On March 9, 2026, Texas Governor Greg Abbott released a letter announcing that he had directed state health agencies and state-owned medical facilities to address possible cybersecurity risks linked to medical equipment made in China.
What happened
The directive entreats the Texas Health and Human Services Commission, the Department of State Health Services, and public university systems. Abbott’s letter tells those entities to review their cybersecurity and procurement policies to help protect Texans’ medical information and critical medical infrastructure.
Abbott framed the issue as both a privacy and national security concern, arguing that state-owned medical facilities must have safeguards in place to prevent foreign espionage and data breaches involving sensitive health information. The announcement also places the directive within a broader set of Texas actions aimed at hostile foreign adversaries.
In the know
The move follows notices issued earlier this year by the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration. Those notices described security vulnerabilities in Chinese-manufactured patient monitoring devices and warned that unauthorized actors could potentially access protected health information remotely.
Other 2025 incidents show why officials remain focused on Chinese cyber activity in the US. In January 2025, CISA warned that the PRC-linked Volt Typhoon campaign had prepositioned itself in U.S. infrastructure for potential disruptive attacks. In March 2025, the U.S. Department of Justice also announced charges against 12 Chinese contract hackers and law enforcement officers tied to a global hacking campaign, and separately charged 10 Chinese nationals in an i-Soon-linked operation that targeted victims including US entities and a state legislative body.
What was said
According to the letter, “These FDA and CISA notices underscore the need for state agencies and state-owned medical facilities to ensure they are continually operating safe and secure environments as even FDA-regulated devices can introduce operational and cybersecurity risks if they are not carefully assessed and monitored.”
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
FAQs
What is the power of the state HHS department?
The state HHS department generally has the power to administer public health and human services programs, regulate and license certain providers and facilities, and issue rules that implement state and federal law within its jurisdiction.
Does federal jurisdiction trump state level powers?
Federal jurisdiction does not erase state power, but when valid federal and state law directly conflict, federal law generally takes precedence under the Supremacy Clause.
Why are legacy systems a risk to healthcare organizations?
Legacy systems are a risk to healthcare organizations because older or unsupported technology often cannot receive modern security protections or updates.
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
.svg)
Mara Ellis
