This report examines how resource-constrained health care systems – small, rural, critical access, family clinics, skilled nursing facilities, FQHCs and many more across the country – are only marginally prepared for ongoing cyber threats to clinical care and operational liquidity, and recommends forms of support they would need against stiffer cybersecurity regulatory requirements.
The Health Sector Coordinating Council Cybersecurity Working Group (CWG) is a governmentrecognized critical infrastructure industry council of more than 490 healthcare providers, pharmaceutical and medical technology companies, payers, health IT entities and government agencies. We partner to identify and mitigate cyber threats to health data and research, systems, manufacturing and most importantly patient care. The CWG membership collaboratively develops and publishes free healthcare cybersecurity leading practices and policy recommendations, and we produce outreach and communications emphasizing the imperative that cyber safety is patient safety.
Washington, DC – April 1, 2025– The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) today recommended in a 2025 Policy Statement that the Trump Administration initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.
Cyber threats to the healthcare sector are a well-documented reality of modern healthcare delivery. Ransomware attacks against members of the ecosystem including hospitals, insurance providers, third-party service providers, and other healthcare delivery organizations (HDOs) routinely deny access to patient care, records, billing systems, and other digital technologies deployed throughout modern healthcare environments. Vulnerabilities discovered in the digital infrastructure relied upon by modern healthcare delivery organizations (HDOs) to deliver quality care pose patient safety and privacy risks that include delay or denial of treatment, data loss, manipulation or corruption of necessary treatment or other digital healthcare data, and the risk of intentionally or unintentionally tampered software, among other potential risks.
The Health Sector Coordinating Council Cybersecurity Working Group offers recommendations for how our industry and the Trump Administration should collaborate toward an updated healthcare cybersecurity policy structure that combines regulation and voluntary commitments for the healthcare industry to protect itself from cyber threats that jeopardize patient care and operational continuity. Specifically, we propose that the Trump Administration and the healthcare industry initiate a structured series of consultations and workshops to forge consensus on a modernized policy for healthcare cybersecurity resiliency, responsibility and accountability.
This checklist aims to raise awareness about critical considerations for informed and swift executive decision-making during and after a cybersecurity incident. These considerations are categorized into Incident Response, Business Continuity, and Communication sections below. By familiarizing themselves with these strategic concerns in advance, healthcare executives can enhance their preparedness to ask the right questions and make effective decisions during a crisis.
The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has worked with HHS, CISA and other federal agencies over the past several years to develop leading cybersecurity practices that are provided to all health organizations in the ecosystem. Today’s release of the HPH Cyber Performance Goals (CPGs) is the next iteration of that partnership. The CPGs amplify the recognition among health providers – large, medium and small – that cyber safety is patient safety, and that focused investment and accountability are imperative to inoculate our data, systems and patients against the rising epidemic of cyber-attacks on the sector. This accountability in turn must be supplemented with government and industry assistance to those under-resourced health systems that accept their cybersecurity responsibility for protecting patient safety as a national imperative but are financially and operationally constrained.
HIC-STAT identifies cyber risks and best practices associated with the use of telehealth and telemedicine, and summarizes the policy and regulatory underpinnings for telehealth/telemedicine cyber risk management. It is targeted for senior executives in healthcare and IT, telehealth service and product companies, and regulators.
MVCT is a toolkit written to provide specific tools to medical device manufacturers and software developers for creating cybersecurity vulnerability communications related to their products or services. This toolkit focuses on vulnerability communications directed to non-security professionals, including clinicians, patients, users, and other readers not familiar with cybersecurity and connected technologies. It is intended to help medical device manufacturers formulate and communicate vulnerability disclosures that all affected audiences, including nontechnical stakeholders, can understand.
The HIC-PIC is a white paper with guidance for how healthcare organizations can protect trade secrets, medical research and other innovation capital from cyber theft.
