
Senate HELP hearing: witnesses urge HIPAA modernization, vendor standards and federal support for rural hospitals after large breaches

July 09, 2025 | Health, Education, Labor, and Pensions: Senate Committee, Standing Committees - House & Senate, Congressional Hearings Compilation


This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting.

The Senate Committee on Health, Education, Labor and Pensions convened a hearing on cybersecurity in the health sector that brought testimony from industry, provider and consumer-advocacy witnesses about cyber risks to patient care, data exposures and gaps in law and resources.

Greg Garcia, executive director of the Health Care and Public Health Sector Coordinating Council, said the sector faces "critical threats and disruptions" across clinical, administrative and manufacturing systems and emphasized that "cybersecurity is patient safety." He described work by the sector coordinating council to produce voluntary best practices and policy advisories and urged reinstating a protected advisory forum (CPAC) and reauthorizing the Cybersecurity Information Sharing Act of 2015 so industry and government can share sensitive threat information.

Renee Quashie, vice president for digital health at the Consumer Technology Association, told the committee the current federal privacy framework is fragmented and urged a comprehensive, preemptive federal privacy law to cover non‑HIPAA entities and consumer-facing devices. "Many consumer-facing digital manufacturers and deployers are not considered covered entities under HIPAA," Quashie said, and as a result consumers "have few legal protections and control over their health information captured by devices."

Linda Stevenson, chief information officer at rural Fisher Titus Regional Medical Center in Norwalk, Ohio, described the practical constraints faced by small hospitals: cybersecurity is expensive; recruiting and retaining skilled staff is difficult; many rural hospitals operate at a loss; and third‑party vendor vetting places a heavy administrative burden on under-resourced providers. Stevenson said she performs both CIO and CSO roles at her hospital and recommended a vetted list of vendor products that meet baseline privacy and security standards to reduce duplicative assessments.

Robert Weisman, co‑president of Public Citizen, and other witnesses raised concerns about corporate concentration and the need for stronger accountability for large companies that manage critical health-sector functions. Panelists repeatedly referenced last year’s Change Healthcare disruption; Chairman Cassidy and witnesses said that attack exposed sensitive data at scale and caused major operational disruptions.

During questioning, senators and witnesses discussed the proposed January update to the HIPAA security rule. Industry witnesses said the proposed rule contained useful elements but also described it as potentially onerous, vague and costly for small providers. Witnesses proposed negotiating a modernized, enforceable security standard that draws on existing sector best practices and includes clear rules for third‑party service providers and software vendors. Several witnesses pointed to a federal "seal" or certification (analogous to FedRAMP for cloud services) or industry-developed "cyber trust mark" to help rural providers select vetted vendors.

Multiple senators — led by Ranking Member Bernie Sanders and supported by some witnesses — also raised concerns that recent congressional budget legislation will cut Medicaid and other programs, citing nonpartisan estimates and academic modeling that such cuts could reduce coverage and strain rural hospitals. Dr. Lisonbee Galvani of Yale, appearing as a witness on research about coverage losses, summarized modeling concluding that a CBO estimate of 17 million people losing coverage could be associated with increased mortality and treatment gaps.

No formal committee votes were taken on cybersecurity legislation at the hearing. Senators and witnesses requested follow-up materials and announced questions for the record due by July 23. The committee closed the hearing after additional questions and witness exchanges.
