
Health Care Is Getting a Cybersecurity Upgrade—Other Sectors Should Too
Cyber attacks on critical infrastructure are growing as adversaries increasingly target the digital systems that power essential services. Recognizing these risks, the Senate Health, Education, and Labor Committee advanced the Health Care Cybersecurity and Resiliency Act (S.3315) last month, marking an important step toward strengthening cybersecurity in one of America’s most critical sectors. Congress should pass the bill and replicate its sector‑specific approach across other critical infrastructure sectors to ensure organizations have the resources and guidance needed to defend against cyber threats and keep essential services running.
Health-care systems face increasing attacks from cyber criminals, ransomware gangs, and state‑sponsored actors. As hospitals and medical facilities digitize patient records, billing systems, and supply chains, their reliance on interconnected systems increases, and when cybersecurity investments fail to keep pace with that digital growth, health-care facilities’ exposure to cyber threats grows.
Recent incidents illustrate the scale of this challenge. The 2024 ransomware attack on Change Healthcare—a health-care technology provider—disrupted claims processing nationwide, compromised 193 million individuals’ medical data, and forced Change Healthcare to pay a $22 million ransom. More recently, in February 2026, the University of Mississippi Medical Center suffered a ransomware incident that forced seven hospitals and 35 clinics across the state to shut down while it restored operations.
The Health Care Cybersecurity and Resiliency Act responds to these risks by creating a structured grant program within the Department of Health and Human Services (HHS) to strengthen cybersecurity across the health sector. The program supports baseline cyber defenses, modernization of legacy systems, and workforce development, prioritizing rural and under‑resourced facilities that often lack the financial capacity to hire cybersecurity staff, deploy advanced tools, or modernize legacy systems. The Act also directs HHS to work closely with the Cybersecurity and Infrastructure Security Agency (CISA) to provide sector oversight and develop cybersecurity guidance tailored to rural providers, ensuring that threat intelligence, best practices, and cyber awareness reach these facilities.
This legislation represents meaningful progress and should also serve as a model for other critical infrastructure sectors. Comparable support exists for energy and education organizations, which face similar challenges—aging systems, limited budgets, and escalating cyber threats—but these are only three of the 16 critical infrastructure sectors in the United States.
The Rural and Municipal Utility Cybersecurity Act (H.R.7266) renews legislation that was originally passed in 2021 under the Infrastructure and Jobs Act and expires at the end of fiscal year 2026. It aims to strengthen cybersecurity for small electric cooperatives and municipal utilities that power millions of rural homes but often operate with minimal cybersecurity staff. The original bill established a Department of Energy (DOE) program that provides advanced cybersecurity tools, technical assistance, and grant funding to help utilities protect, detect, respond to, and recover from cyber threats.
Likewise, the Federal Communications Commission’s (FCC) Schools and Libraries Cybersecurity Pilot Program invests in protecting school districts from ransomware and data breaches. The program provides up to three years of support from a $200 million fund to reimburse approved districts for advanced cybersecurity tools. However, the program is temporary and ends in 2028.
Moreover, because the pilot stretches the traditional boundaries of the E‑rate statute, which funds broadband access for schools and libraries, not cybersecurity, it faces legal risks that could leave schools and libraries without support after they make long‑term cybersecurity commitments. To avoid this uncertainty and ensure continuity of protection for students and public institutions, Congress should cement and authorize this program by amending its authorization of the E-rate program to explicitly include cybersecurity, as providing broadband access without adequate security leaves schools and libraries vulnerable.
Congress should renew and revamp these efforts, as well as those targeting other sectors that have already expired, such as the Chemical Facility Anti-Terrorism Standards (CFATS) program, which mandated strict cybersecurity standards for high-risk chemical facilities, and advance new measures like the Futureproofing Local Operations for Water Systems (FLOWS) Act, which would fund cybersecurity and modernization support for small and rural water systems. Other critical sectors—including emergency services, manufacturing, agriculture, and commercial facilities—could benefit from sector‑specific guidance, incentives, and support programs to boost cybersecurity practices.
CISA provides voluntary recommendations, risk frameworks, and technical guidance that any sector can use, and the State and Local Cybersecurity Grant Program (SLCGP) provides funding for state and local cyber measures as a whole. However, these broad mechanisms cannot provide the level of sustained, sector-specific investment needed to address each sector’s unique technologies and threat profiles. The SLCGP also faces uncertainty, as it depends on reauthorization and has experienced fluctuating funding levels that limit long‑term planning.
These gaps highlight the importance of sector‑specific legislation—such as the bills supporting health care, education, water and waste management, and energy—not simply to increase funding, but to ensure that resources are tailored to each sector's distinct technologies, regulatory obligations, and threat environments. Operational realities vary widely between sectors, and sector‑specific legislation can address these nuances directly, ensuring funding and technical assistance align with real‑world needs rather than issuing generic requirements alone.
The Health Care Cybersecurity and Resiliency Act offers a strong blueprint for critical infrastructure sectors by pairing sector‑specific standards with targeted grants. Yet every critical infrastructure sector also needs dedicated funding, technical assistance, and workforce development tailored to its unique risks, and reinforcing this model beyond health care is central to a stronger national cybersecurity approach.
