Introduced June 9, 2025 by Jason Crow · Last progress June 9, 2025
The bill strengthens federal coordination, planning, and transparency to improve healthcare cybersecurity and resilience, but relies largely on non-mandatory measures without dedicated funding, shifting costs and implementation burdens onto providers (especially small/rural facilities) and creating governance, privacy, and administrative trade-offs.
Hospitals and health systems will receive clearer federal coordination, a designated cybersecurity liaison, and prioritized federal resources, improving preparedness and incident response for the health sector.
Owners/operators and healthcare organizations will gain improved threat information sharing, asset notifications, and biannual review processes, enabling faster detection/response and reducing disruptive incidents like ransomware.
Small, rural, and medium facilities will get sector-specific plans and tailored recommendations (including workforce recruitment/training guidance) that can strengthen local resilience and response capacity.
Hospitals, health systems, and vendors could face substantial new compliance costs and administrative burdens from broader statutory definitions, designated asset listings, and training and implementation expectations.
Many requirements (training, plans, liaison/reporting) lack dedicated funding, deadlines, or enforceable authorities, so benefits may be uneven, largely symbolic, or shifted onto providers—especially small and rural facilities.
Without funding or enforceable standards, planning and training efforts may not meaningfully reduce patient risk; gaps in implementation could leave EHRs, medical devices, and care delivery vulnerable to breaches.
Based on analysis of 9 sections of legislative text.
Directs CISA and HHS to coordinate on healthcare cybersecurity: appoint a liaison, deliver training, update the sector risk plan, create a high-risk asset list, and report to Congress; no new funds authorized.
Requires CISA and the Department of Health and Human Services (HHS) to work together to strengthen cybersecurity across the Healthcare and Public Health Sector. It directs CISA to place a cybersecurity liaison at HHS, provide training to owners and operators of healthcare assets, update the sector-specific risk management plan, create objective criteria and a list for "high-risk covered assets," and deliver multiple reports and briefings to Congress — while clarifying that no new funds are authorized and existing legal limits and constitutional protections remain in effect. Sets clear deadlines for certain deliverables (120 days, 1 year, 18 months, and biannual reviews) and emphasizes attention to small, rural, and resource-limited healthcare providers, workforce shortages, and information sharing with sector stakeholders and ISACs/ISAOs.