How federal staffing cuts, government restructuring, and Medicaid policy shifts threaten the cybersecurity posture of our healthcare system.
In a recent set of Questions for the Record (QFRs), Senator Edward Markey highlighted growing vulnerabilities in the cybersecurity infrastructure supporting the U.S. healthcare system. These questions, submitted to the Senate HELP Committee, signal urgent concern over how policy and staffing decisions affect healthcare’s resilience to growing cyber threats, especially in rural and under-resourced settings.
In this month’s CISO Brief, I’ll break down each question and offer real-world implications through the lens of cybersecurity leadership.
Question 1: What Do HHS Layoffs Really Cost?
How would the layoff of 20,000 HHS employees impact healthcare cybersecurity?
Response Summary:
- HHS acts as the Sector Risk Management Agency (SRMA) for the Healthcare and Public Health (HPH) Sector
- Sub-agencies such as HC3, ASPR, OCR, and the 405(d) Program are essential for:
- Threat intelligence sharing
- Incident coordination
- Compliance guidance
- Resilience planning
- Layoffs would:
- Disrupt threat intelligence pipelines
- Fragment federal incident response
- Increase vulnerability for critical access and rural hospitals
CISO Commentary:
Layoffs at this scale could effectively dismantle or at least disrupt federal support for cyber readiness across the HPH sector. Smaller hospitals are already struggling with minimal IT resources and depend on HHS for guidance, warnings, and response, resulting in a readiness failure waiting to happen, not just a bureaucratic setback.
Question 2: Has DOGE Made Us Less Safe?
Have the Department of Government Efficiency’s actions jeopardized government cybersecurity and public health?
Response Summary:
- Yes. The removal of experienced cyber leaders and the de-prioritization of interagency coordination under DOGE have eroded national preparedness.
- These shifts come as nation-state threat actors increase the volume and sophistication of their attacks.
- Without strong federal leadership, healthcare organizations are left isolated and exposed.
CISO Commentary:
Effective cybersecurity requires continuity of leadership, not volatility. DOGE’s actions send the wrong message at the wrong time, when attackers are coordinated and opportunistic, leaving us with fragmented defenses. Public-private partnerships need a strong federal anchor to succeed.
Question 3: Are Medicaid Cuts a Cybersecurity Issue?
Will Medicaid funding cuts increase cybersecurity risks for rural and resource-constrained providers?
Response Summary:
Yes, unequivocally. Many Medicaid-reliant hospitals already operate on razor-thin margins.
Funding cuts would:
- Delay or prevent critical technology upgrades
- Further reduce staffing for IT and cybersecurity roles
- Force short-term outsourcing, often at the expense of quality and oversight
A 2023 HHS report found that Medicaid-dependent hospitals are:
- Slower to recover from ransomware
- Less likely to have dedicated cybersecurity personnel
CISO Commentary:
Cybersecurity isn’t just a tech problem—it’s a resourcing problem. Without the people and tools to protect critical systems, patient care suffers. Funding cuts will only deepen the divide between well-resourced systems and those left to fend for themselves.
My Recommendation
My suggested path forward? Build a healthcare cyber safety net. Here is how:
- Establish a federally funded cybersecurity “safety net,” similar to emergency public health funds
- Guarantee minimum protections for all Medicaid-dependent and critical access hospitals, including:
- Multi-factor authentication
- Endpoint protection
- Incident response plans
CISO Commentary:
We must meet healthcare providers where they are today. A one-size-fits-all approach won’t work, but neither is letting them fend for themselves. Federal investment in a cybersecurity baseline is no longer optional; it’s a national risk mitigation strategy.
Final Insights: The Real Answer Is Leadership
Leadership—at every level—is the lever that shifts policy from risk to resilience. The time for action is now and we cannot wait for the uncertainty for DC to clear. The cyber threats are real, but so are the solutions. What’s missing isn’t technology; it’s coordinated leadership, sustained funding, and an unwavering commitment to protecting patient care and sustaining resilience.
Now is the time to act, not after the next breach hits the headlines.
