This Act establishes coordination between federal agencies and mandates risk management planning, training, and identification of high-risk assets to enhance cybersecurity across the Healthcare and Public Health Sector.
Jason Crow, Representative, CO-6
The Healthcare Cybersecurity Act of 2025 aims to bolster the security of the nation's critical health infrastructure against rising cyber threats. It mandates increased coordination between CISA and HHS to implement a sector-specific risk management plan and provide necessary training to healthcare operators. The bill also establishes a process for identifying and prioritizing "high-risk" healthcare assets requiring focused federal resources.
The new Healthcare Cybersecurity Act of 2025 is Congress’s attempt to stop the bleeding from massive cyberattacks on hospitals and clinics. The goal is simple: beef up the digital defenses of the entire Healthcare and Public Health Sector—from the smallest rural clinic to the largest urban hospital system—which has seen major attacks jump 93% between 2018 and 2022. This Act is all about coordination, training, and creating a new plan to manage the risk, but it comes with a big catch: no new money is authorized to pay for it.
The core problem this bill addresses is the fact that your health data—your electronic health records (EHRs) and other sensitive information—has become a prime target, with nearly 42 million people having their data compromised in 2022 alone. The bill mandates that the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) stop working in silos. They must appoint a dedicated liaison (SEC. 4) who will act as the go-between, ensuring that cyber threat information flows smoothly between the security experts and the health experts. For you, the patient, this is good news: better federal coordination means a faster, more effective response when a hospital system gets hit, hopefully preventing long delays in care or data theft.
Within one year of the law passing, the Secretary of HHS must update the sector-specific Risk Management Plan (SEC. 6). This isn't just bureaucratic paperwork; this plan directly affects how secure your local doctor’s office is. Crucially, the updated plan must specifically analyze how cyber risks affect smaller businesses and those in rural areas. For those living outside major metro areas, this means the federal government must finally focus on the unique challenges faced by small practices that often lack dedicated IT staff. The plan also requires an assessment of the challenges surrounding securing medical devices—think of all the networked imaging machines and monitors in a hospital—and how attacks affect patient care access and quality.
One of the most practical changes involves creating a priority list. The Act allows the Secretary to establish objective standards to designate certain “covered assets”—critical health infrastructure—as “high-risk” (SEC. 7). Once identified, these high-risk entities will be prioritized for federal resources, like CISA’s Cyber Security Advisors. If you work at a major regional hospital or a facility that handles massive amounts of sensitive data, your employer might land on this list, meaning they get first dibs on federal help to upgrade their security. The bill also mandates that CISA provide specific training to the owners and operators of these assets, teaching them how to reduce risks specific to the healthcare sector (SEC. 5).
Here’s where the rubber meets the road for healthcare providers and taxpayers. While the Act mandates new coordination, new training, and a massive new plan, Section 9 explicitly states that the law does not authorize any new funding. This is a major practical challenge. If you run a small community hospital, you are now required to dedicate staff time for new training and implement the recommendations from the updated risk plan, but the federal government isn't providing a dedicated pot of money to cover the compliance costs or the necessary security upgrades. These costs will likely be absorbed by the healthcare providers themselves, potentially leading to higher operating costs or the reallocation of funds from other areas, which is a common hurdle for unfunded federal mandates.
Finally, the Act includes important language (SEC. 9) protecting constitutional rights, ensuring that this new push for cybersecurity can't be used by the government to infringe on protected speech or conduct surveillance without proper authorization. It’s a necessary safeguard, confirming that even when we’re securing critical infrastructure, the government’s powers remain checked.