Codify — Article

Healthcare Cybersecurity Act of 2025

Creates cross‑agency coordination between CISA and HHS to strengthen cybersecurity in the Healthcare and Public Health Sector, with a sector risk plan, training, and asset-risk designations.

The Brief

The bill would codify a formal partnership between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to bolster cybersecurity across the Healthcare and Public Health Sector. It would establish a sector-specific Risk Management Plan, appoint a dedicated Agency liaison to the Department, and require training for owners and operators of covered assets.

It also creates a process to identify and periodically update a list of high‑risk covered assets and requires reporting on sector support and federal resources. The act emphasizes a risk‑based approach that considers rural and small to mid‑size providers and includes rules to protect rights and avoid unfunded mandates, with no new funds authorized.

At a Glance

What It Does

It requires CISA and HHS to coordinate on cybersecurity for the Healthcare and Public Health Sector, appoint a liaison, maintain a sector-specific Risk Management Plan, and train asset owners. It also creates a high‑risk asset designation process and a reporting regime.

Who It Affects

Hospitals, health systems, clinics, rural and small/medium providers, ISACs/ISAOs serving the sector, and state/federal coordinators involved in sector security.

Why It Matters

The bill formalizes sector-wide risk management, aimed at reducing breaches, protecting patient data, and ensuring continuity of care amid rising cyber threats.


What This Bill Actually Does

The Healthcare Cybersecurity Act of 2025 sets up a formal, structured collaboration between CISA and HHS to shore up cybersecurity for the Healthcare and Public Health Sector. It begins by defining key actors and terms, so the responsible agencies know exactly who does what.

A central feature is the Sector-Specific Risk Management Plan, which must be updated within a year and, in its update, explicitly analyzes how cyber risks affect covered assets, including devices, EHRs, and patient data, with special attention to rural and smaller providers. The Plan also looks at best practices and resource deployment to help entities defend against breaches before, during, and after incidents, and it considers workforce shortages in the sector and how to address them.

A dedicated liaison—an experienced CISA or Department detailee—will coordinate cybersecurity issues between the Agency and HHS, facilitate threat information sharing, assist in implementing the training program, and help coordinate responses during sector incidents. The bill also authorizes a process to identify high‑risk assets, establish a list of those assets, and biannually update it, with Congress and asset owners notified when the list is created or revised.

This mechanism enables the government to prioritize scarce cybersecurity resources toward the facilities and systems that pose the greatest risk to patient care and data security. Training provisions require CISA to provide education to owners and operators of covered assets on cybersecurity risks and mitigation methods, supporting the field workforce with practical guidance.

Finally, the Act requires reports to Congress on the scope of Agency support for the sector and on available Federal resources for critical infrastructure in healthcare, while reiterating that no new funds are authorized and that rights and civil liberties remain protected.

The Five Things You Need to Know

1. The Plan must be updated within 1 year after enactment to analyze risks to covered assets, including rural and SME assets, and to evaluate vulnerabilities in medical devices and EHRs.

2. The Act creates a list of high‑risk covered assets using Director‑promulgated criteria, with biannual updates and mandatory notices to owners and Congress.

3. A dedicated Agency liaison will coordinate cybersecurity issues between CISA and HHS, including information sharing and incident coordination.

4. The Agency must provide sector‑wide training to owners and operators of covered assets on cybersecurity risks and mitigation strategies.

5. Congressional and GAO‑level reporting is required within tight timelines (120 days for the initial performance briefing; 18 months for the federal resource assessment).

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 2

Definitions

This section defines key actors (Agency as CISA, Department as HHS, Director of the Agency), terms (covered asset, Healthcare and Public Health Sector, Plan, Information Sharing and Analysis Organizations), and the scope of the sector. The definitions establish the baseline for who is covered, how information is shared, and what constitutes risk management for purposes of the Act.

Section 3

Findings

The findings frame the rationale for the Act: healthcare assets are increasingly targeted, breaches drive higher costs and can affect patient health, and the sector faces significant incident and data breach risk. These findings justify a coordinated, sector‑specific risk management approach.

Section 4

Agency Coordination with the Department

This provision mandates coordination between CISA and HHS, including an appointed liaison with cybersecurity qualifications who reports to the Director. The liaison’s duties cover coordination, plan implementation, threat‑information sharing, training support, incident coordination, and other duties as needed. A report within 18 months assesses coordination effectiveness, challenges, and feasibility of a cross‑agency agreement for public‑sector healthcare cybersecurity.

Section 5

Training for Healthcare Owners and Operators

The Agency must provide training to owners and operators of covered assets about cybersecurity risks and mitigation strategies. The goal is to raise practical awareness and capability across the sector so entities can better defend, detect, and respond to threats.

Section 6

Sector‑Specific Risk Management Plan

Within 1 year of enactment, the Plan must analyze how cybersecurity risks affect covered assets, including rural and SME providers, evaluate securing information systems and medical devices/EHRs, outline risk‑based protocols, and assess the impact of breaches on patient care. It also requires evaluating workforce shortages and identifying best practices for deploying Agency resources to sector entities before, during, and after incidents.

Section 7

Identifying High‑Risk Covered Assets

The Secretary may establish objective criteria for designating high‑risk assets, aligned with the Director’s critical infrastructure methods. The Department may also develop and biannually update a list of high‑risk assets, notifying owners and Congress of additions or removals, and may use the list to prioritize resource allocation.

Section 8

Reports

The Agency must report within 120 days on organization‑wide support and activities for proactive cybersecurity preparation and incident response. Not later than 18 months after enactment, the Comptroller General must report on Federal resources available to the Healthcare and Public Health Sector, including collaboration with the Director and Secretary.

Section 9

Rules of Construction

This section clarifies that nothing in the Act authorizes actions beyond what is expressly permitted or existing law, preserves constitutional rights (including privacy and freedom of expression), and specifies that no new funds are appropriated to carry out the Act.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Hospitals and health systems with covered assets gain clearer guidance, prioritized attention for high‑risk assets, and access to sector resources that improve cyber resilience.
  • Rural and small‑ to medium‑sized healthcare providers receive risk assessments, targeted training, and more practical support to defend their networks and patient data.
  • Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), and other sector‑specific information sharing bodies benefit from clearer coordination channels and access to threat indicators that improve sector‑wide defense.
  • Cybersecurity State Coordinators and Agency Cybersecurity Advisors gain formal roles and resources to coordinate sector security efforts and training.

Who Bears the Cost

  • Covered asset owners and operators (hospitals, clinics, health systems) incur costs to implement plan recommendations, adopt new controls, and complete required training.
  • Rural and small/medium providers face financial and operational burdens in meeting enhanced cybersecurity obligations.
  • Medical device manufacturers may encounter additional risk assessments or device‑level scrutiny as part of risk management and device vulnerability considerations.
  • Non‑federal sector organizations that participate in information sharing (e.g., ISACs/ISAOs) may bear ongoing coordination and participation costs.

Key Issues

The Core Tension

The central dilemma is balancing a robust, risk‑based cybersecurity regime for a critical sector with the reality of limited new funding and the uneven capabilities of rural and smaller providers.

The bill emphasizes collaboration and resilience but does not authorize new funding for implementation, requiring agencies and sector participants to operate within existing budgets. That constraint could affect the pace and scope of risk‑management efforts, training, and asset designation.

The focus on high‑risk assets and information sharing also raises questions about data governance, privacy, and the potential for misclassification or uneven burden across facilities of different sizes. The interplay between sector coordination and civil liberties is acknowledged in the Rules of Construction, but practical questions about funding and enforcement mechanisms remain to be tested in implementation.
