This week, Hacking Healthcare begins by breaking down cybersecurity and privacy legislation developments in the United States’ 118th Congress. Specifically, we look at the recent efforts to revive federal data privacy legislation, healthcare cybersecurity funding, and what we know so far about impending healthcare cybersecurity legislation. Next, we examine how the European Commission’s agenda to revise enforcement of the General Data Protection Regulation (GDPR) could impact the healthcare sector.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

PDF Version:

TLP WHITE - 3.2.2023 -- Hacking Healthcare


Text Version:


Welcome back to Hacking Healthcare.

Legislation Begins to Take Shape with 118th Congress 

After weeks of administrative procedures, party organization, and agenda setting, the United States’ two-year legislative cycle has begun to shift toward regular legislative business. While it is still early days, Health-ISAC members can read about some of the issues staked out by congressional representatives that could have a significant impact on healthcare sector cybersecurity.


Action & Analysis
**Included with Health-ISAC Membership** 


European Commission Eyes GDPR Enforcement 

Years of criticism over how big technology companies like Meta, Google, and Microsoft have gotten off easy when it comes to GDPR enforcement seem to have pushed the European Union into action. Between signaling it is interested in taking a more active oversight role, and the expectation of new GDPR-related regulations in Q2 of 2023, the European Union appears to have an eye on reinforcing its landmark data protection legislation. Depending on how the EU goes about it, there could be notable impacts on the healthcare sector.

At the center of this issue is dissatisfaction among some EU member states over how the Irish entity in charge of GDPR enforcement, the Data Protection Commission (DPC), has handled GDPR cases involving Big Tech. Because many of the Big Tech companies have their EU establishment in Ireland, the Irish DPC acts as lead supervisory authority under the GDPR’s “one-stop-shop” mechanism and therefore leads enforcement actions even when the potential violations affect data subjects outside Ireland’s borders. After years of such criticism, the European Commission appears ready to try to do something about it.

First, the European Commission has signaled its intent to receive more regular and detailed reports on the status of “large-scale cross-border investigations” that are carried out by all national supervisory data protection authorities.[vii] Second, the commission has signaled its intent to issue new GDPR-related regulations in Q2 of 2023.[viii] The Commission has suggested that the new regulation will touch on:[ix]

– Clarifying procedural steps in handling GDPR cases;
– Harmonizing administrative procedures in cross-border cases; and
– Smoothing the functioning of GDPR cooperation and dispute resolution mechanisms.


Action & Analysis
**Included with Health-ISAC Membership**



Tuesday, February 28th:

– No relevant hearings


Wednesday, March 1st:

– House of Representatives: Committee on Energy and Commerce – Hearing: Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy


Thursday, March 2nd:

– No relevant hearings


International Hearings/Meetings

– No relevant meetings
