The ongoing federal government shutdown is putting healthcare cybersecurity at serious risk, experts warn. As key agencies like the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) operate with reduced staff, hospitals and healthcare providers are becoming increasingly vulnerable to cyber threats.
According to cybersecurity experts, the longer the shutdown continues, the greater the danger of ransomware attacks, delayed cyber alerts, and disrupted HIPAA investigations — all of which could endanger patient safety and the healthcare system’s ability to deliver life-saving services.
Federal Shutdown Weakens Cyber Defenses
The HHS Office for Civil Rights (OCR), responsible for enforcing HIPAA, is still conducting investigations during the shutdown. However, experts caution that staff shortages will cause backlogs and slow the resolution of cases.
Privacy attorney Adam Greene from Davis Wright Tremaine noted that the shutdown “will delay the resolution of investigations or audits,” and will likely push back the timeline for key rulemaking initiatives.
HHS had originally planned to finalize proposed changes to the HIPAA Privacy and Security Rules in 2026. Greene predicts that these timelines will now be further delayed, impacting healthcare providers and business associates awaiting updated compliance guidance.
HIPAA Enforcement and Rulemaking on Hold
Errol Weiss, Chief Security Officer at the Health Information Sharing and Analysis Center (Health-ISAC), warned that adversaries could exploit the shutdown to launch “high-impact cyber incidents causing prolonged disruptions in the health sector.”
“When there’s a disruption like this, human lives are at stake,” Weiss said. “Health-ISAC has been tracking ransomware incidents since 2020, and for 2025, we expect a record-breaking number of ransomware attacks.”
Earlier workforce reductions at HHS and CISA have already stretched cybersecurity resources thin. Now, with a significant portion of employees furloughed, the shutdown is further crippling coordination and response capabilities.
HHS confirmed that about 41% of its workforce is furloughed. Only staff deemed “mission critical” — those essential to human safety or property protection — remain active. While emergency breach response and HIPAA investigations continue, other essential cybersecurity and compliance activities are delayed.
Critical Cybersecurity Work Stalls
According to HHS’s contingency plan, only roles directly tied to life and property protection remain active. Jackie Mattingly, Senior Director of Consulting at Clearwater and a former healthcare CISO, explained:
“Urgent, life-and-death work continues — like responding to major breaches that directly threaten patient care — but other important areas slow down or pause. That includes long-term HIPAA audits, lower-priority investigations, and proactive cybersecurity projects.”
This selective staffing means that proactive cybersecurity measures, such as training, threat analysis, and interagency coordination, are largely frozen. As a result, healthcare providers may not receive timely guidance or support when new vulnerabilities emerge.
CISA’s Reduced Role Amplifies Risk
Beyond HHS, the Cybersecurity and Infrastructure Security Agency (CISA) — a vital resource for the healthcare sector — has also been hit hard. Of its 2,540 employees, only about 35% remain active during the shutdown.
CISA typically provides critical alerts, vulnerability updates, and defense recommendations for healthcare systems. With limited staffing, these services are delayed or reduced.
Mattingly emphasized that this loss of “coordinated, trusted awareness” comes at the worst possible time.
“Just in the past few weeks, we’ve seen critical vulnerabilities in Cisco, SonicWall, and Citrix — technologies that hospitals rely on. CISA usually provides detailed indicators of compromise and detection rules that hospitals use to protect themselves. That support is now limited.”
CISA also plays a key role in safeguarding industrial control systems that manage power, HVAC, and other infrastructure essential to hospital operations. With its reduced capacity, healthcare organizations lose a vital early-warning system.
Smaller Healthcare Providers Face Heightened Threats
Smaller hospitals and clinics, which often depend on free federal cybersecurity services, are among the hardest hit. Weiss noted that these organizations typically rely on CISA’s Cyber Hygiene scanning service and other tools to monitor threats.
Without these federal supports, smaller healthcare providers face an elevated risk of ransomware attacks and data breaches. Many lack the budget and staff to fill the gap left by federal agencies.
Medical device manufacturers and health IT vendors are also impacted. They depend on federal guidance and vulnerability disclosures to ensure device and software security — and any delay in those updates increases the risk of exploitation.
Maintaining Situational Awareness Amid the Shutdown
Lee Kim, Senior Principal of Cybersecurity and Privacy at the Healthcare Information and Management Systems Society (HIMSS), emphasized that “situational awareness is everything in cybersecurity.”
She advises healthcare organizations to:
- Rely on Health-ISAC and other industry sharing networks for real-time intelligence.
- Partner closely with vendors and security partners for patch updates.
- Collaborate regionally with peers to share resources and best practices.
Health-ISAC continues to provide uninterrupted support to its members during the shutdown. “Our role becomes even more critical now,” said Weiss. “We’re ensuring that the healthcare sector maintains resilience even when federal coordination slows.”
Conclusion: Strengthening Cyber Resilience Together
The federal shutdown underscores just how dependent healthcare cybersecurity is on coordinated public and private sector collaboration. As government support slows, hospitals, clinics, and vendors must step up their vigilance.
Experts urge healthcare leaders to strengthen internal security measures, maintain communication with ISACs, and invest in proactive cybersecurity resilience.
As HIMSS’ Lee Kim puts it:
“Now is the time for us to work together as a community to strengthen our security postures and resilience. We need to be strong for our patients and the well-being of our nation.”
Uncertainty Fuels Anxiety Across the Sector
Beyond immediate cyber risks, the prolonged shutdown has created an atmosphere of anxiety among healthcare leaders.
Mari Savickis of the College of Healthcare Information Management Executives (CHIME) said that many members feel uneasy about the uncertain regulatory and cybersecurity landscape. “Our members use many of CISA’s free tools, but with limited federal staff, there’s a lot of uncertainty if something happens or urgent guidance is needed,” she explained.
Even after the shutdown ends, experts predict it will take time for agencies like HHS and CISA to fully resume operations. The ongoing question of whether the CISA Act of 2015 will be renewed adds another layer of concern for healthcare organizations relying on national cyber defense coordination.
Frequently Asked Questions
How does the government shutdown affect healthcare cybersecurity?
The shutdown delays threat intelligence sharing, HIPAA enforcement, and cybersecurity rulemaking, leaving healthcare organizations more vulnerable to cyberattacks.
Which agencies play key roles in healthcare cybersecurity?
The Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) are primary federal bodies that support healthcare cybersecurity initiatives.
What can healthcare organizations do to stay protected during the shutdown?
They should collaborate with Health-ISAC, stay in touch with vendors, monitor emerging vulnerabilities, and strengthen internal cybersecurity protocols.
Don’t Miss These Healthcare Reads 👇
Stay connected—follow us on social media for more!
