Sponsors (3)
Referred to the Committee on Homeland Security, and in addition to the Committee on Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Requires CISA and HHS to strengthen cybersecurity for the Healthcare and Public Health Sector by designating a liaison, updating the sector-specific cybersecurity plan, offering training to owners/operators of covered assets, creating objective criteria and a list for high‑risk covered assets, and delivering multiple reports to Congress. The law emphasizes coordination, threat information sharing, and workforce assessment but does not appropriate new funds or expand agency legal authorities beyond existing law.
The term "Agency" means the Cybersecurity and Infrastructure Security Agency.
The term "covered asset" means a Healthcare and Public Health Sector asset, including technologies, services, and utilities.
The term "Cybersecurity State Coordinator" means a Cybersecurity State Coordinator appointed under section 2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 665c(a)).
The term "Department" means the Department of Health and Human Services.
The term "Director" means the Director of the Agency.
Primary effects fall on owners and operators of covered healthcare assets (hospitals, clinics, provider organizations, labs, and similar entities) and the healthcare workforce. These groups will gain federal training resources, clearer guidance, coordinated threat information, and potentially prioritized technical assistance if designated as high‑risk. Federal agencies (CISA and HHS) will take on coordination functions, prepare required reports, and maintain a liaison role, increasing interagency activity but without new appropriations. Patients and the public could see improved cyber resilience and reduced risk of data breaches and care disruptions over time. Small, rural, and medium-sized providers may benefit from the law’s focus on their specific risks, but because the Act does not provide new funding, some providers may face challenges adopting recommended measures without additional resources. The law avoids expanding surveillance or other authorities and explicitly cannot be used to authorize unconstitutional actions.
Last progress June 9, 2025 (8 months ago)
Introduced on June 9, 2025 by Jason Crow
Updated 1 day ago
Last progress May 21, 2025 (8 months ago)