Sponsors (3)
The bill strengthens federal coordination, prioritization, and support for healthcare cybersecurity—improving defenses, threat intelligence, and oversight—while imposing compliance costs, privacy/liability risks, and potential limits on agency flexibility and funding that could strain smaller providers and administrative resources.
Hospitals, health systems, and state/local partners get clearer federal roles, a single agency liaison, and defined sector plans and reporting that improve coordination, oversight, and transparency of federal cybersecurity support.
Hospitals and health systems are explicitly prioritized as high-risk, with a sector-specific risk management plan and biannual reviews to focus federal resources and keep protections current.
Healthcare entities will receive coordinated, sector-specific cyber threat intelligence and information-sharing products to improve incident awareness and defensive actions.
Hospitals and health systems — especially small, rural, and under-resourced providers — face new compliance, staffing, training, and implementation costs to meet definitions, plans, and prioritized obligations.
Narrow statutory definitions and the Act's statement that no new funds are authorized could limit agency flexibility and constrain program effectiveness unless Congress provides additional appropriations.
Expanded information sharing and collection of detailed vulnerability/operational data raise privacy, liability, and patient-data concerns for providers sharing sensitive information.
Based on analysis of 9 sections of legislative text.
Directs CISA and HHS to coordinate on healthcare cybersecurity: appoint a liaison, provide training, update the sector risk plan, designate high‑risk assets, and report to Congress.
Introduced June 9, 2025 by Jason Crow · Last progress June 9, 2025
Requires the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to coordinate to strengthen cybersecurity for the Healthcare and Public Health Sector. It directs an agency liaison to work with HHS, requires sector-specific training and an updated risk management plan, allows HHS to identify and publish high‑risk healthcare assets, and requires several reports and briefings to Congress, all with specific deadlines. The law explicitly does not authorize new appropriations or expand agency authorities beyond existing law.