Commentary: The first week of April marked a pivotal moment in the evolution of healthcare cybersecurity. The April 1, 2025 hearing of the House Energy and Commerce Oversight and Investigations Subcommittee, featuring testimony from Eric Decker of Intermountain and Greg Garcia of the Health Sector Coordinating Council (HSCC), highlighted the cybersecurity vulnerabilities of legacy medical devices. Layoffs at the Food and Drug Administration (FDA) and the Centers for Disease Control (CDC) have raised serious questions about the government's ability to oversee and support national cybersecurity.

(SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.)

It would be myopic to view these changes, with 3,500 at the FDA and over 2,400 at the CDC, through the lens of lost personnel alone. Instead, this moment offers a broader opportunity to rethink how cybersecurity standards are managed, supported and implemented across the healthcare industry and, more importantly, who is responsible.

This is a national priority, like patient safety, economic stability, and critical infrastructure protection. Still, in the face of an increase in threats from ransomware groups and nation-state actors, our approach remains fragmented. In 2024, 92% of healthcare institutions reported experiencing cyberattacks, with 69% of these causing disruptions in patient care. Furthermore, HSCC noted a significant increase in ransomware attacks, affecting 141 hospitals in 2023 alone, with an average ransom demand of $1.5 million. These surprising figures underscore the urgency for robust public-private partnerships.

The government has historically been central, using regulatory mechanisms to issue guidelines, encourage voluntary frameworks, and address cybersecurity concerns where necessary. However, these agencies are not security organizations, but public health agencies. Expecting them to lead the charge in all aspects of cyber defense is unrealistic, especially as resources are reduced.
That is why healthcare cybersecurity must be built not only on government duties but on stronger, operational public-private partnerships. The House Subcommittee hearing highlighted this need while focusing on legacy devices. Both champions of joint cybersecurity efforts, Eric Decker and Greg Garcia highlighted the role of the industry in defining and implementing best practices. Their leadership within the HSCC illustrates how the industry can self-organize.

This does not mean that government has no role. Federal agencies must continue to promote coordination, act as conveners of standards bodies, and implement minimum safety requirements where risk justifies it. But they must also shift to enablement and partnership models, providing funding, intelligence and shared infrastructure to amplify what the private sector is already doing.

Healthcare delivery organizations (HDOs), vendors, managed security service providers (MSSPs), and cybersecurity innovators should not operate in silos. With proper structure, a self-governance model of healthcare cybersecurity supported by federal guardrails is more agile, more responsive and more scalable than the existing regulatory paradigms. This type of model allows industry leaders to co-develop certification programs, define critical cyber hygiene standards, and quickly adapt to ever-changing threat situations, while defining enforcement priorities.

It calls on federal leaders to let go of centralized control and trust in the maturity of civilian capacity. It requires healthcare CISOs to engage in national dialogue, contribute to the development of shared frameworks, and ensure accountability among their peers. It also requires cross-industry collaboration with security vendors, MSSPs, device manufacturers and even payers, creating a popular cybersecurity fabric that supports resilience from within.

HHS layoffs and Congressional testimony are not separate storylines. They are threads of the same story.
That story is the decentralization of cybersecurity leadership in healthcare. Whether inevitable or by design, the government is set to retreat. So can the private sector step up? We cannot afford to wait for another wave of catastrophic ransomware attacks or nation-state intrusions to decide the answer.

Now is the time to reorganize the structure, not only to fill the gaps left by federal cuts, but to build a more sustainable, agile, outcome-driven cybersecurity ecosystem that transcends traditional boundaries between the public and private sectors.

The healthcare industry has the capacity to lead this transformation. Unlike many other critical infrastructure sectors, it touches all Americans, holds very personal data and operates within complex care delivery and payment systems. If you can get cybersecurity right in healthcare, you can set a precedent for how public-private partnerships work in other domains.

Looking ahead, the discussion should not be about whether the federal government or the healthcare industry should lead cybersecurity efforts. Both must lead, and together. However, the model needs to evolve. And last week was a potential inflection point that forced us to begin to fully evolve.

Russell Teague, Chief Strategy Director and CISO, Enhanced Health Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has the goal of bringing a unique voice to key cybersecurity topics. We strive to ensure that our content is of the highest quality, objective and non-commercial.