Senate HELP hearing spotlights health‑care cybersecurity risks; witnesses urge HIPAA update and federal privacy law

Health, Education, Labor, and Pensions: Senate Committee · July 9, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

At a Senate HELP Committee hearing, witnesses from industry, trade groups, rural hospitals and academia warned that cyberattacks on health systems can halt patient care, and urged a modernized HIPAA security rule, federal privacy protections for consumer health data, and targeted federal support for rural hospitals.

The Senate Health, Education, Labor, and Pensions Committee held a hearing focused on cybersecurity risks to the U.S. health system, where witnesses warned that ransomware and breaches can disrupt patient care, delay payments and threaten hospital solvency — particularly at rural providers.

Greg Garcia, executive director of the Health Care and Public Health Sector Coordinating Council, summarized sector concerns and framed cybersecurity as a patient‑safety issue: "cybersecurity is patient safety." He said sustained ransomware and other cyberattacks force hospitals to divert or turn away patients, freeze claims processing, and can halt manufacturing of medical products. Garcia told the committee that the CPAC advisory framework — which allowed sensitive private‑public exchanges — was canceled earlier in the year, and he urged its reinstatement or a similar mechanism to restore coordinated information sharing.

Renee Quashie, vice president for digital health at the Consumer Technology Association, said the current privacy framework is "outdated and incomplete" and that non‑HIPAA devices and apps often handle sensitive health information without clear protections. Quashie recommended a uniform federal privacy law that preempts state laws, provides stronger enforcement through a designated federal agency, and avoids a private right of action to reduce litigation burdens on innovators.

Linda Stevenson, chief information officer at Fisher Titus, a rural acute care hospital in Norwalk, Ohio, described practical hurdles: many rural hospitals cannot afford dedicated cybersecurity staff, face vendor‑vetting burdens that duplicate work across providers, and operate on narrow margins that make long‑term cybersecurity investments difficult. She asked for federal tools, financial assistance, emergency liquidity support after breaches, and a vetted list of third‑party vendor products that meet baseline privacy and security standards.

Robert Weisman of Public Citizen argued that corporate concentration and the centrality of a few third‑party firms increase systemic risk, pointing to the Change Healthcare breach as an example. He opposed proposals that would immunize large technology firms from liability, and called instead for stronger standards and enforcement for large companies that operate critical services.

Dr. Lisonbee Galvani, a professor at Yale, presented modeling work showing that projected losses of health coverage under recently passed reconciliation legislation (17 million people losing insurance, per the CBO) could lead to an estimated 51,000 excess deaths annually and large increases in untreated chronic conditions. Several senators, including Senator Sanders and Senator Hassan, tied concerns about cybersecurity to broader worries about the reconciliation bill's impacts on rural hospitals, nursing homes and community health centers.

In questioning, senators pressed witnesses on workforce development, vendor certification, and regulatory approaches. Suggestions included adopting a FedRAMP‑style certification for vendors that connect to patient systems, temporary leniency on breach‑reporting deadlines to allow recovery efforts, emergency payments or loan terms that do not impose unfair conditions on affected rural hospitals, and incentives in reimbursement to reward providers meeting cybersecurity standards.

Witnesses and senators converged on several policy options: reinstate a protected public‑private advisory forum for sharing threat information (or a functional equivalent); modernize the HIPAA security rule in close consultation with sector stakeholders; consider a federal privacy law covering consumer health data from wearables and apps; develop baseline vendor certification to reduce duplicate vetting; and provide targeted federal resources and workforce pipelines for rural hospitals.

The committee closed the hearing and invited additional questions for the record.