A bipartisan group of senators reintroduced the Health Care Cybersecurity and Resilience Act of 2025, led by Senator Bill Cassidy (R-LA), with co-sponsors Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX), after a year of escalating ransomware attacks across hospitals and insurers.
Lawmakers framed the bill as a direct response to large-scale incidents in 2023–2024 that disrupted patient care and exposed millions of records, arguing that federal agencies were too fragmented in their cyber roles. The bill’s release marked a turning point because it formally instructed HHS and CISA to enter a cooperative agreement and required HHS to build a sector-wide cybersecurity incident response plan within one year of enactment.
It also expanded breach-reporting transparency under HITECH and pushed minimum security standards like encryption and MFA across systems holding PHI. Senators emphasized that rural and under-resourced providers lacked the means to comply with rising cyber threats, so the bill authorized grants and workforce development programs to modernize technology and support frontline health-care entities.
According to Sen. Warner in the press release, “Cyberattacks on our health care organizations threaten the sensitive information of millions of Americans and can have life-or-death consequences on the care patients receive. I’m glad to join my colleagues in introducing this bill to strengthen our cybersecurity, protect patients, and provide additional tools for rural health care providers in Virginia.”
The Health Care Cybersecurity and Resilience Act of 2025 aligns with a growing legislative trend aimed at strengthening the healthcare sector's resilience against escalating cyber threats by building on earlier efforts, such as the Healthcare Cybersecurity Act of 2025 (H.R. 3841 & S. 1851) and the Health Care Cybersecurity and Resiliency Act of 2024.
The 2025 House and Senate bills (H.R. 3841 and S. 1851) strengthened HHS-CISA collaboration through expanded threat sharing, incident-response coordination, training programs, and sector-specific risk assessments that account for vulnerabilities in rural infrastructure, medical devices, and patient-data systems.
The 2024 precursor contained nearly identical provisions: incident-response planning, breach-reporting portals, rural cybersecurity guidance, and grant support, making it the direct developmental foundation for the 2025 version. The new Act continues this legislative trajectory by converting these repeated policy themes into more formal, enforceable expectations for health-care organizations.
Sixteen sectors, including health care, energy, communications, financial services, food and agriculture, transportation, and government facilities, are designated by the federal government as critical infrastructure, meaning their disruption would harm national security, public health, or public safety.
HHS recognizes industry standards such as the NIST Cybersecurity Framework (CSF), the CIS Controls, and other documented cybersecurity programs that an organization has had in place for at least the previous 12 months. Demonstrating these "recognized security practices" can reduce penalties after a cyber incident.
Ransomware encrypts a victim's systems and demands payment to restore access; many current operations also exfiltrate data before encrypting it and threaten to publish it if the victim does not pay, which is why a ransomware incident is usually also a reportable breach.