The bill boosts federal support, coordination, and targeted resources to make healthcare organizations more cyber‑resilient—improving patient safety and privacy—but does so in ways that create compliance costs, administrative burdens, information‑sensitivity risks, and potential limits on flexible implementation unless funding, safeguards, and careful handling are addressed.
Hospitals, clinics, and other healthcare providers will get clearer federal/state roles, a designated liaison, tailored threat indicators, a sector risk-management plan, prioritized resources, and training, improving cybersecurity preparedness and operational resilience against attacks that disrupt patient care.
Patients (including people with chronic conditions) will face lower risk of data breaches and service disruptions because stronger cybersecurity focus reduces successful attacks and preserves continuity of care and privacy.
State cybersecurity coordinators, Information Sharing and Analysis Organizations (ISAOs), and health-sector owners/operators gain a statutory reference and clearer information-sharing channels, improving cross-jurisdictional coordination and incident response.
Hospitals and clinics (especially small and rural providers) and taxpayers may face significant new costs for compliance, upgrades, training, and recommended cybersecurity controls, straining limited provider budgets and potentially diverting funds from care.
Providers and federal/state agencies could face substantial new administrative and reporting burdens (more oversight, notifications, and coordination tasks), consuming staff time and resources that might otherwise be used for direct cyber defense or care delivery.
Publishing inventories, high‑risk asset lists, or sharing detailed threat information risks exposing sensitive infrastructure or capability gaps that adversaries could exploit, and sharing with non‑federal entities raises privacy/confidentiality concerns.
Based on analysis of 9 sections of legislative text.
Requires CISA and HHS coordination on healthcare cybersecurity, creates a CISA liaison at HHS, mandates training and a risk plan update, allows HHS to list high‑risk assets, and requires several reports.
Introduced May 21, 2025 by Jacklyn Sheryl Rosen · Last progress May 21, 2025
Requires coordinated action by the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to strengthen cybersecurity across the Healthcare and Public Health Sector. Creates a dedicated CISA liaison to HHS, mandates sector-specific training and an updated risk management plan, authorizes HHS to designate high‑risk healthcare assets for prioritization, and requires several reports to Congress on sector support and federal resources. The Act clarifies it does not expand existing authorities, does not permit violations of constitutional rights, and does not authorize additional appropriations.