Senate HELP Sounds the Alarm on Health Cybersecurity

From ransomware attacks to HIPAA loopholes and the vulnerability of wearable tech, witnesses laid out urgent cybersecurity threats facing the U.S. healthcare system—and what must be done to fix them.

⚡️ NIMITZ HEALTH NEWS FLASH ⚡️ 

Securing the Future of Health Care: Enhancing Cybersecurity and Protecting Americans’ Privacy

Senate HELP Committee

July 9th, 2025 (recording linked here)

WITNESS & TESTIMONY

HEARING HIGHLIGHTS

🤖 Third-Party Cybersecurity Risks in Healthcare

The hearing highlighted widespread concern about cybersecurity vulnerabilities introduced by third-party vendors. Hospitals, especially rural ones, lack the resources to independently verify each partner’s data protections, even as sensitive patient information flows through them. Witnesses supported the creation of a centralized certification system to streamline vendor vetting and improve trust across the healthcare ecosystem.

🏥 Rural Hospitals and Cybersecurity Readiness

Rural hospitals face acute cybersecurity challenges due to staffing shortages, limited budgets, and outdated systems. Breaches like the Change Healthcare attack had disproportionate impacts on these providers, disrupting operations and finances. Testimony emphasized the need for federal support, flexible regulations, and workforce investment to help rural hospitals build cyber resilience.

🔓️ Gaps in Health Data Privacy Protections

HIPAA does not cover health data from wearables and consumer apps, leaving personal information unprotected. State-level privacy laws attempt to fill the gap but have created a fragmented regulatory landscape. Witnesses called for a single, comprehensive federal privacy framework to ensure consistency, reduce compliance burdens, and strengthen data security.

MEMBER OPENING STATEMENTS

  • Chair Cassidy (R-LA) highlighted how modern technology has dramatically improved patient care, citing the shift from exploratory surgeries to advanced diagnostics like CT scans. He emphasized that while the federal government has invested heavily in technology like electronic health records and AI, cybersecurity threats pose serious risks. Cassidy referenced the Change Healthcare breach, which affected over 190 million Americans, delayed care and billing, and threatened provider solvency. He advocated for bipartisan legislation to improve cybersecurity resiliency, modernize HIPAA to address non-covered data like wearables, and protect Americans from foreign data misuse.

  • Ranking Member Sanders (I-VT) criticized the focus of the hearing, arguing that the pressing issue is not cybersecurity but the devastating effects of the recently passed reconciliation bill, which he said slashes Medicaid and the ACA to fund tax cuts for billionaires. He warned that the legislation would result in 17 million people losing insurance and an estimated 50,000 unnecessary deaths per year. Sanders outlined how rural hospitals, nursing homes, and community health centers will face closures or severe cutbacks, particularly in underserved areas. He argued that the bill amounts to a “death sentence” for low-income Americans and urged the committee to confront this more urgent crisis.

WITNESS OPENING STATEMENTS

  • Mr. Garcia described escalating cyber threats that compromise patient care, insurance data, and pharmaceutical operations. He emphasized that the health sector lacks sufficient support without government collaboration, especially after the cancellation of the CPAC framework. Garcia criticized the proposed HIPAA Security Rule update as vague and burdensome and called for reauthorization of the Cybersecurity Information Sharing Act.

  • Mr. Quashie highlighted how AI and digital tools are revolutionizing healthcare but warned that adoption hinges on trust in data privacy. He noted that HIPAA doesn't cover many modern health apps, creating regulatory gaps and consumer confusion. Quashie called for a comprehensive, innovation-friendly federal privacy law to replace the fragmented state-by-state approach.

  • Ms. Stevenson explained that rural hospitals face rising cyber threats but lack funding and staff to defend against them. She said most rural facilities operate at a loss and cannot afford full-time cybersecurity leaders or costly vendor evaluations. Stevenson asked Congress to streamline regulations, support vetted vendor lists, and shift away from punitive approaches toward empowering healthcare providers.

  • Mr. Weissman stated that cybersecurity risks are growing due to corporate concentration, underinvestment, and regulatory rollbacks. He warned that recent Medicaid cuts will worsen hospitals' cybersecurity readiness and reduce access to care. He criticized big tech efforts to evade accountability and argued for systemic reforms like ending drug price gouging and privatized Medicare. Weissman concluded that Medicare for All would lower costs, protect data, and expand care more effectively than current policies.

  • Dr. Galvani presented research showing that the reconciliation bill could lead to over 51,000 unnecessary deaths annually due to insurance loss. She estimated that chronic conditions like diabetes and hypertension will go untreated, reducing quality of life and increasing hospital strain. Galvani explained that Medicaid reporting rules often cost more than they save and lead to harmful coverage losses. She argued that a single-payer system would save lives and money while improving cybersecurity through data consolidation.

QUESTION AND ANSWER SUMMARY

  • Sen. Husted (R-OH) submitted a letter from Ohio rural hospitals supporting the recent legislation, stating it increased their reimbursements to 115% of Medicare rates. He asked how rural hospitals could build cybersecurity talent, citing Ohio’s use of career centers and cyber militias. Ms. Stevenson responded that her hospital actively partners with local educational institutions to cultivate talent and suggested reviving federal training initiatives similar to those used during the Meaningful Use era.

    Sen. Husted also inquired about proposals for a vetted list of third-party vendors. Ms. Stevenson explained that such a list would reduce redundant vendor security assessments and recommended organizations like CISA or Health-ISAC as potential stewards.

  • Ranking Member Sanders asked how it was estimated that 51,000 annual deaths would result from the reconciliation bill. Dr. Galvani explained the methodology, based on loss of coverage and increased mortality among uninsured individuals. Mr. Weissman added that the legislation would devastate rural hospitals, eliminating essential services and community infrastructure.

    Ranking Member Sanders also raised concerns about nursing homes, citing closures and staff reductions from reduced Medicaid funding. Mr. Weissman confirmed that cuts to Medicaid would significantly harm nursing home residents and families.

  • Chair Cassidy redirected focus to cybersecurity, asking whether a “seal of approval” for third-party vendors could be created to help providers. Mr. Garcia acknowledged the challenge but suggested a model like FedRAMP could work if supported by industry and government. Mr. Quashie noted CTA already operates a Cyber Trust Mark, although it hasn’t yet been applied to healthcare.

    Chair Cassidy criticized the patchwork of privacy laws and asked whether a unified federal standard should replace overlapping state laws. Mr. Garcia and Mr. Quashie agreed, emphasizing a new federal law with strong enforcement but without a private right of action.

    Chair Cassidy asked if anyone objected to extending HIPAA-like protections to wearable data; Mr. Quashie agreed on stronger protections but preferred a new law tailored to modern data realities rather than extending HIPAA directly.

  • Sen. Hassan (D-NH) warned that the reconciliation bill’s Medicaid and ACA cuts would severely harm rural hospitals, where 80% of patients rely on public insurance. Ms. Stevenson said these cuts could force staffing reductions and service closures.

    Sen. Hassan then asked how to improve accountability after the Change Healthcare breach. Mr. Garcia explained that his council is working to identify and manage risks from critical third-party vendors.

    Sen. Hassan discussed federal support during breaches, with Ms. Stevenson recommending flexibility on reporting, claim deadlines, emergency funding, and reduced liability to ease recovery for small hospitals.

  • Sen. Hawley (R-MO) asked what lessons from the Volt Typhoon attack could apply to rural hospitals. Mr. Garcia emphasized that small providers cannot defend against nation-state cyberattacks and need workforce support and funding. He recommended tying CMS reimbursement to cybersecurity best practices and leveraging National Guard cyber units. Mr. Weissman added that large corporations like UnitedHealth must be held accountable and that litigation and stronger standards are necessary to drive private-sector investment in cybersecurity.

  • Sen. Hickenlooper (D-CO) asked how federal data-sharing standards could build on Colorado’s cybersecurity training programs. Ms. Stevenson supported standardization but warned that some proposed HIPAA updates would overburden rural providers.

    Sen. Hickenlooper then asked how to protect data from wearable devices not covered by HIPAA. Mr. Quashie called for a preemptive federal privacy law with centralized enforcement, arguing that state-by-state frameworks are unsustainable in a digital economy.