We Can’t Wait for Washington to Act on Healthcare Cybersecurity

by Aimee Cardwell, CISO in Residence at Transcend 10/02/2025 Leave a Comment


Over the past few years, I’ve watched as the number of ransomware attacks on healthcare organizations across America has continued to trend upwards – undermining patient care and exposing millions of medical records. 

Since January alone: a cybercriminal copied the sensitive data of 5 million patients through IT vendor Episource; a hacker breached Connecticut Community Health Center’s systems, accessing the medical records of 1 million patients; and a ransomware attack on Maryland’s Frederick Health affected over 900,000 records, disrupting IT systems and forcing a nearby hospital to take on more patients. 

The common thread? Healthcare organizations’ cybersecurity investments are perfectly adequate – until the moment attackers prove otherwise. 

With the proposed Healthcare Cybersecurity Act, Congress has recognized the truth healthcare security executives have known for years: our infrastructure is outdated, and patient data protection is not the #1 priority of any company. The bill calls for HHS and CISA to collaborate on a coordinated federal response to healthcare cybersecurity. It’s a good start, and we should pass it. But even if it passes (and that’s a big if – similar bills failed in 2022 and 2024), having a bulletproof federal cybersecurity strategy in place isn’t a panacea. 

The reality is that we cannot afford to wait for Washington to solve this problem. The proposed timelines are sluggish. Reports are due in 120 days; the Risk Management plan must be “updated” within a year. Meanwhile, healthcare organizations face daily cyberattacks and patients don’t have the luxury of waiting this long for good data protection.  

The infrastructure crisis hiding in plain sight 

Having worked inside the biggest financial and healthcare organizations in the country, from CIO at Optum to CISO at UnitedHealth Group and VP of Engineering at American Express, I know that most organizations wouldn’t be able to implement a new cybersecurity strategy overnight. 

The reason isn’t a lack of policy or will, but decades of siloed systems, fragmented integrations, and org charts that haven’t evolved with the risks. 

One of the most basic questions a security leader should be able to answer is: “Where is the patient’s data?” In most healthcare organizations, that answer is unclear at best. For companies that regularly acquire other companies (common in healthcare), the problem is multiplied with each acquisition. Most larger companies have no idea where patient data might be sitting, or if they do, it’s spread across dozens or hundreds of different systems. For example, an enterprise might have dozens of separate Electronic Health Record (EHR) instances managed by different teams under different contracts, forcing cross-team firefighting for even modest tasks like building a data inventory or responding to a privacy request.

Trying to integrate proactive threat intelligence on top of that unmanageable haystack of patient data only makes things more complicated. And throwing more tools at it to chase the regulatory obligations sometimes makes the picture more complex.

The bottom line: Companies are struggling to protect data that isn’t consistently stored, mapped and protected, and they are at risk of falling out of compliance with HIPAA, GDPR, and other emerging health data regulations.

Prevention works, but it requires organizational will 

Real change has to start inside the enterprise, not in Congress. Healthcare organizations must first recognize their risks have roots in weak data visibility, and invest in modern, technical data infrastructure to mitigate this risk. 

They must also stop treating security, privacy and engineering as separate domains when their underlying challenges are often the same. In my experience, the most secure organizations operate with tight alignment between these teams, because they recognize many of their problems are identical. 

Privacy leaders say, “We can’t honor data rights unless we know where the data is.” Security teams say, “We can’t defend what we can’t find.” Engineering teams say, “We can’t solve your problem, unless we know where it started and can trace the data usage.” These teams don’t need more tools – they need shared infrastructure that integrates across data sources and breaks down organizational silos. Tools and teams need to work across systems, not around them. 

Unfortunately, most healthcare organizations treat cybersecurity as a quarterly overhead line rather than an existential challenge that requires significant infrastructure investment, despite evidence that this approach repeatedly fails under pressure. 

We can’t afford to wait for Congress

Healthcare leaders must start treating cybersecurity as a critical function that directly impacts patient care. That means auditing systems to understand where patient data actually lives, replacing duct-taped legacy tooling with modern architecture, and investing in automation where it matters most. It’s a huge undertaking, but the cost of inaction is severe.  

For businesses, there are lawsuits, lost revenue and negative press. For patients, there are anxiety-inducing risks of privacy loss—and compromised data can lead to delayed treatments and poorer patient outcomes, eroded public trust and increased operational costs that are ultimately passed down to patients. 

Despite America’s healthcare system accounting for $4.9 trillion in spending (as of 2023), a 2025 HIMSS survey of nearly 300 healthcare cybersecurity professionals found that 20% of respondents had no specific cybersecurity carveout within their IT budgets. Comprehensive cybersecurity is only achievable if it’s a priority.

Yes, Congress should pass the Healthcare Cybersecurity Act. And if they really wanted to spur action, they’d start rating healthcare companies on their cybersecurity and privacy practices, and making those ratings public so consumers and employers could choose which healthcare companies to do business with based on their scores. Because policies won’t patch cloud vulnerabilities or stop ransomware. That requires giving security and privacy teams the tools and authority to operationalize data protections at scale. Washington may set the rules, but it’s up to healthcare organizations to protect their patients—and patients shouldn’t have to wait to feel like their data is safe.


About Aimee Cardwell, CISO in Residence, Transcend

Aimee Cardwell is a cybersecurity and technology leader with deep expertise across security, engineering, and compliance. She has held executive roles including CISO at UnitedHealth Group, CIO of Optum Financial Services, and VP of Engineering at American Express. Today, she serves as CISO in Residence at Transcend, where she’s helping companies reimagine how they unify compliance, security, and AI-readiness. 

Tagged With: Cybersecurity
