The Senate Health, Education, Labor, and Pensions (HELP) Committee recently held a hearing entitled “Securing the Future of Health Care: Enhancing Cybersecurity and Protecting Americans’ Privacy.” The discussion focused on the benefits of modern health technologies like artificial intelligence, electronic health records, wearables, and remote monitoring devices. The hearing also highlighted the growing risks of cyberattacks and data breaches in health care. Lawmakers and witnesses agreed that while these innovations can improve patient care and operational efficiency, they have significantly increased the number of potential vulnerabilities across the health care system.
Modernizing health data privacy laws
A major topic was the need to modernize health care privacy laws to address the large volume of data now generated outside traditional clinical settings. Senators discussed how HIPAA has successfully protected clinical data for decades but is struggling to keep pace with technological advances and the growth of consumer health products. Many expressed interest in either updating HIPAA or creating a separate federal privacy law to cover data from devices like wearables and other consumer-focused tools that fall outside HIPAA’s scope. There is concern that without federal action, states will continue to implement a patchwork of privacy laws. This will lead to inconsistent protections and operational challenges for health care organizations.
Proposed HIPAA Security Rule update
The Senate hearing also highlighted uncertainty around the proposed update to the HIPAA Security Rule. Witnesses voiced concern over the lack of clarity from the administration on whether the changes will move forward, be revised, or be delayed.
While advisors to HHS Secretary Robert F. Kennedy Jr. have said they are evaluating possible updates, no specific details have been released.
Earlier this year, the ACAAI Advocacy Council submitted a comment letter urging reconsideration of the proposal. The College expressed concern that the changes, while well-intentioned in response to rising cyberattacks like the Change Healthcare breach, would place a heavy financial and administrative burden on small and rural practices.
Loss of Critical Infrastructure Advisory Council
Several operational and regulatory challenges were raised during the hearing, including the termination of the Critical Infrastructure Partnership Advisory Council (CIPAC). This council had served as a key forum for government and health sector collaboration on cybersecurity policy before being abruptly ended in March 2025. Stakeholders worry that losing CIPAC has reduced opportunities for meaningful engagement with federal agencies on cybersecurity threats.
Cybersecurity Information Sharing Act expiration
Another significant issue is the potential expiration of the Cybersecurity Information Sharing Act of 2015, which is set to lapse on September 30 unless Congress acts. The law provides liability protections and a framework for health care entities to share cybersecurity threat information with the government and with one another. Witnesses stressed that letting this legislation expire could discourage the health sector from sharing vital threat intelligence with the necessary bodies.
Cybersecurity challenges facing rural and underserved hospitals
Financial pressures, particularly for rural and under-resourced hospitals, were also a major focus of the hearing. Witnesses highlighted that cybersecurity remains costly and that smaller hospitals often cannot recruit or retain IT and cybersecurity professionals. The shift toward remote work has further exacerbated hiring difficulties in this competitive field. Making matters more complicated, recent Medicaid cuts included in the One Big Beautiful Bill Act could further limit funds available for cybersecurity investments. Leaders from rural health systems testified that any funding cuts, including those from Medicaid, force hospitals to choose between patient care and critical cybersecurity upgrades. This could leave systems more vulnerable to cyberattacks.
Conclusion
The hearing reiterated that cybersecurity remains an urgent priority for the health sector, with significant implications for allergists. The potential update to the HIPAA Security Rule, possible new federal privacy legislation, funding challenges for cybersecurity investments, and ongoing threats from sophisticated cyberattacks are all critical issues to watch. Allergists should anticipate evolving regulatory requirements and prepare for continued scrutiny regarding how health data is protected both inside and outside traditional clinical settings.
