Codify — Article

Healthcare Cybersecurity Act of 2025 mandates HHS–CISA coordination and risk planning

Designates a CISA liaison to HHS, requires an updated sector risk-management plan, training for operators, and a high‑risk asset list—without new appropriations.

The Brief

The Healthcare Cybersecurity Act of 2025 directs federal agencies to strengthen defenses across the Healthcare and Public Health (HPH) Sector by formalizing coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS). It focuses activity on sector risk planning, threat information sharing, and targeted support for owners and operators of healthcare assets.

Congressional attention is driven by rising attacks on health systems and the operational risks those attacks create for patient care. The bill is structured around updated planning documents, a designated federal liaison, capacity-building through training and resource sharing, and targeted reporting to Congress—while expressly not authorizing new funding.

At a Glance

What It Does

The bill requires CISA and HHS to coordinate on a Healthcare and Public Health Sector-specific Risk Management Plan, appoints a CISA liaison to HHS, directs CISA to provide training and resources to the sector, and allows HHS to identify and notify high-risk covered assets for prioritization.

Who It Affects

The measures affect HHS and CISA operations, hospital and health system leaders (especially rural and small- and medium-sized facilities), medical device and EHR vendors that support covered assets, and Information Sharing and Analysis Organizations (ISACs/ISAOs) serving the sector.

Why It Matters

By centralizing planning and formalizing a liaison role, the bill aims to shorten response times, make federal guidance more sector‑specific, and prioritize scarce federal cyber resources—while leaving substantive regulatory authority and funding unchanged.


What This Bill Actually Does

The bill creates a staffed conduit between CISA and HHS: the CISA Director, working with the HHS Secretary, must appoint an experienced cybersecurity employee or detailee to serve as a liaison embedded with HHS’s ASPR office. That liaison is the operational contact for joint threat sharing, coordinating deployment of CISA services such as Cybersecurity Advisors and State Coordinators, assisting with training, and supporting updates to the sector’s Risk Management Plan.

The statute also requires a joint report within 18 months describing liaison activities, obstacles encountered, and the feasibility of formal public-sector agreements.

HHS (in coordination with CISA) must update a Healthcare and Public Health Sector-specific Risk Management Plan within one year. The required update is outcome-focused: it must analyze how cyber risks affect covered assets (with an emphasis on rural and smaller providers), diagnose vulnerabilities in medical devices and records systems, assess response and continuity-of-care impacts, evaluate workforce shortfalls, and recommend ways for federal resources to be used before, during, and after incidents.

HHS must brief relevant congressional committees within 120 days on the plan update effort.

Separately, the Secretary may adopt objective criteria—aligned with CISA’s critical-infrastructure methodology—to identify high-risk covered assets, compile a list, notify asset owners, and update that list at least biannually. The statute makes that list usable for prioritizing federal assistance.

CISA also must make sector-specific training available to owners and operators on risks and mitigation options, and the agency is directed to extend resources and tailored products to ISACs, ISAOs, sector coordinating councils, and other non‑federal partners to improve situational awareness and defensive measures.

Congressional oversight hooks include (1) a near-term CISA report on the agency’s organization‑level support to the sector, due within 120 days, and (2) a Comptroller General study, due within 18 months, cataloging existing federal critical‑infrastructure resources available to the Healthcare and Public Health Sector.

The Act contains rules of construction clarifying that it does not create new authorities beyond existing law, does not authorize violations of constitutional rights, and does not appropriate additional funds, so agencies must carry out these duties using existing budgets and authorities.

The Five Things You Need to Know

1. The Director of CISA must appoint a cybersecurity liaison to HHS (detailee or Agency employee) who reports to the Director and coordinates threat sharing, training, and Plan implementation.

2. HHS, in coordination with CISA, must update the Healthcare and Public Health Sector Risk Management Plan within one year and include analyses of rural/small- and medium-sized asset impacts, medical device vulnerabilities, incident response effects on patient care, and workforce shortages.

3. CISA must make training available for owners and operators of covered assets on sector-specific cyber risks and mitigation strategies, and must share tailored products with ISACs/ISAOs and sector coordinating councils.

4. The Secretary may adopt objective criteria (aligned with CISA’s critical-infrastructure methodology) to designate high-risk covered assets, create and biannually update a list, notify owners/operators, and use the list to prioritize federal assistance.

5. Two required reports: CISA must report to Congress on its sector support within 120 days; the Government Accountability Office (Comptroller General) must report within 18 months on federal critical-infrastructure resources available to the sector. No new appropriations are authorized.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 2

Definitions and scope

This section defines key terms used throughout the bill—'Agency' means CISA; 'covered asset' covers HPH sector technologies, services, and utilities; and the 'Plan' is the sector-specific Risk Management Plan. Definitional choices matter because they set the perimeter of who and what the rest of the Act reaches (for example, the bill ties to the HPH sector as defined by NSM–22 rather than creating a new statutory sector list).

Section 4

CISA–HHS coordination and liaison

The Director of CISA must appoint a liaison (Agency employee or detailee) to HHS’s ASPR office with cybersecurity qualifications who reports directly to the Director. The liaison’s duties include primary contact work with HHS, supporting Plan implementation and updates, facilitating threat-information sharing, assisting with training rollout, and coordinating during incidents. The Secretary and Director must jointly report to multiple congressional committees within 18 months summarizing liaison activities, challenges, and a feasibility study for broader agreements—creating a performance and transparency checkpoint.

Section 5

Training for owners and operators

CISA is directed to make sector-specific cybersecurity training available to owners and operators of covered assets, focused on the threat landscape and mitigation techniques for information systems. The provision is permissive about delivery models but places responsibility on CISA to operationalize training access, which will primarily affect hospitals, clinics, and supporting IT vendors who must seek out and adopt the materials.

Section 6

Updated sector-specific Risk Management Plan

HHS, with CISA coordination, must update the Healthcare and Public Health Sector Plan within one year. The update must include impact analyses (with focus on rural and small/medium providers), assessments of securing systems and medical devices, incident response impacts on care delivery, evaluation of federal resource utilization (including CISA field assets), and a workforce gap analysis with recommendations. HHS must brief key congressional committees within 120 days on the update process—establishing both a short-term accountability step and a roadmap for operational recommendations.

Section 7

Identifying and notifying high‑risk covered assets

The Secretary may adopt objective criteria, aligned to CISA’s critical infrastructure methodology, to determine high-risk covered assets and may compile a list of such assets. HHS can notify owners/operators and update the list biannually; the list can be used to prioritize federal assistance. The statutory language leaves designation discretionary (the Secretary 'may'), so the power exists but is not mandatory, which affects predictability for sector partners.

Section 8

Agency and GAO reporting requirements

CISA must report to Congress within 120 days on the organization-wide support it provides to the HPH sector, and the Comptroller General must report within 18 months cataloging federal critical-infrastructure resources available to the sector. Those reports are intended to inventory capabilities, assess gaps, and inform prioritization decisions, but they are diagnostic rather than prescriptive—Congress still must act on any resource shortfalls identified.

Section 9

Rules of construction

The Act clarifies it does not expand statutory authority beyond existing law, does not permit violations of constitutional rights (including speech or unauthorized surveillance), and does not authorize additional appropriations. The no‑new‑funds clause is consequential: agencies must absorb new duties within current budgets unless Congress separately appropriates resources.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Rural and small-to-midsize healthcare providers — the Plan update requires analysis and recommendations specifically aimed at addressing the needs and vulnerabilities of smaller and rural covered assets, which could improve prioritization of federal assistance and guidance for these resource-constrained entities.
  • Public health agencies and ISACs/ISAOs — the bill formalizes information-sharing pathways and directs CISA to tailor products and share threat indicators, improving situational awareness and collaboration across federal and non‑federal partners.
  • Patients and care recipients — by prioritizing continuity-of-care considerations in incident response planning and focusing on reducing operational disruptions, the statute targets downstream harms such as delayed care or degraded clinical outcomes.
  • Medical device and EHR vendors (indirectly) — sector-specific threat intelligence and vulnerability analyses in the Plan may produce clearer expectations and technical guidance that vendors can use to prioritize patches and secure product lifecycles.

Who Bears the Cost

  • CISA and HHS operational units — the Act assigns additional coordination, reporting, and planning tasks without authorizing funding, increasing workload and forcing agencies to reallocate existing resources or slow other programs to comply.
  • Small and rural healthcare providers — while the bill promises prioritized assistance, these providers will likely need to implement guidance and training with limited budgets and local IT staff, creating potential compliance and operational costs.
  • Medical device manufacturers and IT vendors — increased focus on device vulnerabilities and expectations for mitigation may lead to engineering, support, and upgrade costs, particularly for legacy devices that are costly to remediate.
  • Congressional oversight resources — committees will receive multiple briefings and reports, requiring staff time to review, hold hearings, or act on resource gaps identified by agencies and GAO.

Key Issues

The Core Tension

The central tension is between accelerating sector resilience through coordination, guidance, and prioritization, and the bill’s deliberate reliance on voluntary uptake and existing agency resources: it avoids heavy-handed mandates and new spending to speed implementation and preserve flexibility, but that same approach risks limited real-world impact where hospitals, device vendors, and agencies lack the funds or incentive to act on recommendations.

The bill creates coordination and diagnostic workstreams but deliberately avoids creating binding cybersecurity standards or new funding. That design reduces immediate political resistance but shifts the central implementation challenge to agency prioritization: absent new appropriations, CISA and HHS must reallocate staff and field resources to meet liaison, training, plan update, and reporting deadlines.

The 'may' language on high-risk asset designation gives HHS discretion, which can be useful for flexibility but risks uneven transparency and planning certainty for owners and operators. Those entities may not know whether they will be prioritized until after a list is compiled and kept under biannual review.

Another operational friction is information sharing. The bill directs enhanced threat indicator sharing but does not change underlying privacy, contractual, or statutory limits (for example, HIPAA and state privacy laws) that can constrain what health entities share.

Similarly, workforce recommendations are required, but the bill stops short of funding training pipelines or mandating staffing ratios; without resources, recommended fixes may remain aspirational. Finally, because the statute does not create enforcement mechanisms or mandatory technical standards, its success depends heavily on the liaison’s effectiveness, interagency relationships, and voluntary uptake by the private sector—factors that are harder to guarantee and measure than a prescriptive regulatory approach.
