
Lawmakers advance Health Care Cybersecurity and Resilience Act 2025


A bipartisan group of senators reintroduced the Health Care Cybersecurity and Resilience Act of 2025, led by Senator Bill Cassidy (R-LA) with co-sponsors Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX), after a year of escalating ransomware attacks on hospitals and insurers.


What happened 

Lawmakers framed the bill as a direct response to large-scale incidents in 2023–2024 that disrupted patient care and exposed millions of records, arguing that federal agencies' cyber roles in the sector were too fragmented. The bill's release marked a turning point because it formally directed HHS and CISA to enter a cooperative agreement and required HHS to produce a sector-wide cybersecurity incident response plan within one year of enactment. 

It also expanded breach-reporting transparency under HITECH and pushed minimum security standards, such as encryption and multifactor authentication (MFA), for systems holding protected health information (PHI). Senators emphasized that rural and under-resourced providers lacked the means to keep pace with rising cyber threats, so the bill authorized grants and workforce development programs to modernize technology and support frontline health-care entities.


The main provisions 

  • HHS and CISA must form a formal cooperative agreement to coordinate cybersecurity support for the health-care sector.
  • HHS must create a full cybersecurity incident response plan within one year.
  • Covered health-care entities must adopt baseline security measures, including multifactor authentication and encryption.
  • Organizations must conduct regular cybersecurity audits and penetration testing.
  • Breach-notification rules expand to require public reporting of the number of affected individuals, corrective actions taken, and whether recognized security practices were in place.
  • HHS may award grants to hospitals, clinics, and other providers to improve cybersecurity, especially rural and under-resourced facilities.
  • The Act supports cybersecurity workforce development through training programs and public-private partnerships.

What was said 

According to Sen. Warner in the press release, “Cyberattacks on our health care organizations threaten the sensitive information of millions of Americans and can have life-or-death consequences on the care patients receive. I’m glad to join my colleagues in introducing this bill to strengthen our cybersecurity, protect patients, and provide additional tools for rural health care providers in Virginia.”


Why it matters 

The Health Care Cybersecurity and Resilience Act of 2025 aligns with a growing legislative trend aimed at strengthening the health-care sector's resilience against escalating cyber threats, building on earlier efforts such as the Healthcare Cybersecurity Act of 2025 (H.R. 3841 & S. 1851) and the Health Care Cybersecurity and Resiliency Act of 2024.

The 2025 House and Senate companion bills strengthened HHS-CISA collaboration through expanded threat sharing, incident-response coordination, training programs, and sector-specific risk assessments that account for vulnerabilities in rural infrastructure, medical devices, and patient-data systems. 

The 2024 precursor contained nearly identical provisions: incident-response planning, breach-reporting portals, rural cybersecurity guidance, and grant support, making it the direct developmental foundation for the 2025 version. The new Act continues this legislative trajectory by converting these repeated policy themes into more formal, enforceable expectations for health-care organizations.



FAQs

What is considered critical infrastructure?

CISA designates sixteen sectors, including health care and public health, energy, communications, financial services, food and agriculture, transportation, and government facilities, as critical infrastructure whose disruption would harm national security, the economy, or public health and safety.


What are recognized security practices under federal law?

Under the 2021 amendment to HITECH, HHS must consider whether a regulated entity had "recognized security practices" in place for the previous 12 months when it determines penalties, audit scope, or settlement terms after a breach. Examples include the NIST Cybersecurity Framework (CSF), the Health Industry Cybersecurity Practices developed under section 405(d) of the Cybersecurity Act of 2015, and other documented programs such as the CIS Controls. Demonstrating these practices does not create a safe harbor, but it can reduce penalties after a cyber incident.


What is ransomware?

Ransomware is malware that encrypts a victim's files or systems and demands payment, usually in cryptocurrency, for the decryption key. Many operators also steal data before encrypting it and threaten to publish the data if the ransom is not paid, which is why a ransomware incident at a health-care entity is often also a reportable PHI breach.