Health Care Cybersecurity and Resiliency Act of 2025
Sponsors
Mr. Cassidy (for himself, Ms. Hassan, Mr. Cornyn, and Mr. …
Legislative Progress
In Committee
Summary
What This Bill Does
The Health Care Cybersecurity and Resiliency Act of 2025 strengthens cybersecurity protections for the healthcare sector by requiring the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to work together on cyber defenses. It mandates new minimum security standards for all healthcare entities handling patient data, including required use of multifactor authentication and encryption.
Who Benefits and How
Cybersecurity firms and IT consultants benefit significantly, as healthcare providers will need their services to meet new security requirements like penetration testing and MFA implementation. Healthcare entities including hospitals, rural clinics, and community health centers can receive federal grants (authorized for 2025-2030) to upgrade their cybersecurity infrastructure and hire security personnel. Healthcare consumers benefit from stronger protections for their medical data.
Who Bears the Burden and How
HIPAA-covered entities (hospitals, clinics, insurers) and their business associates face increased compliance costs from mandatory multifactor authentication, encryption, penetration testing, and other new security standards. Small healthcare practices will be particularly affected by implementation costs. Healthcare organizations that experience data breaches face increased reputational risk as the bill requires public disclosure of corrective actions and whether they followed recognized security practices. Federal taxpayers fund the grant programs.
Key Provisions
- Requires HHS to develop a cybersecurity incident response plan within 1 year
- Mandates multifactor authentication and encryption for all systems with protected health information
- Creates a grant program for healthcare entities to adopt cybersecurity best practices (FY 2025-2030)
- Enhances breach reporting requirements to include number of individuals affected and corrective actions
- Provides special cybersecurity guidance for rural healthcare facilities
- Allows consideration of security investments when HHS determines HIPAA violation fines
- Requires a workforce development plan to address the healthcare cybersecurity skills gap
Evidence Chain:
This summary is derived from the structured analysis below. See "Detailed Analysis" for per-title beneficiaries/burden bearers with clause-level evidence links.
Primary Purpose
To improve cybersecurity in the Healthcare and Public Health Sector by establishing coordination between HHS and CISA, mandating incident response plans, requiring enhanced breach reporting, setting minimum cybersecurity standards, and providing grants for healthcare entities to adopt cybersecurity best practices.
Policy Domains
Legislative Strategy
"Strengthen healthcare sector cybersecurity through mandatory standards, enhanced coordination between HHS and CISA, incident response planning, and financial support for healthcare entities to improve their cyber defenses"
Likely Beneficiaries
- Cybersecurity firms and consultants serving healthcare sector
- Healthcare IT vendors and cloud service providers
- Cybersecurity workforce training providers
- Information Sharing and Analysis Organizations (ISAOs)
- Healthcare facilities receiving grants for cybersecurity upgrades
Likely Burden Bearers
- Hospitals and health systems (compliance with new cybersecurity standards)
- Covered entities under HIPAA (enhanced breach reporting requirements)
- Business associates under HIPAA (new security practice requirements)
- Rural healthcare providers (implementing new cybersecurity measures)
- Federal taxpayers (funding grants and program implementation)
Bill Structure & Actor Mappings
Who is "The Secretary" in each section?
- "the_director" → Director of the Cybersecurity and Infrastructure Security Agency (CISA)
- "the_secretary" → Secretary of Health and Human Services
- "the_administrator" → Administrator of the Health Resources and Services Administration
Key Definitions
Terms defined in this bill
The Cybersecurity and Infrastructure Security Agency (CISA)
Has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)
Has the meaning given such term by the Health Resources and Services Administration
The Director of the Cybersecurity and Infrastructure Security Agency
The Secretary of Health and Human Services
Has the meaning given such term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)
Has the meaning given the term 'incident' in section 3552 of title 44, United States Code
A Cybersecurity State Coordinator appointed under section 2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 665c(a))
The Healthcare and Public Health sector, as identified in Presidential Policy Directive 21 (February 12, 2013; relating to critical infrastructure security and resilience)
We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.