The Cybersecurity Reporting System That Healthcare Still Doesn’t Use

The federal government has built a voluntary cybersecurity reporting system for critical infrastructure sectors, including healthcare. It is robust, centralized, and designed to improve threat visibility across providers, payers, and vendors. But in practice, few organizations use it, and no one is required to.
This underutilized system, operated by the Health Sector Cybersecurity Coordination Center (HC3) and the Cybersecurity and Infrastructure Security Agency (CISA), represents a paradox. It is one of the most comprehensive tools available for sharing real-time cyber intelligence. Yet it remains optional, fragmented, and peripheral to most breach response workflows.
Voluntary Participation Limits Systemic Visibility
The HC3 platform allows organizations to report cyber incidents, suspicious activity, and indicators of compromise. CISA’s broader reporting framework extends across all sectors, encouraging information sharing to identify cross-industry threats. These tools are supported by threat analysts, technical bulletins, and coordination teams.
Despite this, reporting remains sparse. In 2024, fewer than 10 percent of large health systems submitted incident reports to HC3. Most health sector cyber incidents are disclosed only to OCR under HIPAA breach rules, which focus on patient notification rather than national threat detection.
Without consistent reporting, threat intelligence is incomplete. This prevents federal agencies from identifying attack patterns early, coordinating responses, or alerting others to similar vulnerabilities.
No Mandate, No Incentive, No Habit
One reason for the gap is regulatory inconsistency. HIPAA requires disclosure to affected individuals and OCR, but not to HC3 or CISA. This creates a parallel track where entities fulfill compliance obligations without contributing to shared cybersecurity defense.
Another barrier is operational inertia. In many health systems, cyber response processes are built around legal and public relations protocols, not intelligence sharing. Reporting to HC3 is not embedded in most incident response plans, and many staff are unfamiliar with its purpose or mechanisms.
There is also no direct incentive. Unlike regulatory compliance, participation in voluntary reporting offers no financial relief, liability protection, or reputational benefit. The return on investment is indirect, yielding better sector-wide defense but no guaranteed advantage for the reporting organization.
A Missed Opportunity for Collective Defense
As ransomware and supply chain attacks proliferate, the lack of centralized reporting weakens the entire healthcare sector. Threat actors reuse tactics, target similar vulnerabilities, and exploit gaps between siloed organizations. Voluntary reporting could help preempt these attacks by identifying patterns early.
Federal agencies have taken steps to encourage participation. CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) and the Joint Cyber Defense Collaborative (JCDC) to provide tailored alerts and shared resources. HC3 regularly publishes sector-specific threat briefings. But these efforts depend on incoming data.
Without broad participation, public-private coordination cannot scale. The lessons from aviation, finance, and energy, sectors with more mature threat-sharing practices, have yet to take hold in healthcare.
Steps Toward a More Functional Reporting Ecosystem
Improving healthcare’s cyber resilience will require a shift in both policy and culture:
- Federal regulators should explore phased mandates for high-risk entities to report to HC3 or CISA.
- Incentives such as liability protection, compliance credits, or grant prioritization could drive participation.
- Health systems should embed cyber intelligence sharing into their incident response playbooks.
- Technical assistance and training must be expanded to normalize reporting and lower barriers.
From Optional to Essential
The current framework treats voluntary reporting as a bonus. But in a sector as interconnected and high-risk as healthcare, shared defense cannot be optional. It must be operationalized.
Each unreported incident is a lost opportunity to prevent the next. Until threat visibility becomes a core part of cyber response, healthcare will remain reactive, isolated, and vulnerable by design.