HR3841-119

In Committee

Healthcare Cybersecurity Act of 2025

119th Congress Introduced Jun 9, 2025

Summary

What This Bill Does

The Healthcare Cybersecurity Act responds to rising cyberattacks on healthcare and public-health assets. Findings cite a 93 percent rise in large cyber breaches at healthcare facilities between 2018 and 2022, a 107 percent increase in unsecured protected health information breaches since 2018, and 626 large breaches affecting nearly 42 million people in 2022. CISA must coordinate with HHS to improve healthcare cybersecurity. The CISA Director, with the HHS Secretary, must appoint a qualified CISA employee or detailee to HHS's Administration for Strategic Preparedness and Response as a liaison who reports to the CISA Director, coordinates cybersecurity issues, supports the Healthcare and Public Health Sector-specific Risk Management Plan, shares threat information, helps implement training, coordinates during incidents, and performs other duties needed to improve sector cybersecurity. HHS and CISA must report within 18 months on coordination activities, liaison challenges, and feasibility of an agreement to improve public-sector healthcare cybersecurity. CISA must coordinate with information sharing organizations, information sharing and analysis centers, sector coordinating councils, and nonfederal entities receiving HHS-managed information, including healthcare-specific products and cyber threat indicators. CISA must make training available to owners and operators of covered healthcare assets. HHS, with CISA, must update the sector risk management plan within one year to analyze risks for rural and small or medium assets, medical devices, patient records, protocols, incident response, patient access, care quality, workforce shortages, CISA resources, and timely communication of tools. HHS may establish criteria and notify owners of high-risk covered assets, update the list biannually, and notify Congress. CISA must report within 120 days on support to the sector, and GAO must report within 18 months on federal critical-infrastructure resources. The bill does not authorize new funds and preserves existing legal and constitutional limits.

Who Benefits and How

Hospitals benefit from CISA-HHS coordination, training, threat information, and risk-management updates tailored to healthcare assets. Rural healthcare facilities benefit because the risk plan must analyze challenges for rural covered assets. Patients benefit if cybersecurity improvements reduce care disruption, data breaches, and threats to health outcomes. Healthcare information sharing organizations benefit from CISA coordination and sector-specific cyber products. Medical device operators benefit from plan analysis of device vulnerabilities and threat landscape.

Who Bears the Burden and How

CISA staff must appoint a liaison, provide training, share threat information, develop healthcare-specific products, and report to Congress. HHS preparedness staff must host or coordinate with the liaison, update the risk plan, identify high-risk assets, and notify Congress. Healthcare asset owners must engage with training, risk-plan expectations, and possible high-risk notifications. GAO must report on federal healthcare critical-infrastructure resources within 18 months. Congressional committees must review multiple briefings and reports without new appropriations.

Key Provisions

  • Requires CISA to coordinate with HHS on Healthcare and Public Health Sector cybersecurity.
  • Creates a qualified CISA liaison to HHS for threat sharing, risk-plan support, training, and incident coordination.
  • Requires CISA healthcare-sector training for covered asset owners and operators.
  • Requires HHS and CISA to update the sector-specific risk management plan within one year.
  • Allows HHS to identify, notify, and biannually update high-risk covered healthcare assets.
  • Requires CISA and GAO reports on healthcare cybersecurity support and federal resources.
  • Preserves constitutional and existing-law limits and authorizes no additional funds.

Evidence Chain:

This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.

At a Glance

What This Bill Does

Requires CISA and HHS coordination on healthcare and public-health cybersecurity, creates a CISA-HHS liaison, requires healthcare-sector threat information sharing and tailored products, makes CISA training available to covered asset owners and operators, updates the sector-specific risk management plan within one year, allows HHS to identify and notify high-risk healthcare assets, requires CISA and GAO reports, preserves constitutional limits, and authorizes no additional funds.

Key Policy Areas

Cybersecurity, Health Care, Critical Infrastructure

Primary Purpose

Requires CISA and HHS coordination on healthcare and public-health cybersecurity, creates a CISA-HHS liaison, requires healthcare-sector threat information sharing and tailored products, makes CISA training available to covered asset owners and operators, updates the sector-specific risk management plan within one year, allows HHS to identify and notify high-risk healthcare assets, requires CISA and GAO reports, preserves constitutional limits, and authorizes no additional funds.

Policy Domains

Cybersecurity Health Care Critical Infrastructure

Resolution provisions

Identified Gains
  • Hospitals
  • Rural healthcare facilities
  • Patients
  • Healthcare information sharing organizations
  • Medical device operators
Model: codex-gpt-5 | Version: bill_summary_v2 | Source: ih
Patients: , , , ,
Hospitals: , , , ,
Medical device operators: , , , ,
Rural healthcare facilities: , , , ,
Healthcare information sharing organizations: , , , ,
Identified Costs
  • CISA staff
  • HHS preparedness staff
  • Healthcare asset owners
  • GAO
  • Congressional committees
Model: codex-gpt-5 | Version: bill_summary_v2 | Source: ih
GAO: , , , ,
CISA staff: , , , ,
HHS preparedness staff: , , , ,
Healthcare asset owners: , , , ,
Congressional committees: , , , ,

Legislative Progress

In Committee
Introduced Committee Passed
Jun 10, 2025

Referred to the Subcommittee on Cybersecurity and Infrastructure Protection.

Jun 9, 2025

Mr. Crow (for himself and Mr. Fitzpatrick) introduced the following …

Jun 9, 2025

Referred to the Committee on Homeland Security, and in addition …

Jun 9, 2025

Introduced in House

Stakeholder Effects

cui bono?

How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.

Government
15 mentions across 5 clauses
-15 negative

CISA staff, GAO, HHS preparedness staff

Health Care Providers
10 mentions across 5 clauses
+5 positive -5 negative

Healthcare asset owners, Hospitals

Positive-direction: Hospitals

Negative-direction: Healthcare asset owners

Rural Communities
5 mentions across 5 clauses
+5 positive

Rural healthcare facilities

Healthcare Beneficiaries
5 mentions across 5 clauses
+5 positive

Patients

Technology
5 mentions across 5 clauses
?5 uncertain

Healthcare information sharing organizations

Healthcare
5 mentions across 5 clauses
+5 positive

Medical device operators

5/9
sections analyzed
Full impact breakdown

Bill Structure & Actor Mappings

Who is "The Secretary" in each section?

Domains
Cybersecurity Health Care Critical Infrastructure

We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.

Learn more about our methodology