Policy Brief
S. 3315
119th Congress, Dec 2nd 2025
Health Care Cybersecurity and Resiliency Act of 2025
IN COMMITTEE

This bill establishes comprehensive measures to enhance cybersecurity and resiliency across the U.S. Healthcare and Public Health Sector through coordination, mandatory standards, incident planning, breach reporting updates, and dedicated grant and workforce programs.

Sponsor: Bill Cassidy (R), Senator, LA

LEGISLATION

Mandatory MFA, Encryption, and Grants: New Bill Demands Security Upgrades for All US Healthcare Providers

The Health Care Cybersecurity and Resiliency Act of 2025 is essentially a massive, mandatory security upgrade for the entire U.S. healthcare system. It’s built on the premise that our medical data—from your latest blood test to your entire medical history—is a prime target for hackers, and the current security setup isn't cutting it. The bill mandates coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) and, crucially, sets hard, new technical security standards for every covered healthcare entity and their business partners.

The New Rules: Mandatory MFA and Encryption

If you’ve ever used multi-factor authentication (MFA) to log into your work email or bank account, you know it’s a pain—but it works. Section 9 is the game-changer here, requiring HHS to update regulations and mandate that covered healthcare entities adopt specific cybersecurity practices. This isn’t optional guidance; it’s a requirement. Specifically, every entity that handles your protected health information (PHI) must implement multifactor authentication and apply encryption safeguards to your data. They must also conduct regular audits, including penetration testing, to keep their systems secure. For patients, this means your medical records should be significantly harder for hackers to steal. For hospitals and clinics, especially smaller ones, this means a mandatory investment in new technology and training to meet these non-negotiable security baselines.

Who Pays for the Upgrade?

Mandates are great for security, but they cost money. Recognizing that a small rural clinic can’t afford the same security team as a major city hospital, Section 11 establishes a new grant program. This program allows public and nonprofit health centers, hospitals, rural health clinics, and others to apply for federal funding to cover these upgrade costs. Grant money can be used for hiring and training cybersecurity staff, updating electronic systems (like moving to the cloud), and reducing the use of outdated legacy systems. The catch? The success of this safety net depends entirely on Congress appropriating the “necessary funds” for the program from 2025 through 2030. If the money doesn’t flow, the mandates still stand, leaving smaller providers to shoulder the compliance burden.

More Transparency After a Breach

Ever wonder what happens after a major hospital data breach is reported? Sections 6 and 7 aim to provide more transparency. The Secretary of HHS is required to update the public breach reporting portal to show not only how many individuals were affected by a breach but also what corrective action was taken against the entity that got hacked. Furthermore, the portal will now track whether the entity had “recognized security practices” in place—a detail that can influence fines. This means when a breach hits the news, the public will get a clearer picture of whether the entity was following best practices or was penalized for lax security. This new level of public scrutiny creates a strong incentive for providers to stay ahead of the curve.

Better Coordination and Rural Support

The bill also cleans up the federal side of things. Sections 3 and 4 mandate better coordination between HHS and CISA, ensuring that the health sector’s incident response is unified. Crucially, Section 10 requires HHS to issue specialized guidance for rural entities on improving their cybersecurity readiness. This targeted support recognizes that rural providers often lack the IT infrastructure and staff of their urban counterparts. The bill also mandates a strategic plan to grow the healthcare cybersecurity workforce (Section 12), acknowledging that you can’t secure the system without the people trained to do the job.