Healthcare Cybersecurity Act of 2025
- Bill Number
- H.R. 3841
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Health
- Status
- Introduced
- Latest Action
- 2025-06-10: Referred to the Subcommittee on Cybersecurity and Infrastructure Protection.
- Last Updated
- 2026-05-16T08:07:51Z
AI-Generated Summary
Purpose
The Healthcare Cybersecurity Act of 2025 aims to strengthen cybersecurity protections for the Healthcare and Public Health Sector by improving coordination between federal agencies, enhancing risk management, providing training, and identifying high-risk assets. This addresses the rising threats of cyberattacks that lead to data breaches, higher costs, and potential harm to patient care.
Key Provisions
- Definitions: Establishes terms such as "Agency" (referring to the Cybersecurity and Infrastructure Security Agency, or CISA), "covered assets" (healthcare technologies, services, and utilities), "Department" (Department of Health and Human Services, or HHS), and "Plan" (the Healthcare and Public Health Sector-specific Risk Management Plan).
- Findings: Highlights the growing problem of cyberattacks on healthcare, noting a 93% increase in large breaches from 2018 to 2022 and a 107% rise in breaches of protected health information since 2018, affecting millions of individuals.
- Agency Coordination with HHS (Section 4):
- Requires CISA to work with HHS to boost sector cybersecurity.
- Mandates appointment of a CISA liaison to HHS with cybersecurity expertise to handle coordination, threat sharing, training support, and incident response.
- Directs CISA to share resources and cyber threat information with sector groups like Information Sharing and Analysis Organizations (groups that facilitate cybersecurity info sharing among private entities).
- Requires a report to Congress within 18 months on coordination activities, challenges, and feasibility of public sector cybersecurity agreements.
- Training for Healthcare Owners and Operators (Section 5): CISA must provide training on cybersecurity risks to the sector and mitigation strategies for information systems.
- Sector-Specific Risk Management Plan Update (Section 6):
- HHS, with CISA input, must update the Plan within one year, including analyses of risks to assets (especially rural and small/medium-sized ones), challenges in securing systems/devices/health records, best practices for using CISA resources, workforce shortages, and communication methods for cybersecurity tools.
- Requires a congressional briefing within 120 days on the update process.
- Identifying High-Risk Covered Assets (Section 7): HHS may set criteria (aligned with CISA's critical infrastructure methods) to designate and notify high-risk assets, maintain a biannually updated list, inform Congress of changes, and use the list to prioritize resources for cyber resilience.
- Reports (Section 8):
- CISA must report to Congress within 120 days on its support for the sector in preparing for and responding to cyber threats.
- The Government Accountability Office (GAO) must report within 18 months on federal critical infrastructure resources available to the sector, including CISA-HHS collaborations.
- Rules of Construction (Section 9): Clarifies that the Act does not grant new authorities beyond what's specified, protects constitutional rights (e.g., no censorship or unauthorized surveillance), and authorizes no additional funding.
Significant Changes to Existing Law
- Introduces mandatory coordination and a dedicated liaison between CISA and HHS, which was not previously required at this level of specificity.
- Mandates updates to the existing Sector-Specific Risk Management Plan with new elements like rural asset focus, medical device vulnerability analysis, and workforce shortage assessments.
- Establishes a framework for identifying and prioritizing high-risk healthcare assets, building on but expanding CISA's critical infrastructure methodologies.
- Requires new reports and briefings to Congress on cybersecurity support and resources, enhancing oversight without altering core laws like the Homeland Security Act.
Potential Impacts
- Government Agencies: Increases workload for CISA and HHS through coordination, liaison duties, plan updates, and reporting, potentially improving inter-agency efficiency but straining resources without new funding. Could lead to better allocation of existing tools like CISA's Cyber Security Advisors.
- Citizens: Enhances protection of patient health data and care delivery by reducing cyber risks, potentially lowering breach-related costs and improving access to timely healthcare, especially in rural or small facilities.
- International Relations: Minimal direct impact, though stronger U.S. healthcare cybersecurity could indirectly bolster national resilience against global cyber threats from foreign actors.
Main Stakeholders Affected
- Healthcare Providers and Operators: Owners of hospitals, clinics, medical devices, and health records (including rural and small/medium-sized entities) benefit from training, resources, and prioritized support but face new notifications and potential risk designations.
- Federal Agencies: CISA (leads coordination and resource sharing) and HHS (oversees plan updates and high-risk identifications) are directly involved; Congress receives reports for oversight.
- Patients and the Public: Indirectly affected through safer health systems and reduced breach risks.
- Sector Groups: Information Sharing and Analysis Organizations and coordinating councils gain access to tailored cyber threat info and CISA resources.
Notable Legal, Constitutional, or Political Implications
- Legal: Aligns with existing frameworks like the Homeland Security Act and Critical Infrastructures Protection Act without expanding authorities, ensuring actions stay within current legal bounds. Emphasizes voluntary coordination and resource sharing to avoid mandates on private entities.
- Constitutional: Explicitly safeguards rights, prohibiting any interpretation that allows censorship of protected speech or unauthorized surveillance, reinforcing privacy protections under the Constitution.
- Political: Bipartisan introduction (by Reps. Crow and Fitzpatrick) signals broad support for cybersecurity in a critical sector; no new funding requirement may limit implementation scope but avoids budget debates. Enhances congressional oversight via reports and briefings, potentially influencing future appropriations or legislation on healthcare cyber threats.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (2)
Rep. Fitzpatrick, Brian K. [R-PA-1], Rep. Nunn, Zachary [R-IA-3]
Recent Actions
- 2025-06-10: Referred to the Subcommittee on Cybersecurity and Infrastructure Protection.
- 2025-06-09: Referred to the Committee on Homeland Security, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-06-09: Referred to the Committee on Homeland Security, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
- 2025-06-09: Introduced in House
- 2025-06-09: Introduced in House
Bill Versions
- Healthcare Cybersecurity Act of 2025 — issued 2025-06-09 — PDF (12 pages)