
In the wake of DOGE cuts on cyber, why the healthcare industry must step up


COMMENTARY: The first week of April marked a pivotal moment in the evolution of healthcare cybersecurity. The House Energy and Commerce Oversight and Investigations Subcommittee hearing on April 1, 2025—featuring testimonies from Intermountain’s Erik Decker and the Healthcare Sector Coordinating Council's (HSCC’s) Greg Garcia—cast a spotlight on the cybersecurity vulnerabilities in legacy medical devices.

At the same time, sweeping layoffs within the Department of Health and Human Services (HHS), particularly across the Food and Drug Administration (FDA) and Centers for Disease Control (CDC), raised serious questions about the government’s capacity to oversee and support national cybersecurity.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

While the headlines understandably focus on the cuts—between 10,000 and 20,000 jobs under Secretary Robert F. Kennedy, Jr.’s federal restructuring initiatives, including 3,500 at the FDA and more than 2,400 at the CDC—it’s shortsighted to view these changes solely through the lens of lost headcount. Instead, this moment offers a broader opportunity to reconsider how we govern, support, and enforce cybersecurity standards across the healthcare industry—and, more importantly, who’s responsible.

Healthcare cybersecurity is not simply a federal issue. It’s a national priority—intertwining patient safety, economic stability, and critical infrastructure protection. And yet, as we face increasing threats from ransomware groups and nation-state actors, our approach remains fragmented.

In 2024, 92% of healthcare organizations reported experiencing cyberattacks, and 69% of these resulted in disruptions to patient care. Furthermore, the HSCC noted a substantial increase in ransomware attacks, impacting 141 hospitals in 2023 alone, with an average ransom demand of $1.5 million. These alarming figures underscore the urgency for robust public-private partnerships.

Historically, federal agencies like the FDA and HHS have played a central role in issuing guidelines, encouraging voluntary frameworks, and, when necessary, leveraging regulatory mechanisms to address cybersecurity concerns. However, these agencies are not security organizations—they are public health entities. Expecting them to lead the charge on all fronts of cyber defense is unrealistic, especially as resources shrink.

That’s why we must build the future of healthcare cybersecurity around stronger, more operationalized public-private partnerships, not just government mandates. The House subcommittee hearing, while focused on legacy devices, underscored this need. Erik Decker and Greg Garcia, both champions of collaborative cybersecurity efforts, emphasized the role of industry in defining and enforcing best practices. Their leadership within the HSCC exemplifies how industry can self-organize.

And it’s not to say that government has no role—quite the opposite. Federal agencies must continue to facilitate alignment, act as conveners of standards bodies, and enforce minimum safety requirements where risk justifies it. But they should also shift toward enablement and partnership models, delivering funding, intelligence, and shared infrastructure to amplify what the private sector already does.

Healthcare delivery organizations (HDOs), vendors, managed security service providers (MSSPs), and cybersecurity innovators should not operate in silos. With the right structure, a self-governing model of healthcare cybersecurity—supported by federal guardrails—could be more agile, more responsive to emerging threats, and more scalable than existing regulatory paradigms. This type of model would let industry leaders co-develop certification programs, define essential cyber hygiene standards, and influence enforcement priorities while adapting quickly to the constantly shifting threat landscape.

However, this vision requires a fundamental shift in mindset. It asks federal leaders to let go of centralized control and trust in the maturity of private-sector capabilities. It requires healthcare CISOs to engage in national dialogues, contribute to the development of shared frameworks, and ensure accountability among peers. And it requires cross-industry collaboration—with security vendors, MSSPs, device manufacturers, and even payers—to build a common cybersecurity fabric that supports resilience from the inside out.

The layoffs at HHS and the testimonies in Congress are not separate storylines. They are threads of the same narrative: the decentralization of cybersecurity leadership in healthcare. Whether by necessity or by design, the government plans to step back. So, can the private sector step up?

We cannot afford to wait for another wave of devastating ransomware attacks or nation-state intrusions to determine the answer. Now's the time for structural realignment. Not just to fill the gaps left by federal cuts, but to build a more sustainable, agile, and outcome-driven cybersecurity ecosystem that transcends traditional boundaries between the public and private sectors.

The healthcare industry has the ability to lead this transformation. Unlike many other critical infrastructure sectors, it touches every American, holds intensely personal data, and operates within complex care delivery and payment systems. If we can get cybersecurity right in healthcare, we can set a precedent for how public-private partnerships should operate in other domains as well.

As we look ahead, we should not debate whether the federal government or the healthcare industry should lead cybersecurity efforts. We both have to lead — and together. But the model must evolve. And last week was potentially the inflection point that will force us to begin that evolution in earnest.

Russell Teague, chief strategy officer and CISO, Fortified Health Security
