
2026 Changes the Rules for Healthcare Cybersecurity

A conversation with Greg Garcia

For much of the past decade, healthcare cybersecurity has been defined by reaction. Breaches exposed after the fact. Ransomware incidents that shut down operations overnight. Emergency funding and crisis communications layered on top of systems never designed for the level of digital dependence healthcare now carries.


During Clearwater’s January Cyber Briefing, a fireside conversation between Greg Garcia, Executive Director of the Health Sector Coordinating Council, and Dave Bailey, Clearwater’s Vice President of Consulting Solutions and Strategy, made clear that the sector is entering a different phase.

Healthcare cybersecurity is no longer viewed solely as a technical problem or a compliance exercise. It is increasingly being treated as a matter of governance, public policy, and national resilience.

Garcia, who works closely with healthcare leaders, federal agencies, and policymakers to coordinate cybersecurity efforts across the sector, framed the moment, stating:

“Healthcare is critical infrastructure, but for a long time, we haven’t treated it that way from a cybersecurity standpoint.”

That gap, between healthcare’s essential role and the maturity of the systems protecting it, is now driving a shift in how risk is discussed at the highest levels of government and industry.

From breach response to resilience

Healthcare has always been an attractive target for cybercriminals. Patient data carries long-term value. Operational disruption creates immediate pressure. The tolerance for downtime is minimal.

What has changed, Garcia explained, is not just the frequency of attacks, but the scope of their impact.

Today’s healthcare ecosystem is deeply interconnected. Cloud platforms, shared service providers, electronic health record vendors, and third-party technology partners mean a single compromise rarely stays contained.

“Cyber risk in healthcare isn’t isolated anymore. A single incident can ripple across providers, vendors, and patients far beyond one organization.”

Bailey reinforced this reality from the field. Many healthcare organizations still assess risk as if it exists within fixed organizational boundaries. Attackers do not operate that way. They move across identities, integrations, and shared infrastructure faster than many organizations can detect or respond.

This growing mismatch between how risk is modeled internally and how it manifests operationally is shaping how policymakers and regulators view healthcare cyber incidents.

Why voluntary guidance is no longer enough

Healthcare is not short on cybersecurity frameworks or best practice guidance. For years, organizations have relied on voluntary standards to shape programs and demonstrate due diligence.

Garcia was direct about the limits of that approach.

“We don’t have a framework problem in healthcare. We have an adoption and execution problem.”

Voluntary guidance helped establish a baseline. It did not ensure consistency. Cybersecurity maturity still varies widely across the sector, particularly between large, well-resourced systems and smaller or rural providers operating with limited staff and budgets.

That disparity has become increasingly difficult for policymakers to overlook.

According to Garcia, the conversation is shifting away from whether organizations can point to a framework and toward whether cybersecurity practices are actually reducing risk in measurable ways.

This represents a move away from check-the-box compliance and toward demonstrable outcomes.

Risk analysis moves to the center

Throughout the conversation, one theme surfaced repeatedly as a foundation for progress: risk analysis.

Not as a static document produced periodically, but as a living capability that informs decisions across the organization. Garcia stated:

“Risk analysis has to be more than a compliance document. It has to inform decisions, priorities, and governance.”

Garcia emphasized that without a clear understanding of where sensitive data resides, which systems are most critical to patient care, and how third-party relationships expand exposure, neither healthcare leaders nor regulators can meaningfully manage cyber risk.

Bailey echoed this from his work with healthcare organizations navigating active threats and regulatory scrutiny. Too often, risk assessments capture a single moment in time while environments continue to change. New systems are deployed. Vendors are integrated. Clinical workflows evolve.

Meanwhile, attackers exploit vulnerabilities continuously.

The gap between documented risk and real-world exposure continues to widen.

Policy pressure is building

The conversation also reflected a broader policy reality. Healthcare cybersecurity has become a recurring focus on Capitol Hill and within federal agencies, particularly as ransomware incidents increasingly disrupt patient care and regional health services.

Lawmakers are asking harder questions about accountability, preparedness, and whether voluntary approaches are sufficient for a sector so closely tied to public safety.

Federal agencies are sending similar signals. Across regulatory bodies, the emphasis is shifting toward outcomes over intent.

Rather than asking whether organizations intend to follow best practices, regulators are increasingly focused on whether organizations can demonstrate how risks are identified, prioritized, and reduced over time.

This shift helps explain the growing scrutiny around governance, documentation quality, and risk management practices in healthcare.

Systemic risk, not individual failure

One of the most important reframes offered during the fireside chat was the move away from viewing cyber incidents as isolated organizational failures.

Garcia pointed instead to systemic risk. Concentrated data. Shared platforms. Common vendors. Interdependencies that allow a single vulnerability to affect hundreds of downstream organizations.

“This isn’t about blaming individual hospitals. It’s about understanding concentration risk and interdependencies.”

That framing changes the conversation. It moves the focus from punishment to preparedness, and from enforcement alone to coordination and resilience across the healthcare ecosystem.

Cybersecurity, in this context, becomes a shared responsibility among providers, vendors, policymakers, and regulators.

Looking ahead to 2026: where HSCC is focusing next

As healthcare cybersecurity moves further into the realm of public policy and national resilience, Garcia emphasized that the Health Sector Coordinating Council is increasingly focused on what comes after awareness.

The next phase, he explained, is about execution at scale.

In 2026, the Health Sector Coordinating Council is expected to continue prioritizing efforts that address systemic risk across the healthcare ecosystem rather than isolated organizational failures. That includes deeper attention to third-party dependencies, shared infrastructure, and the concentration of risk created by common vendors and platforms.

Another area of focus is governance. Garcia pointed to the growing expectation that cybersecurity decisions be elevated beyond technical teams and embedded into executive and board-level oversight. As regulatory scrutiny increases, organizations will be expected not only to manage cyber risk, but to demonstrate how leadership is informed, engaged, and accountable.

HSCC is also expected to maintain its emphasis on supporting under-resourced providers. Smaller hospitals, rural systems, and safety-net organizations continue to face disproportionate cyber risk with fewer tools and less staffing. Addressing that imbalance remains a central concern as policymakers look for ways to raise the security baseline across the sector without creating unrealistic mandates.

Finally, Garcia noted that future efforts will continue to focus on translating policy momentum into practical guidance that healthcare organizations can actually operationalize.

“The work ahead is about making this real,” he said. “Helping organizations understand what good looks like and how to get there in a way that reduces risk over time.”

Taken together, these priorities reflect a broader shift. Healthcare cybersecurity policy is moving away from one-time compliance exercises and toward sustained risk reduction, shared responsibility, and measurable progress.

What healthcare leaders should take away now

Garcia and Bailey did not promise easy solutions. Instead, they pointed to a realistic path forward grounded in execution, visibility, and accountability.

Several implications stand out for healthcare leaders navigating the current landscape:

Cybersecurity is now a governance issue, not just a technical one
Risk analysis must become continuous rather than episodic
Regulatory expectations are moving toward proof, not promises
Third-party and vendor risk must be treated as core operational risk

As Garcia summarized near the close of the discussion:

“The goal isn’t perfection, it’s progress and being able to demonstrate that you’re meaningfully reducing risk over time.”

For a sector balancing patient care, financial pressure, and accelerating digital dependence, that expectation is likely to define the next era of healthcare cybersecurity.

Moving from risk analysis to risk reduction requires more than documentation. Clearwater’s step-by-step one-pager shows how healthcare organizations can turn findings into action.

Read more: Effective Strategies for Risk Reduction in Healthcare | Clearwater White Paper
