
The Federal Push on Healthcare Cybersecurity: What Health-Sector Contractors Should Know

After the Change Healthcare attack, the federal government leaned hard into health-sector cyber. Here's what the effort means for contractors handling health data.

Brandon Hancock, J.D., CMMC-RP · Published June 10, 2024 · Updated June 8, 2026 · 6 min read

On June 10, 2024, the White House issued a fact sheet detailing a federal push to strengthen healthcare cybersecurity — released in the shadow of attacks that had paralyzed parts of the U.S. health system. For any contractor that handles health data or sells into the health sector, the direction of travel matters. (This summarizes a policy statement from the prior administration; treat the specific initiatives as historical context and confirm current program status.)

Why the Urgency

The numbers told the story. The fact sheet noted that cyberattacks against the U.S. healthcare system rose 128% from 2022 to 2023. Then, in February–March 2024, a major attack on a key payment system disrupted claims processing so severely that, by providers' accounts, roughly one in three U.S. health care claims were affected — choking payments to providers and, in some cases, forcing hospitals to redirect care. Health-sector cyber stopped being abstract.

What the Government Did

The effort emphasized public-private partnership, since much of the health system is privately owned. Key threads included:

  • An HHS healthcare cybersecurity gateway (launched January 2024) to centralize sector-specific cyber resources.
  • Voluntary Healthcare and Public Health Cybersecurity Performance Goals (CPGs) to help institutions prioritize high-impact practices.
  • Executive engagement — the White House convened CISOs and senior leaders from across care delivery, medical technology, and industry associations to improve threat-intelligence sharing and push secure-by-design adoption.

The throughline: start with voluntary performance goals and partnership, while signaling that mandatory requirements could follow for parts of the sector.

What This Means for Contractors

  • Health data raises the stakes. If you hold electronic protected health information (ePHI) under a federal contract, you likely sit at the intersection of HIPAA's Security Rule and federal frameworks like FISMA / NIST. See the Healthcare industry page.
  • "Voluntary" goals become benchmarks. CPGs have a way of hardening into expectations — in contract terms, in customer due diligence, and eventually in rules. Adopting them early is cheaper than retrofitting.
  • Sector momentum is bipartisan and durable. Related legislative efforts — like the Healthcare Cybersecurity Act — point the same way.

What to Do Now

  • Confirm your ePHI footprint and map HIPAA Security Rule duties against any federal-contract cyber requirements.
  • Benchmark against the Healthcare and Public Health (HPH) Cybersecurity Performance Goals, even where they are voluntary.
  • Prioritize resilience basics: offline backups, tested recovery, network segmentation, and an incident-response plan — the controls that blunt the attacks that hurt this sector most.

Key Takeaways

  • A 128% surge in healthcare attacks and the 2024 payment-system disruption drove a major federal cyber push.
  • The strategy mixed voluntary performance goals and partnership with the prospect of future requirements.
  • Health-sector contractors should align with HIPAA + federal frameworks and treat the CPGs as benchmarks now.

Dive into sector specifics on the Healthcare industry page, or confirm your obligations with Find My Requirements.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
