LegisTrack
HR 3841 | 119th Congress | In Committee

Healthcare Cybersecurity Act of 2025

Introduced: Jun 9, 2025
Healthcare | Technology & Innovation
Standard Summary

The Healthcare Cybersecurity Act of 2025 aims to strengthen cybersecurity across the Healthcare and Public Health Sector by boosting coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS). Key elements include designating a dedicated liaison between the Agency and the Department, updating and implementing a sector-specific Risk Management Plan, providing cybersecurity training to healthcare asset owners/operators, and establishing criteria and a list for high-risk assets to prioritize protection and resources. The bill also calls for regular briefings and reports to Congress on coordination, resources, and the sector’s cyber risks and resilience. Overall, the bill seeks to improve threat information sharing, risk assessment, and incident response in healthcare, with particular attention to rural and smaller providers, medical devices, and patient data. It does not authorize new funding but relies on existing authorities and resources to advance sector-specific cyber resilience.

Key Points

  • 1. Agency-Department coordination and a dedicated liaison: The Act requires a designated cybersecurity liaison between CISA (the Agency) and HHS to coordinate issues, share threat information, support the Sector-Specific Risk Management Plan, and assist during incidents in the Healthcare and Public Health Sector.
  • 2. Sector-Specific Risk Management Plan updates: Within one year, the Secretary of HHS and the Director of CISA must update the sector plan to analyze risks to covered assets (including rural and small/medium entities), evaluate challenges in securing systems and medical devices, assess data breach impacts on patient care, and outline best practices and resource use to support asset owners.
  • 3. Training for asset owners/operators: The Agency must provide training on cybersecurity risks and mitigation strategies specific to Healthcare and Public Health Sector assets.
  • 4. Identification of high-risk assets: The Secretary, with input from the Director and sector stakeholders, can designate high-risk covered assets, maintain a biannually updated list, notify Congress of additions/removals, and use the list to prioritize resource allocation.
  • 5. Reporting and oversight: The Act requires a report within 120 days on sector-wide assistance and a later Comptroller General report on federal resources available to the sector. It also mandates a Congressional briefing within 120 days of enactment regarding the Plan update.
  • 6. Protections and funding constraints: Provisions clarify that actions must follow existing law, protect constitutional rights, and do not authorize new funds for implementing the Act.

Impact Areas

Primary group/area affected

- Healthcare and Public Health Sector entities (hospitals, clinics, health systems, long-term care facilities, medical device makers, health IT vendors, and other covered assets) that would receive coordination, training, risk assessments, and potential prioritization of resources for high-risk assets.

Secondary group/area affected

- Federal agencies involved in cybersecurity and health security (CISA and HHS), including the new liaison role and interagency workflows.
- Information Sharing and Analysis Organizations (ISACs), sector coordinating councils, and other non-Federal entities participating in cyber threat information sharing.

Additional impacts

- Patients and healthcare delivery: Improved resilience against cyber threats could reduce disruption to care, safeguard patient data, and affect access, quality, and timeliness of care during incidents.
- Workforce considerations: The plan and reporting emphasize cybersecurity workforce shortages in the sector, particularly at rural and small/medium providers, potentially informing training and recruitment needs.
- Policy and oversight: Regular reporting to Congress and a biannual high-risk asset list could influence federal resource allocation and future legislation, with no new funding authorized by the Act itself (funding would come from existing authorities).
- Civil liberties and rights: The bill contains protections against constitutional rights violations and unauthorized surveillance, clarifying that actions must stay within existing law and respect rights.

Generated by gpt-5-nano on Oct 7, 2025