Experts warn of Medicaid cuts’ ripple effect on healthcare cybersecurity
On Wednesday’s Senate hearing meant to tackle the growing threat of ransomware and data breaches in U.S. healthcare, the conversation repeatedly swerved to the far-reaching health-care cuts Congress approved last week, exposing a widening partisan rift over how best to safeguard both hospital networks and the patients who rely on them.
“This hearing is about cybersecurity,” declared Sen. Bill Cassidy (R-LA), the committee chairman, as he brought the session to order. Seconds later, Sen. Bernie Sanders (I-VT) shot back, “This hearing is about health care in America, and I hope the witnesses will tell us the truth about what’s going on today.”
But the healthcare experts testifying before the Committee found it difficult to separate the impending loss of revenue from sweeping Medicaid cuts from American hospitals’ ability to maintain robust and resilient cybersecurity, especially without federal support.
“When people lose coverage, they are more likely to delay care until conditions become acute, harder to treat, and more expensive – often resulting in emergency room visits that strain hospital capacity,” Alison Galvani, PhD, Director of the Center for Infectious Disease Modeling and Analysis (CIDMA), told the Committee. “More families will face crushing medical debt and diminished ability to remain in the workforce due to unmanaged illness. Meanwhile, healthcare providers – especially in rural areas that disproportionately rely on Medicaid – are left absorbing uncompensated care.”
Linda Stevenson, CIO at a rural hospital in Norwalk, Ohio, shared that in 2024 alone, 80% of the patients at her hospital had either Medicaid or Medicare insurance.
“Most of us can’t even afford a full-time cybersecurity leader,” she added, sharing that half of rural hospitals operated at a loss last year, a 16% increase from the year before.
When attacks succeed, and they increasingly do, the consequences ripple far beyond IT systems. “A catastrophic cyber attack can bring a hospital down for weeks or even months,” Stevenson warned. “If we’re forced to divert patients, the three nearest hospitals are about an hour away, and in a community like ours, this can have a devastating and potentially life-threatening impact on patient care.”
Yet rather than receiving support as victims of sophisticated criminal enterprises, hospitals often face punishment from regulators. “Healthcare providers are too often punished, rather than being treated as victims,” Stevenson testified. “Every day, we are on the front lines fending off increasingly complex and relentless intrusion attempts.”
Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council, echoed this frustration while painting a broader picture of federal abandonment. His organization, which represents more than 460 healthcare stakeholders, had been collaborating with government through an advisory framework, the Critical Infrastructure Partnership Advisory Council (CIPAC), which “was canceled earlier this year for reasons that are puzzling to us,” under one of the many executive orders President Trump signed earlier this year.
“This leaves the government out of the discussions that can help us collectively counter the adversary,” Garcia told the committee, describing how private sector defenders are increasingly isolated from federal cybersecurity efforts just as threats intensify.
The disconnect extends to expired authorities that industry leaders say are critical for information sharing. Garcia urged Congress to reauthorize the Cybersecurity Information Sharing Act of 2015, which expires in September and “supports industry’s ability to voluntarily share sensitive information, threat and vulnerability information, with the government without fear of regulatory jeopardy or public disclosure.”
The regulatory burden itself has become part of the problem. René Quashie of the Consumer Technology Association highlighted how “20 states have privacy laws for businesses, especially small businesses and startups,” creating a compliance nightmare that “stifles innovation and creates unnecessary barriers to entry.” For rural hospitals already struggling with staffing, this patchwork of overlapping requirements becomes insurmountable.
“The impact of complying with multiple overlapping and burdensome health care mandates can be debilitating for a real healthcare organization,” Stevenson testified. “We must meet the same standards as all of the larger organizations, but lack the staff and the infrastructure to do that efficiently.”
The hearing revealed particular frustration with third-party vendor management, where rural hospitals must independently vet hundreds of technology partners. “Managing the security of hundreds of external partners is resource intensive for all hospitals, but especially for rural healthcare providers,” Stevenson said, calling for federal certification programs similar to FedRAMP that would create “an approved list of vendor products that have already been vetted.”
Garcia supported this approach, noting that cyber vulnerabilities in third-party providers “are implicated in 50% of data breaches and cyber attacks on health care,” yet these crucial partners “are not regulated” despite connecting directly to patient data systems.
The policy solutions witnesses outlined require exactly the kind of federal investment and coordination that recent budget cuts make less likely. Sen. Sanders noted estimates that “more than 300 rural hospitals are now at risk of closing down altogether or substantially reducing their services” as a result of the reconciliation bill, while witnesses called for increased federal funding for cybersecurity workforce development and direct financial support for security upgrades.
Robert Weissman from Public Citizen connected these dots explicitly, warning that Medicaid cuts “will put pressure on rural and other institutions who do not have excess capacity to deal with cybersecurity” at precisely the moment when sophisticated nation-state actors and criminal groups are intensifying their attacks on healthcare infrastructure.
Sen. Hawley (R-MO) noted, “More than 40% of the hospitals in Missouri, my state, are rural hospitals, and about half of those are critical access hospitals… They simply don’t have the personnel or the budget to deal with it.” Yet federal policy continues moving in the opposite direction from the support these facilities desperately need.
Quashie called for a federal regulatory framework “without a private right of action” to make things easier for medical device makers who currently have to manage disparate cybersecurity requirements by state. Stevenson asked for federal cybersecurity laws with the hope of taking the burden of vetting and enforcing cyber standards off of smaller and rural hospitals.
Garcia called for federal incentives to bolster the cybersecurity workforce and funding for rural hospitals to implement cybersecurity best practices.
Others called for even more federal support.
“The ‘Future of Care’ in America is far less secure than it was before the reconciliation bill was passed. But it wasn’t secure before reconciliation, either. Medicare for All offers the best path to genuine health security for America,” Weissman said.
“A unified system also offers advantages for privacy and cybersecurity. The current fragmented landscape – spread across hundreds of insurers and vendors – creates widespread vulnerabilities,” Galvani said. “A single-payer system would enable centralized governance, standardized protections, and accelerate threat response. Countries with national health systems show that integrated infrastructure can better safeguard patient data.”