Bridging a Critical Gap in Healthcare Cybersecurity Coordination
The Cybersecurity and Infrastructure Security Agency (CISA) has officially launched the Alliance of National Councils for Homeland Operational Resilience – Critical Infrastructure (ANCHOR-CI), a new framework designed to restore and strengthen information sharing between the federal government and critical infrastructure owners. This initiative fills a void created when the previous framework, the Critical Infrastructure Partnership Advisory Council (CIPAC), was eliminated in March 2025. For over a year, legal protections that had enabled candid discussions about cyber threats were absent, causing some critical infrastructure sectors, including healthcare, to halt the sharing of cybersecurity data with federal agencies. ANCHOR-CI reinstates those legal safeguards and introduces a more flexible structure intended to broaden participation across sectors.
Impact on Healthcare and Public Health Sector Security
The framework is particularly significant for the Healthcare and Public Health (HPH) sector. The HHS Office of Cybersecurity and Infrastructure Protection (CIP) will work directly with DHS and CISA to ensure healthcare priorities are represented. ANCHOR-CI establishes four council types: sector councils, cross-sector councils, industry councils, and regional coordinating councils. These bodies will recruit members from critical infrastructure owners, government agencies, cybersecurity organizations, and private sector entities. For hospital CISOs and health system security teams, this framework reopens a protected channel to share threat intelligence about attacks targeting medical devices, EHR systems, and clinical operations without fear of regulatory exposure. The cross-sector nature of the councils also enables healthcare organizations to collaborate with interdependent sectors like water and communications, which is critical when ransomware attacks simultaneously disrupt clinical care and utility services.
Key Structural Changes and Considerations for Healthcare Participants
While ANCHOR-CI retains protections for sensitive discussions under the Federal Advisory Committee Act exemption, one notable change is the removal of liability protections for participants that existed under CIPAC. Under the previous framework, executives could discuss incidents in group settings without antitrust or regulatory exposure. In ANCHOR-CI, CISA will approve proposed council members and may appoint additional participants, shifting from the previous model where private sector councils selected their own representatives. Governance will be managed by DHS and CISA, with the agency providing funding and administrative support. Healthcare organizations considering participation should evaluate how these structural changes affect their willingness to share sensitive information about breaches, vulnerabilities in medical devices, or gaps in clinical security posture. The two-year initial term may also influence long-term planning for hospital threat intelligence programs.
Source: Hipaajournal
