New legislation introduced in both chambers of Congress seeks to improve federal coordination and response to cyberattacks targeting the healthcare sector.
Lawmakers have introduced a bipartisan pair of bills in the House and Senate directed at bolstering cybersecurity within the healthcare and public health (HPH) sector. The Healthcare Cybersecurity Act of 2025 would mandate closer coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS), following years of escalating healthcare data breaches and cyber incidents.
The House version was introduced by Rep. Jason Crow (D-CO) and Rep. Brian Fitzpatrick (R-PA), while Senators Jacky Rosen (D-NV) and Todd Young (R-IN) sponsored the companion Senate bill. If passed, the bill would establish a federal liaison between CISA and HHS, authorize cybersecurity training for healthcare-related personnel, and require a joint study to assess the sector’s vulnerabilities.
The proposal comes amid a sharp rise in healthcare cyber incidents. In each of the past four years, more than 700 data breaches, each affecting at least 500 individuals, were reported to the HHS Office for Civil Rights. The total number of individuals affected reached 172 million in 2023 and soared to 278 million in 2024.
The Change Healthcare ransomware attack in 2024 served as a backdrop to the bill. The attack compromised data from an estimated 190 million individuals, severely disrupted healthcare revenue cycles, and affected patient care nationwide. Leaked records from the breach appeared on the dark web, raising concerns about systemic vulnerabilities in the sector’s digital infrastructure.
Rep. Crow stated the urgency of strengthening federal cybersecurity partnerships: “We must do more to protect Americans’ sensitive data.” Rep. Fitzpatrick echoed this sentiment, calling the bill a strategic effort to empower CISA and HHS with real-time threat sharing and more robust incident response coordination. “We’re not just responding to attacks—we’re building the infrastructure to prevent them,” he said.
The proposed legislation signals bipartisan agreement that healthcare systems require stronger cybersecurity protections comparable to other critical sectors. The bill promotes a shift toward proactive risk management, with a greater role for federal coordination. Its long-term impact will likely depend on consistent funding, interagency cooperation, and the healthcare sector’s capacity to apply common standards across both public and private systems.
The HPH sector includes hospitals, health systems, public health agencies, health IT providers, and supporting organizations critical to patient care and public health infrastructure.
The bill calls for cybersecurity awareness and threat-response training for personnel in healthcare settings who manage or interact with IT systems, particularly those involved in patient data management.
CISA is responsible for protecting U.S. infrastructure, including healthcare, from cyber threats. It provides threat intelligence, support, and incident coordination during major attacks.
Yes. Rep. Crow previously introduced versions of this bill in the 117th and 118th Congresses, but those versions did not advance to law.
Yes. While the bill focuses on federal coordination, many of its provisions, such as training and risk studies, are expected to support both public and private healthcare organizations.