This Act establishes coordination between CISA and HHS to enhance cybersecurity through planning, training, and identifying high-risk assets within the Healthcare and Public Health Sector.
Jacky Rosen
Senator
NV
The Healthcare Cybersecurity Act of 2025 aims to bolster cybersecurity across the nation's healthcare sector by enhancing coordination between CISA and HHS. This legislation mandates the creation of a sector-specific risk management plan, the identification of high-risk assets, and the provision of specialized training for healthcare owners and operators. Ultimately, the bill seeks to reduce the growing threat of cyberattacks targeting critical patient data and health services.
If you’ve ever had a medical appointment canceled because the hospital’s computer systems were down, or if you’ve received a letter saying your health data was compromised, you already know why the Healthcare Cybersecurity Act of 2025 is happening. This bill is a direct response to the massive 93% jump in cyberattacks on healthcare facilities between 2018 and 2022, aiming to formalize how the federal government protects the Healthcare and Public Health Sector, whose facilities and systems the bill calls "Covered Assets." The core of the Act mandates close coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to share threat info, provide specific training, and create a roadmap for defense.
Section 4 of the Act is all about ending the silo effect. It requires CISA and HHS to appoint a dedicated, qualified cybersecurity liaison—a sort of permanent go-between—to coordinate efforts. This person’s job is to make sure threat information flows freely between the two agencies and to help implement the massive new sector-specific risk management plan. For you, the patient, this means that when a new, scary cyber threat emerges, the people protecting the hospitals and clinics should get the warning faster and with better context than before. It’s about making sure the left hand (HHS, the health experts) knows exactly what the right hand (CISA, the cyber defense experts) is doing.
Section 5 tackles the human element. CISA is now required to create and offer specific cybersecurity training for the owners and operators of those "covered assets"—the people actually running the hospitals, clinics, and medical device companies. This isn't generic IT training; it focuses on the unique risks facing the healthcare sector, like securing medical devices and protecting sensitive patient data. Think of it as specialized defense training for a highly targeted industry.
Crucially, Section 6 requires HHS and CISA to update the Sector-specific Risk Management Plan within one year. This updated plan must specifically analyze the challenges faced by smaller and rural healthcare operations, which often lack the massive IT budgets of big city hospitals. It also needs to assess the security weaknesses in medical devices and, importantly, address the severe cybersecurity workforce shortage in the health sector. If you work in IT or security, this plan could lead to new, targeted training and hiring initiatives aimed at filling those gaps, especially outside major metropolitan areas.
One of the most impactful provisions is Section 7, which establishes a process for identifying “high-risk covered assets.” HHS, working with CISA, can create objective rules to identify the most critical or vulnerable systems and technologies in healthcare. Once identified, the owners of these assets are notified, and the government uses this list to prioritize where to send its limited resources, like specialized security advisors. For example, if a specific type of widely used electronic health record (EHR) system is deemed high-risk due to known vulnerabilities, this Act directs federal resources to help those hospitals secure that system first. This is a smart approach to resource allocation, focusing on the biggest targets that could cause the most disruption to patient care.
While this bill is overwhelmingly beneficial for system resilience and data protection, there are two practical challenges to note. First, Section 9 includes a rule of construction stating that the Act does not authorize or set aside any new funding. All the new coordination, training, planning, and resource prioritization must be paid for using money already appropriated to CISA and HHS. This means existing programs might need to stretch their budgets thin to cover these new mandates.
Second, while the training and resources are welcome, the owners and operators of healthcare facilities—from large hospital systems to smaller clinics—will likely face new administrative burdens and compliance costs associated with implementing the required training and meeting the standards set by the new risk management plan. For busy clinic managers, this means more time spent on compliance, even if the end result is a safer system. The hope is that the federal support offered will outweigh these new administrative hurdles, especially for smaller entities that need the help most. Ultimately, this bill is a necessary step toward treating healthcare infrastructure like the critical national security asset it is, ensuring your health data and access to care are protected from increasingly sophisticated digital threats.