Healthcare Cybersecurity Act of 2025
- Bill Number
- S. 1851
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 1
- Policy Area
- Health
- Status
- Introduced
- Latest Action
- 2025-05-21: Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
- Last Updated
- 2025-12-05T21:59:10Z
AI-Generated Summary
Purpose
The Healthcare Cybersecurity Act of 2025 aims to strengthen cybersecurity protections for the Healthcare and Public Health Sector, a critical part of U.S. infrastructure. It focuses on reducing cyber threats to healthcare systems, data, and patient care by improving coordination between federal agencies, updating risk management strategies, and providing resources to sector participants.
Key Provisions
- Definitions (Section 2): Establishes terms such as "Agency" (referring to the Cybersecurity and Infrastructure Security Agency, or CISA), "covered asset" (healthcare technologies, services, and utilities), "Department" (Department of Health and Human Services, or HHS), and "Plan" (the Healthcare and Public Health Sector-specific Risk Management Plan).
- Findings (Section 3): Recognizes the growing threat of cyberattacks on healthcare, noting a 93% rise in large breaches from 2018 to 2022 and a 107% increase in breaches of unprotected health information since 2018, affecting millions of individuals.
- Agency Coordination with HHS (Section 4): Requires CISA to work with HHS to boost sector cybersecurity. Key elements include:
- Appointing a qualified CISA liaison to HHS to handle coordination, threat sharing, training support, incident response, and plan updates.
- Requiring a report to Congress within 18 months on coordination activities, liaison effectiveness, and feasibility of public-sector cybersecurity agreements.
- Directing CISA to share resources and cyber threat information with sector groups like Information Sharing and Analysis Organizations (groups that exchange cybersecurity data).
- Training for Healthcare Owners and Operators (Section 5): Mandates CISA to offer training on cybersecurity risks to the sector and mitigation strategies for information systems.
- Sector-Specific Risk Management Plan Update (Section 6): Requires HHS, with CISA input, to update the existing Plan within one year. The updated Plan must cover:
- Analysis of cyber risks' impacts, especially on rural and small- to medium-sized assets.
- Challenges in securing systems, medical devices, patient data, and responding to breaches (including effects on care access and outcomes).
- Best practices for using CISA resources like advisors during incidents.
- Workforce shortages in cybersecurity and recommendations to address them, focusing on rural areas.
- Effective communication of cybersecurity tools to sector operators.
- A congressional briefing within 120 days on the update process.
- Identifying High-Risk Covered Assets (Section 7): Allows HHS, with CISA and sector input, to set criteria for designating high-risk assets based on existing critical infrastructure methodologies. HHS may create and biannually update a list of such assets, notify owners/operators, inform Congress, and use the list to prioritize resources for cyber resilience.
- Reports (Section 8):
- CISA must report to Congress within 120 days on its support for the sector in preparing for and responding to cyber threats.
- The U.S. Government Accountability Office (Comptroller General) must report within 18 months on available federal critical infrastructure resources for the sector, including CISA-HHS collaborations.
- Rules of Construction (Section 9): Clarifies that the Act does not authorize actions beyond its scope or existing laws; it protects constitutional rights (e.g., no censorship or unauthorized surveillance); and no new funding is authorized, relying on current appropriations.
Significant Changes to Existing Law
This bill introduces new mandates building on laws like the Homeland Security Act of 2002 and the Critical Infrastructures Protection Act of 2001, without directly amending them. Key additions include:
- A dedicated CISA liaison to HHS for ongoing coordination.
- Requirements to update the Sector-Specific Risk Management Plan with specific analyses (e.g., on medical devices and workforce shortages).
- Mechanisms to identify and prioritize high-risk healthcare assets.
- Enhanced reporting and training obligations, emphasizing rural and smaller entities, which were not previously detailed in sector-specific cybersecurity frameworks.
Potential Impacts
- Government Agencies: Improves collaboration between CISA and HHS, potentially streamlining threat response and resource sharing. It may strain existing budgets due to no new funding, requiring agencies to reprioritize. Reports and briefings will increase congressional oversight.
- Citizens: Enhances protection of personal health data and reduces risks of breaches that could disrupt care, lower costs, and improve patient outcomes. Rural and underserved areas may benefit from targeted workforce and risk assessments.
- International Relations: No direct impacts mentioned, though stronger domestic cybersecurity could indirectly bolster U.S. resilience against global cyber threats.
Main Stakeholders Affected
- Federal Agencies: CISA (leads coordination and training) and HHS (oversees plan updates and high-risk designations).
- Healthcare Sector: Owners and operators of assets (e.g., hospitals, clinics, medical device makers), especially rural and small- to medium-sized entities; Information Sharing and Analysis Organizations and sector councils for threat collaboration.
- Congress: Receives briefings, reports, and notifications to monitor implementation.
- Patients and Public: Indirectly affected through safer health systems and data protection.
Notable Legal, Constitutional, or Political Implications
- Legal: Aligns with existing critical infrastructure protections but adds specificity to healthcare without expanding agency authority beyond current laws. The lack of new funding may limit enforceability if resources are insufficient.
- Constitutional: Explicitly safeguards rights, prohibiting actions like speech censorship or improper surveillance, ensuring compliance with the U.S. Constitution.
- Political: Promotes bipartisan focus on a non-partisan issue (cybersecurity in healthcare), with potential for broader infrastructure resilience debates. Emphasis on rural areas could appeal to regional interests, but reliance on existing funds may spark discussions on prioritization.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (3)
Sen. Young, Todd [R-IN], Sen. King, Angus S., Jr. [I-ME], Sen. Tillis, Thomas [R-NC]
Recent Actions
- 2025-05-21: Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
- 2025-05-21: Introduced in Senate
Bill Versions
- Healthcare Cybersecurity Act of 2025 — issued 2025-05-21 — PDF (12 pages)