CISA 2015 expiration could leave healthcare facilities exposed
Gugu Ntsele Sep 2, 2025 6:35:46 PM

The Cybersecurity Information Sharing Act of 2015 expires on September 30, 2025, potentially removing legal protections that enable healthcare facilities to share cyber threat data with the federal government.
What happened
The Cybersecurity Information Sharing Act (CISA) of 2015 is set to expire on September 30, 2025, according to Congress.gov. The law currently enables hospitals and other critical infrastructure operators to share cyber threat data with the federal government under liability and privacy protections; if it is not renewed, healthcare facilities lose the legal protections that make that sharing safer. The healthcare sector reported more cyber incidents in the past year than any other critical infrastructure industry: 444 reported incidents, including 238 ransomware and 206 data breach events, according to the FBI's 2024 Internet Crime Report. Palomar Health Medical Group suffered a cyberattack in May 2024 that knocked its systems out until July 2024, resulting in unauthorized access to certain files and roughly two months of downtime.
Going deeper
Without CISA 2015's legal protections, healthcare organizations may become hesitant to share threat data, which would disrupt existing information-sharing relationships and slow the exchange of threat indicators critical for defending against cyberattacks. The healthcare sector is especially exposed on two fronts: many facilities lack the internal resources and expertise to fend off sophisticated attacks on their own, and a loss of coordinated defense hits harder in a sector where cyberattacks cascade into patient care, safety and business operations.
What was said
"If CISA 2015 is not reauthorized, it would be a step back for our nation's cybersecurity posture," says Errol Weiss, chief security officer at Health-ISAC. "The expiration jeopardizes the legal protections that have enabled public-private partnership collaboration for the past 10 years."
Weiss explains that without those protections, organizations could become hesitant to share crucial threat data, disrupting existing information-sharing relationships and slowing down threat indicator exchange.
"The expiration of CISA 2015 would disproportionately impact the healthcare sector, which is a prime target for cybercriminals," he says.
In the know
The Cybersecurity Information Sharing Act of 2015 provides liability and privacy protections that encourage critical infrastructure organizations to share cyber threat information with the federal government. This information sharing enables coordinated defense strategies and helps organizations prepare for and respond to cyberattacks more effectively. Healthcare facilities often rely on shared intelligence and coordinated support from information sharing organizations and government partners such as the Cybersecurity and Infrastructure Security Agency (the federal agency that shares the CISA abbreviation but is distinct from the 2015 act) and HHS, because their own cybersecurity resources are limited.
Why it matters
Healthcare facilities' ability to defend against cyberattacks depends heavily on coordinated information sharing, which CISA 2015's legal protections currently enable. The law's expiration threatens to break down these critical defense networks at a time when healthcare is the most targeted critical infrastructure sector. Healthcare organizations often lack the internal cybersecurity expertise to defend against attacks independently, making shared threat intelligence and coordinated responses essential for patient safety and operational continuity. The potential loss of legal protections could result in slower recovery times and greater harm following breaches, including delayed patient treatments and loss of medical records.
The bottom line
Healthcare facilities must prepare for CISA 2015's potential expiration by strengthening internal defenses through regular system audits, staff training, and continued participation in trusted information-sharing networks. Organizations should invest in cybersecurity resilience now to maintain operational continuity and protect patient care, even if coordinated federal support becomes limited.
FAQs
Why was the Cybersecurity Information Sharing Act (CISA) originally created in 2015?
CISA was introduced to encourage safer public-private cyber threat data sharing under liability and privacy protections.
What specific legal protections does CISA provide to healthcare organizations?
The law shields organizations from certain liabilities when sharing cyber threat information with the government.
How do other critical infrastructure sectors besides healthcare benefit from CISA?
Sectors like energy, transportation, and finance also rely on CISA protections to share cyber threat intelligence securely.
What role do federal agencies such as CISA and HHS play in supporting healthcare cybersecurity?
These agencies coordinate shared threat intelligence, provide guidance, and help respond to large-scale cyberattacks.