The Healthcare Cybersecurity Act of 2025 may address a significant issue in the healthcare industry.
Ransomware attacks delay diagnoses, cancel surgeries, and compromise patient safety. For healthcare leaders, cybersecurity is a top concern.
The Healthcare Cybersecurity Act of 2025 (H.R. 3841 / S. 1851) proposes a new support structure for providers. Sponsored by Representatives Jason Crow (D-Colo.) and Brian Fitzpatrick (R-Pa.), and Senators Jacky Rosen (D-Nev.) and Todd Young (R-Ind.), the bill focuses on coordination, training, and sector-wide resilience.
But here’s the point healthcare leaders need to hear: this legislation is the baseline, not the finish line. The bill offers support, not enforcement. That puts the responsibility back on providers to take the lead.
Here’s what the act means for healthcare professionals.
Key Takeaways: Healthcare Cybersecurity Act of 2025
- Cyberattacks on healthcare are accelerating fast. Between 2018 and 2022, reported breaches grew by 93%, with 626 incidents in 2022 alone affecting more than 42 million individuals. This surge highlights the urgent need for coordinated federal support.
- CISA will play a central support role in healthcare cybersecurity. The Healthcare Cybersecurity Act strengthens coordination between CISA and HHS to help protect critical systems in the healthcare and public health sector.
- CISA will not regulate providers. The Act does not create new mandates for healthcare organizations. Instead, it focuses on making tools, training, and threat intelligence more accessible.
- A dedicated CISA liaison will work with HHS. This individual will coordinate threat response efforts, support sector-wide planning, and improve communication between federal agencies and healthcare organizations.
- Federal cybersecurity resources will be easier to access. Providers can work with CISA’s Cybersecurity Advisors and State Coordinators to improve readiness, assess risk, and strengthen defenses.
Why the Healthcare Cybersecurity Act of 2025 Matters Now
According to the Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022 from the OCR, cyberattacks are accelerating.
This report found that cyberattacks have increased by 93% between 2018 and 2022. In 2022 alone, 626 data breach incidents involving at least 500 individuals impacted over 42 million individuals.
These incidents increase the costs of healthcare delivery and potentially harm patient health outcomes. Additionally, organizations with these large breaches may land on the OCR Wall of Shame.
According to a report by IBM and the Ponemon Institute, the average cost of a healthcare data breach in 2024 was $9.8 million. Beyond fines and lawsuits, organizations lose revenue from canceled procedures, delayed billing, and reputational damage.
Examples of major cybersecurity incidents from recent years include:
1. CommonSpirit Health
A ransomware attack on CommonSpirit Health disrupted clinical operations across more than 100 hospitals in multiple states. The incident forced systems offline, delayed patient care, and led to the exposure of protected health information (PHI) for over 623,700 patients. Recovery took weeks, and costs exceeded $160 million.
2. Scripps Health
Scripps Health, a nonprofit hospital system, experienced a major system outage after a cyberattack that compromised the data of more than 150,000 individuals. The breach led to an estimated total financial impact exceeding $112.7 million, including lost revenue and remediation costs.
3. Change Healthcare (2024)
The Change Healthcare ransomware incident is the largest healthcare data breach in U.S. history. The breach disrupted pharmacy services, payment platforms, and billing operations for thousands of providers. Reports indicate that data belonging to up to 190 million individuals may have been exposed, and the cost of this attack is in the billions.
Key Definitions from the Healthcare Cybersecurity Act of 2025
- Agency: the Cybersecurity and Infrastructure Security Agency (CISA)
- Covered Asset: a Healthcare and Public Health Sector asset, including technologies, services, and utilities
- Cybersecurity State Coordinator: a Cybersecurity State Coordinator appointed under section 2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 665c(a))
- Department: the Department of Health and Human Services (HHS)
- Director: the Director of the Cybersecurity and Infrastructure Security Agency
- Healthcare and Public Health Sector: the critical infrastructure sector identified in the National Security Memorandum on Critical Infrastructure and Resilience (NSM–22), issued April 30, 2024
- Information Sharing and Analysis Organizations (ISAOs): organizations defined under section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)
- Plan: the Healthcare and Public Health Sector-specific Risk Management Plan
- Secretary: the Secretary of Health and Human Services
What the Healthcare Cybersecurity Act Proposes
The Act is designed to strengthen the cybersecurity posture of the healthcare sector without introducing new regulatory burdens. Instead, it offers federal support, strategic coordination, and sector-wide infrastructure updates.
Below is a breakdown of each core provision included in the proposed legislation.
Appointment of a Cybersecurity Liaison to Improve Coordination Between HHS and CISA
The Healthcare Cybersecurity Act of 2025 calls for the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate directly with the Department of Health and Human Services (HHS) to improve cybersecurity across the Healthcare and Public Health Sector.
A key provision requires the Director of CISA to appoint a liaison to the Department with the appropriate cybersecurity qualifications. The liaison reports directly to the Director and plays a central role in unifying cyber operations between the two agencies.
The liaison’s responsibilities include:
- Serving as the primary point of contact for cybersecurity coordination between CISA and HHS
- Supporting the implementation of the Healthcare and Public Health Sector-specific Risk Management Plan and assisting in its updates
- Facilitating the sharing of cyber threat intelligence to strengthen awareness of risks and improve incident response readiness
- Assisting in the rollout of cybersecurity training to healthcare organizations
- Coordinating agency efforts during cyber incidents that impact the sector
- Performing additional duties assigned by the Secretary of HHS to enhance sector-wide cybersecurity posture
Reporting Requirements:
Within 18 months of enactment, the Secretary, in consultation with the Director, must submit a report to Congress detailing efforts to improve cybersecurity coordination between HHS and CISA. The report will be submitted to relevant committees in both the Senate and House of Representatives.
This report must include:
- A summary of the liaison’s activities
- Any challenges that limited the effectiveness of the liaison
- A feasibility study on establishing a broader agreement to improve cybersecurity across the Healthcare and Public Health Sector
Federal Resource Coordination
CISA will work closely with key sector partners to improve access to cybersecurity resources and information.
The Agency will coordinate with and make resources available to:
- Information Sharing and Analysis Organizations (ISAOs)
- Information Sharing and Analysis Centers (ISACs)
- Sector Coordinating Councils
- Non-federal entities receiving information through Department-managed programs
CISA’s coordination will cover:
- Developing tailored cybersecurity products that meet the specific needs of healthcare and public health sector entities
- Sharing actionable intelligence, including cyber threat indicators and recommended defensive measures
Sector-Specific Risk Management Plan
Within one year of the Act’s enactment, the Secretary of Health and Human Services, in coordination with the Director of CISA, must update the Healthcare and Public Health Sector-specific Risk Management Plan.
The updated Plan must include:
1. Analysis of Cybersecurity Risks
An analysis of how identified cybersecurity risks specifically impact covered assets. This includes consideration of how those risks affect rural, small, and medium-sized organizations.
2. Evaluation of Challenges Faced by Providers
A detailed evaluation of the challenges owners and operators of covered assets face in:
- Securing critical systems, including:
  - Updated information systems
  - Medical devices and equipment, with analysis of the threat landscape and known vulnerabilities
  - Sensitive patient health information and electronic health records
- Implementing cybersecurity protocols
- Responding to cyber incidents, including how breaches impact:
  - Access to care
  - Quality of patient care
  - Timeliness of healthcare delivery
  - Health outcomes
3. Best Practices for Using Federal Resources
An evaluation of best practices for how providers can utilize CISA resources, such as Cybersecurity State Coordinators and Cybersecurity Advisors, before, during, and after cyberattacks.
4. Assessment of Cybersecurity Workforce Shortages
An assessment of workforce shortages in the sector, including:
- Training, recruitment, and retention challenges
- Recommendations for addressing these issues, especially at rural and small- to mid-sized organizations
5. Communication Strategy
An evaluation of how CISA and HHS can most effectively and quickly communicate cybersecurity tools and recommendations to covered asset owners and operators.
Congressional Briefing Requirement of the Healthcare Cybersecurity Act of 2025
No later than 120 days after the Act is enacted, the Secretary, consulting with the Director, must brief the following committees on the Plan’s update:
- Senate: Committee on Health, Education, Labor, and Pensions; Committee on Finance; Committee on Homeland Security and Governmental Affairs
- House: Committee on Energy and Commerce; Committee on Ways and Means; Committee on Homeland Security
Designation of High-Risk Covered Assets
To better prioritize cybersecurity support, the Secretary of Health and Human Services may define objective criteria to identify specific healthcare systems as “high-risk covered assets.”
These criteria must be consistent with critical infrastructure guidance under the Critical Infrastructures Protection Act of 2001 and align with the Director’s risk assessments.
Creating and Maintaining a High-Risk Asset List
The Secretary may create a list of covered assets determined to be high-risk based on the established criteria and must notify the owners and operators of any assets added to or removed from the list.
This list must be reviewed and updated at least twice per year. The Secretary must notify asset owners and relevant Senate and House representatives each time the List changes.
The high-risk asset list enables HHS to prioritize resource allocation to the most vulnerable systems and strengthen cybersecurity resilience where it’s most urgently needed.
Formal Reporting to Congress on Cybersecurity Progress
Under the Healthcare Cybersecurity Act of 2025, two key reports must be submitted to Congress.
First, within 120 days of enactment, CISA must provide a report detailing the agency-wide support and activities it has delivered to help the healthcare and public health sector proactively prepare for and respond to cyber threats.
Second, within 18 months, the Comptroller General of the United States must submit a report on the federal resources available for critical infrastructure within the healthcare sector. This includes resources in place as of the Act’s passage and any stemming from collaboration between the Secretary of HHS and the Director of CISA.
If the Healthcare Cybersecurity Act of 2025 Passes, What Happens Next?
Once enacted, the bill sets specific implementation deadlines:
| Provision | Timeline |
| --- | --- |
| Risk Management Plan update | Within 1 year |
| Congressional briefing by HHS and CISA | Within 120 days |
| Report on sector support from CISA | Within 120 days |
| GAO infrastructure resource report | Within 18 months |
| High-risk asset list review | Every 6 months |
How the Healthcare Cybersecurity Act of 2025 Supports HIPAA
The Healthcare Cybersecurity Act complements existing HIPAA requirements.
HIPAA’s Security Rule calls for administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Many healthcare entities struggle with implementation due to staffing shortages, lack of expertise, or budget constraints.
This Act provides support in those areas. It offers training to help teams better understand and apply cyber risk controls. It encourages sector-specific risk planning aligned with HIPAA’s requirements for periodic evaluation and mitigation. And it promotes interagency collaboration that strengthens breach response capabilities.
By aligning federal cybersecurity infrastructure with HIPAA’s foundational goals, the Act helps healthcare providers close the gap between regulatory requirements and operational readiness.
Why Baseline HIPAA Compliance Isn’t Enough
This bill will not require new actions from providers, but that doesn’t mean nothing changes. The expectations of payers, regulators, and patients are shifting. Cybersecurity has moved beyond checkbox compliance.
Here’s what modern cybersecurity maturity looks like:
Level 1: Reactive
Issues are escalated only after a problem. Incident response is minimal. Cybersecurity is isolated within IT.
Level 2: Compliance-Oriented
Basic HIPAA requirements are followed. Risk assessments occur but are rarely actionable. Few ties to clinical or executive leadership.
Level 3: Cyber-Mature
Cybersecurity is embedded into organizational governance. The board tracks risk exposure. Incident response plans are tested and cross-functional. The organization engages with federal cyber programs and shares threat intelligence with peers.
Because cybersecurity directly affects care delivery, it’s critical that healthcare leaders aim to achieve level 3 maturity.
When systems fail, patients face canceled appointments, delayed procedures, and interrupted treatment. Clinical teams lose access to medical histories, test results, and diagnostic tools. Every system tied to patient information plays a role in the care experience. Weak security undermines that foundation.
The Healthcare Cybersecurity Act recognizes this connection by requiring federal agencies to evaluate how cyber incidents impact access, quality, and patient outcomes. Protecting systems and data is part of protecting patients.
How Providers Can Lead: Planning and Strategy
Strategic planning is essential. If the Act passes, providers will gain access to federal coordination, resources, and training. To take full advantage of this support, organizations should prepare now.
Start by aligning cybersecurity governance with executive leadership and board oversight. Refresh your incident response plan to include roles from compliance, IT, clinical operations, and legal. Identify which systems, devices, or platforms are most critical and assess whether they may fall under high-risk designations.
It’s also important to monitor updates from CISA, HHS, and congressional committees. Staying engaged ensures that your organization is ready to act on new guidance or funding opportunities.
Now is the time to build a stronger cybersecurity foundation. Start with the following steps:
1. Participate in Training
Train staff on ransomware identification, phishing defense, and credential management. Make cyber hygiene and social engineering awareness part of everyday operations.
2. Review and Align with the Risk Plan
Assess your EHR systems, device connectivity, and third-party tools. Evaluate business associates and vendors under your BAA for security posture and breach history.
3. Build a Response Culture
Establish a living incident response plan. Include compliance, clinical, legal, and IT leaders in tabletop exercises. Document lessons learned and apply them to protocols.
Strengthen Medical Record Security
The Healthcare Cybersecurity Act of 2025 offers guidance, but the responsibility to lead falls on each provider. Better support from federal agencies is only part of the solution. The rest comes from building an internal culture that treats cybersecurity as essential to patient care.
ChartRequest helps healthcare organizations reduce exposure by modernizing how they manage medical record requests. With secure access controls, detailed audit logs, and built-in encryption, our platform supports compliance while improving efficiency.
Providers that act now will be better equipped to protect patients, meet stakeholder expectations, and lead with confidence in an increasingly connected healthcare environment.
Discover a purpose-built solution for medical record exchange, or schedule a personalized consultation to learn how we can help your practice keep patient data safe.