Healthcare Cybersecurity Act of 2025
Summary
What This Bill Does
The Healthcare Cybersecurity Act responds to rising cyberattacks on healthcare and public-health assets. Findings cite a 93 percent rise in large cyber breaches at healthcare facilities between 2018 and 2022, a 107 percent increase in unsecured protected health information breaches since 2018, and 626 large breaches affecting nearly 42 million people in 2022. CISA must coordinate with HHS to improve healthcare cybersecurity. The CISA Director, with the HHS Secretary, must appoint a qualified CISA employee or detailee to HHS's Administration for Strategic Preparedness and Response as a liaison who reports to the CISA Director, coordinates cybersecurity issues, supports the Healthcare and Public Health Sector-specific Risk Management Plan, shares threat information, helps implement training, coordinates during incidents, and performs other duties needed to improve sector cybersecurity. HHS and CISA must report within 18 months on coordination activities, liaison challenges, and feasibility of an agreement to improve public-sector healthcare cybersecurity. CISA must coordinate with information sharing organizations, information sharing and analysis centers, sector coordinating councils, and nonfederal entities receiving HHS-managed information, including healthcare-specific products and cyber threat indicators. CISA must make training available to owners and operators of covered healthcare assets. HHS, with CISA, must update the sector risk management plan within one year to analyze risks for rural and small or medium assets, medical devices, patient records, protocols, incident response, patient access, care quality, workforce shortages, CISA resources, and timely communication of tools. HHS may establish criteria and notify owners of high-risk covered assets, update the list biannually, and notify Congress. CISA must report within 120 days on support to the sector, and GAO must report within 18 months on federal critical-infrastructure resources. The bill does not authorize new funds and preserves existing legal and constitutional limits.
Who Benefits and How
Hospitals benefit from CISA-HHS coordination, training, threat information, and risk-management updates tailored to healthcare assets. Rural healthcare facilities benefit because the risk plan must analyze challenges for rural covered assets. Patients benefit if cybersecurity improvements reduce care disruption, data breaches, and threats to health outcomes. Healthcare information sharing organizations benefit from CISA coordination and sector-specific cyber products. Medical device operators benefit from plan analysis of device vulnerabilities and threat landscape.
Who Bears the Burden and How
CISA staff must appoint a liaison, provide training, share threat information, develop healthcare-specific products, and report to Congress. HHS preparedness staff must host or coordinate with the liaison, update the risk plan, identify high-risk assets, and notify Congress. Healthcare asset owners must engage with training, risk-plan expectations, and possible high-risk notifications. GAO must report on federal healthcare critical-infrastructure resources within 18 months. Congressional committees must review multiple briefings and reports without new appropriations.
Key Provisions
- Requires CISA to coordinate with HHS on Healthcare and Public Health Sector cybersecurity.
- Creates a qualified CISA liaison to HHS for threat sharing, risk-plan support, training, and incident coordination.
- Requires CISA healthcare-sector training for covered asset owners and operators.
- Requires HHS and CISA to update the sector-specific risk management plan within one year.
- Allows HHS to identify, notify, and biannually update high-risk covered healthcare assets.
- Requires CISA and GAO reports on healthcare cybersecurity support and federal resources.
- Preserves constitutional and existing-law limits and authorizes no additional funds.
Evidence Chain:
This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.
At a Glance
What This Bill Does
Requires CISA and HHS coordination on healthcare and public-health cybersecurity, creates a CISA-HHS liaison, requires healthcare-sector threat information sharing and tailored products, makes CISA training available to covered asset owners and operators, updates the sector-specific risk management plan within one year, allows HHS to identify and notify high-risk healthcare assets, requires CISA and GAO reports, preserves constitutional limits, and authorizes no additional funds.
Key Policy Areas
Cybersecurity, Health Care, Critical Infrastructure
Primary Purpose
Requires CISA and HHS coordination on healthcare and public-health cybersecurity, creates a CISA-HHS liaison, requires healthcare-sector threat information sharing and tailored products, makes CISA training available to covered asset owners and operators, updates the sector-specific risk management plan within one year, allows HHS to identify and notify high-risk healthcare assets, requires CISA and GAO reports, preserves constitutional limits, and authorizes no additional funds.
Policy Domains
Resolution provisions
Identified Gains
- Hospitals
- Rural healthcare facilities
- Patients
- Healthcare information sharing organizations
- Medical device operators
Identified Costs
- CISA staff
- HHS preparedness staff
- Healthcare asset owners
- GAO
- Congressional committees
Sponsors
Legislative Progress
In CommitteeReferred to the Subcommittee on Cybersecurity and Infrastructure Protection.
Mr. Crow (for himself and Mr. Fitzpatrick) introduced the following …
Referred to the Committee on Homeland Security, and in addition …
Introduced in House
Stakeholder Effects
cui bono?How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.
Healthcare asset owners, Hospitals
Positive-direction: Hospitals
Negative-direction: Healthcare asset owners
Bill Structure & Actor Mappings
Who is "The Secretary" in each section?
We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.
Learn more about our methodology