Healthcare Cybersecurity Act of 2025

This bill aims to protect hospitals, clinics, and other health services from cyberattacks. It tells federal health and cybersecurity agencies to work together, set up a point person to coordinate during incidents, and share threat information and tools with the health sector . It requires free training for healthcare owners and operators on common risks and how to reduce them . The plan for managing cyber risks in healthcare must be updated within one year, including how attacks affect small, rural, and medium-sized providers; weaknesses in medical devices and records systems; best ways to use federal help before, during, and after an attack; workforce shortages; and faster ways to get guidance to providers . The bill responds to sharp increases in healthcare data breaches in recent years and the risks they pose to patient care and costs .

The Health Department may set clear rules to label certain hospitals or systems as “high risk,” keep a list that’s updated twice a year, and use it to target help where it’s needed most . Early reports are required on what support is being provided to the health sector, and other reviews will map what federal resources are available, all without creating new funding or new powers beyond current law, and while protecting constitutional rights .

• Who is affected: Hospitals, clinics, public health systems, their IT and security teams; federal health and cybersecurity agencies .
• What changes: Better agency coordination, a dedicated liaison, free cybersecurity training, an updated risk plan, a list to identify high‑risk sites, and regular reports on support and resources .
• When: Training and coordination begin upon enactment; the updated sector risk plan is due within 1 year; an initial support report is due within 120 days; other reports follow within 18 months; the high‑risk list can be reviewed twice a year .