Trump bill will have major impact on health care cybersecurity, experts warn Congress
At the outset of a Senate hearing Wednesday on cybersecurity in the health care sector, Sen. Bill Cassidy, R-La., took a moment to implore lawmakers and witnesses to stay focused on the topic at hand — and not veer off into discussions about the impact of cuts to the sector from Republicans’ One Big Beautiful Bill.
Cassidy, chairman of the Senate Health, Education, Labor and Pensions Committee, said any attempts by ranking member Bernie Sanders, I-Vt., or witnesses to steer the hearing in that direction would be “a distraction,” and at one point the Louisiana Republican accused Sanders of spreading “half truths” about the bill’s impact, angrily banging the gavel.
“This is about cybersecurity,” Cassidy said. “Thank you for [all] those who actually talked about cybersecurity. I really appreciate that.”
But during the hearing, multiple witnesses warned that the Republican-passed law will have a devastating impact on cybersecurity and basic services in a health care sector that is already plagued by digital threats. Others decried what they see as a general pullback from the federal government in supporting health care and health care cybersecurity under the Trump administration.
Some witnesses painted a dire funding picture for rural and community hospitals that could only worsen as the GOP’s cuts — which include hundreds of billions of dollars to Medicaid and other health care programs along with an overall reduction of $1.23 billion in cybersecurity spending across the federal government — take effect.
Robert Weissman, co-president of the nonprofit government accountability group Public Citizen, said the cuts to Medicaid and other programs “will put pressure on rural or other institutions who do not have excess capacity for cybersecurity.”
According to Linda Stevenson, chief information officer for Fisher-Titus Medical Center in Ohio, when health care budgets tighten, cyber and IT are often the first priorities to go by the wayside.
A majority of smaller health care providers are already operating in the red and Stevenson — who doubles as Fisher-Titus’ chief information security officer — said many organizations do not have the money to hire even basic cybersecurity staff, or offer competitive salaries when they do.
“We are competing for talent with much larger, better-resourced organizations across the country,” she said. “When hospitals face budget constraints due to stagnant payment rates, they’re often forced to reprioritize spending, directing limited resources towards immediate operational needs and away from long-term spending, such as cybersecurity.”
Other groups, like the American Hospital Association, have said the cuts “will drive up uncompensated care for hospitals and health systems, which will affect their ability to serve all patients,” while forcing hospitals to cut staffing and other essential services to the bone.
Beyond the health care cuts, some witnesses pleaded with lawmakers for the return of federal bodies like the Critical Infrastructure Partnership Advisory Council (CIPAC), which served as an interface between the Department of Homeland Security and industry to coordinate on sensitive security matters and other topics. The council was one of many DHS advisory bodies summarily canceled by the Trump administration shortly after coming into office.
Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council, said the Trump administration’s decision to disband CIPAC “for reasons that are puzzling to us” has left federal stakeholders on the outside of many of these conversations about how providers can counter bad actors in cyberspace.
“We are the private-sector owners and operators of the health system and it is our responsibility to ensure its security and resiliency, but the government should be at the table with us,” said Garcia, adding “we hope that CIPAC or some revised version of it will be reinstated, stat.”
The health care industry continues to deal with the fallout from the Change Healthcare hack last year. That hack, the biggest in health care history, ultimately impacted the personal data of more than 190 million people, while delaying health care payments and causing service disruptions across the U.S.
One thing the hack demonstrated is how large IT and billing providers like Change Healthcare are so widely relied upon in the health care sector that their disruption can cause widespread downstream impact on hospitals and medical providers. It also highlighted just how many different streams of health data companies like Change Healthcare collect and process.
Sen. Maggie Hassan, D-N.H., pointed out that some victims of the hack weren’t notified by Change Healthcare that their data was affected until a year after the incident.
Garcia didn’t have insight into why the company waited that long to notify some victims, but he and several other witnesses pointed to the dizzying constellation of third-party providers hospitals must rely on as a chief reason it can be so difficult to determine if someone’s data was or wasn’t swept up in the hack.
In the end, Garcia said his organization was working on mapping the entire health care sector to “find out where are those other critical services and utilities like Change Healthcare that could be chokepoints, that if severely disrupted could impact the entire sector.”
Garcia’s idea mirrors a previous effort by the Cybersecurity and Infrastructure Security Agency under the Biden administration, pushed by former Rep. John Katko, R-N.Y., to identify “systemically important” critical infrastructure entities and prioritize them for federal assistance.