Healthcare Cybersecurity Act of 2025
The Healthcare Cybersecurity Act of 2025 aims to strengthen cyberdefense in the Healthcare and Public Health Sector by tightening coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS). The bill would establish a dedicated liaison, require an updated sector-specific risk management plan within a year, expand training for healthcare owners/operators, and create a process to identify and prioritize high-risk assets. It also authorizes information sharing efforts with sector partners and imposes reporting requirements to Congress. Notably, the bill authorizes no new funds, relying instead on existing resources for implementation. Overall, the measure seeks to reduce cyber threats to healthcare delivery, protect sensitive health data, and improve resilience and incident response in the sector—especially for rural and small- to medium-sized providers—through enhanced coordination, planning, training, and targeted resource prioritization.
Key Points
1. Enhanced agency coordination and a dedicated liaison: The Agency (CISA) will coordinate with HHS to improve sector cybersecurity. A liaison with cybersecurity qualifications will be appointed to work directly with the Director of the Agency and report to them, serving as the main point of contact between the Department and CISA.
2. Updated sector-specific risk management plan within 1 year: The Secretary (of HHS), with the Director, must update the Healthcare and Public Health Sector Risk Management Plan. The update must analyze how cybersecurity risks affect covered assets (including rural and smaller providers), evaluate challenges to securing systems and medical devices, assess patient data security, and examine workforce shortages and how to address them. It also requires evaluating how to communicate and deploy cybersecurity recommendations.
3. Identification and prioritization of high-risk assets: The Secretary, with input from the Director and sector operators, can establish objective criteria to designate high-risk covered assets. A list of high-risk assets may be created and biannually updated, with Congress notified of the initial list and each update. The list can be used to prioritize federal resources to bolster cyber resilience.
4. Training for healthcare owners/operators: The Agency must provide training on cybersecurity risks specific to the Healthcare and Public Health Sector and on ways to mitigate those risks.
5. Reporting requirements: The Act requires a briefing to Congress within 120 days on updating the Plan, and a report within 120 days on the Agency’s sector-wide assistance. It also requires a GAO review within 18 months of enactment to assess federal resources available for the sector. In addition, the Act states that no new funds are authorized by this bill.