, further undermining its minimal oversight functions. The lack of federal oversight and resources, coupled with historic cuts to Medicaid and the Affordable Care Act (ACA), only serve to increase rural and small hospitals’ cybersecurity vulnerabilities.”
The letter sought details on OCR’s funding and operations, pointedly asking, “Does OCR continue to investigate cybersecurity breaches at health care facilities, including rural hospitals and small hospitals?”
The senators added that it is their “understanding that OCR has lacked sufficient funding to investigate cybersecurity breaches at health care facilities. Does OCR now have sufficient funding to carry out these functions? If so, then how has the funding for OCR to complete these functions changed over the past year? If not, which operating division within HHS is responsible for these investigations?” they asked.
They also sought a “breakdown of how much federal funding and how many [full-time equivalents] at HHS are dedicated to cybersecurity breach investigations.”
Regarding the Security Rule, Wyden and Warner said the regulation hadn’t been “meaningfully updated since 2003. What is the status of the proposed rule? Does HHS intend to finalize this rule?” they asked.
As of Aug. 1, Wyden and Warner were still waiting for a response, the spokesperson told RPP.
Both the House and Senate are now out of session for their August recess. When they return in September, their first order of business will be passing appropriations legislation to fund the government past Sept. 30 to avoid a partial shutdown. The reconciliation law is a 10-year spending plan that must be implemented through specific appropriations bills. Congress would also have to act quickly if it wants to reauthorize the information sharing law before it expires.
1 United States Senate Committee on Health, Education, Labor and Pensions, “Securing the Future of Health Care: Enhancing Cybersecurity and Protecting Americans’ Privacy,” full committee hearing, July 9, 2025, https://bit.ly/3UNRnu4.
2 U.S. Senator Ron Wyden, U.S. Senator Mark Warner, hospital cybersecurity letter to Health and Human Services Secretary Robert F. Kennedy Jr., Centers for Medicare & Medicaid Services Administrator Mehmet Oz, July 18, 2025, https://bit.ly/4l7NSJI.