As Congress Examines Escalating Cyber Threats to U.S. Patients, New HLC Report Calls for Joint Public-Private Defense

Report aims to “spark substantive dialogue and drive the public-private coordination that’s urgently needed”

As life-threatening and financially crippling cyberattacks increase, a new report from the Healthcare Leadership Council (HLC)—an association of CEOs and C-suite executives from all sectors of healthcare—and HLC’s Confidentiality Coalition proposes a collaborative public-private framework to safeguard the healthcare system. Co-authored by Manatt, Phelps & Phillips, LLP, a multidisciplinary, integrated professional services firm, this report outlines private sector commitments and proposes public sector actions to improve our nation’s healthcare cybersecurity infrastructure.

“Hackers are increasingly putting lives at risk. Cyberattacks and resulting data breaches have caused nationwide harm to our health system, and when access to care is compromised, patients are vulnerable,” said Maria Ghazal, HLC President and CEO. “With 92 percent of healthcare organizations experiencing a cyberattack last year, this report is intended to spark substantive dialogue and drive the public-private coordination that’s urgently needed.”

The report, which is being sent to leaders on Capitol Hill, highlights opportunities to build on existing actions many leading healthcare organizations are already deploying to protect our nation’s critical infrastructure through the stages of prevention, response, and recovery. Additionally, it urges the public sector to recognize current industry standards and provide incentives and assistance to strengthen our collective cyber defenses.

Private sector commitments include:

PREVENTION:

  • Maintain an Information Security Program based on an Established Industry Framework
  • Conduct Regular Risk Assessments based on an Established Industry Framework
  • Implement an Incident Response Plan based on an Established Industry Framework

RESPONSE:

  • Investigate and Report Breaches in a Timely Manner
  • Promptly Restore Critical and Essential Systems

RECOVERY:

  • Update Stakeholders
  • Reconnect Efficiently with Trusted Partners
  • Embed Lessons Learned in Security Planning

Public sector recommendations include:

PREVENTION:

  • Promote Law Enforcement and Information-Sharing as International Priorities
  • Bolster Public-Private Collaboration over Cybersecurity Prevention Measures
  • Enhance Public-Private Information-Sharing

RESPONSE:

  • Harmonize Breach Reporting Requirements
  • Improve Real-Time Information-Sharing

RECOVERY:

  • Streamline Recovery Approvals
  • Mitigate Liability and Reward Responsible Action
  • Fund and Incentivize Cybersecurity Improvements

The release of the report is part of an ongoing effort by HLC and the Confidentiality Coalition to spur public sector action on healthcare cybersecurity. In May, the groups hosted a briefing on Capitol Hill where experts from HLC and Coalition member companies shared real-world experiences and outlined where best practices could be improved through cooperation. The release also coincides with efforts by the Senate Committee on Health, Education, Labor, and Pensions focused on enhancing cybersecurity and protecting Americans’ privacy.

“Cybersecurity is fundamentally a patient safety issue,” said Rishi Tripathi, MBA, CISSP, Senior Vice President, Chief Information Security Officer & Chief Technology Officer, Mount Sinai Health System. “While healthcare organizations are doing their part—investing in innovative, robust security measures to protect patients and systems—attacks are growing in frequency and sophistication. The public and private sectors must align with meaningful incentives and strategic collaboration to enhance protections for patients.”

“Healthcare companies and public sector entities have a simple shared responsibility—to make sure cyber threats do not compromise patient care,” said Ben Schwering, Chief Information Officer, Premier, Inc. “This report outlines how federal authorities and resources can be a force multiplier for hospitals and healthcare, moving us away from checklist compliance and toward meaningful security.”

“We’re pleased to contribute to this timely and important report, which underscores cybersecurity as a pillar of healthcare,” said Paul Luehr, a Privacy and Data Security Partner at Manatt, Phelps & Phillips, LLP. “Because cyberattacks and regulatory demands continue to grow, we need new public-private collaborations working on practical and creative solutions, like those offered in the report, to protect patient safety.”

The complete report can be found here.

Published July 9, 2025