Healthcare Cybersecurity Act of 2025
Last progress June 9, 2025 (6 months ago)
Introduced on June 9, 2025 by Jason Crow
House Votes
Referred to the Committee on Homeland Security, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
AI Summary
This bill aims to better protect hospitals, clinics, and other health services from cyberattacks. It makes the cybersecurity agency (CISA) and the health department (HHS) work together more closely by placing a dedicated cybersecurity liaison at HHS to coordinate, share threat information, support training, and help during incidents. CISA must offer training for healthcare owners and operators on cyber risks and how to reduce them. HHS, working with CISA, must update a risk management plan within one year. The update must look at how cyber risks affect all types of facilities—especially rural and small or mid-sized ones—cover challenges with IT systems, medical devices, patient records, incident response, and workforce shortages, and lay out better ways to get tools and guidance to providers quickly.
The bill also lets HHS identify “high‑risk” healthcare assets using clear criteria, keep and update a list twice a year, and use it to steer help where it’s needed most. It requires quick reports to Congress on current support for the sector (within 120 days) and a review of available federal resources (within 18 months). The liaison’s coordination work must also be reported after 18 months. It does not create new powers beyond existing law, protects individual rights (including free speech and against unauthorized surveillance), and does not authorize new funding.
- Who is affected: Hospitals, clinics, public health agencies, and other healthcare providers; HHS and CISA; with special attention to rural and small/medium facilities.
- What changes: Closer HHS–CISA coordination with a liaison; free training; an updated risk plan; a “high‑risk” asset list to target help; required reports on progress and resources.
- When: Plan update due in 1 year; one report due in 120 days; other reports due in 18 months; high‑risk list reviewed every 6 months.