Bill Reintroduced to Strengthen Healthcare Cybersecurity
A bipartisan quartet of Senators has reintroduced the Health Care Cybersecurity and Resiliency Act of 2025 in another attempt to bolster privacy and cybersecurity in the healthcare sector. The bill was introduced by Senate Health, Education, Labor, and Pensions (HELP) Committee Chair Bill Cassidy (R-LA) and co-sponsored by Sens. Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX). It is the product of a bipartisan healthcare cybersecurity working group established in 2023, and it is largely unchanged from its first iteration, the Health Care Cybersecurity and Resiliency Act of 2024, which was introduced in November 2024 with little time for consideration before Congress adjourned at the start of this year.
Cyberattacks on healthcare organizations have steadily increased over the past decade, with a significant uptick in recent years. In each of the past four years, more than 700 data breaches have been reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and large data breaches now occur at twice the volume seen in 2016, 2017, and 2018. According to OCR, healthcare hacking incidents increased by 239% between 2018 and 2023 and ransomware attacks increased by 278% over the same period. In 2024 alone, the personal and health information of more than 270 million Americans was compromised in cybersecurity incidents and other data breaches.
Healthcare cyberattacks can have life-or-death consequences. With IT systems taken out of action, emergency departments are placed on diversion and appointments are cancelled, delaying diagnosis and treatment. Medical errors and complications often increase following a cyberattack, resulting in poorer patient outcomes, and several studies suggest that mortality rates rise in the aftermath of an attack. Further, highly sensitive patient data is typically stolen, putting patients at increased risk of identity theft and fraud.
The Health Care Cybersecurity and Resiliency Act of 2025 seeks to improve cybersecurity across the healthcare and public health (HPH) sector through a variety of initiatives. The bill calls for greater collaboration between the HHS Secretary and the Director of the Cybersecurity and Infrastructure Security Agency (CISA); requires HHS to develop a cybersecurity incident response plan; requires the development of products specific to HPH sector entities to help them improve cybersecurity; and directs that further resources be made available to Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs).
If enacted, training will be provided to HPH entities on cybersecurity best practices, grants will be made available to HPH sector entities to help them improve cyberattack prevention and response, and there will be greater support for rural healthcare providers to enhance breach prevention and resilience. The Health Care Cybersecurity and Resiliency Act of 2025 also requires updates to modernize the Health Insurance Portability and Accountability Act (HIPAA), including the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. Those updates include new minimum cybersecurity standards and mandatory adoption of cybersecurity best practices, including multifactor authentication, encryption of health information, and regular cybersecurity audits and penetration tests. The bill also calls for greater clarity on breach reporting obligations, including a requirement to report the number of individuals affected by a data breach or cybersecurity incident, and for any enforcement actions taken against HIPAA-regulated entities to be made public via the OCR breach portal.
Many of the cybersecurity elements required by the bill are also included in the proposed update to the HIPAA Security Rule, issued in December 2024 in the final days of the Biden administration. The proposed update did not prove popular with many healthcare organizations, and on December 8, 2025, more than 100 hospital systems, healthcare provider organizations, and provider associations signed a joint stakeholder letter urging HHS to withdraw it. The proposed Security Rule update was criticized on the grounds that it would "drive up costs, require extensive infrastructure redesigns, and divert limited resources away from patient care and frontline operations."
Given that the Health Care Cybersecurity and Resiliency Act of 2025 includes several similar cybersecurity provisions, it has the potential to prove equally unpopular. However, the bill calls for grants to be made available to hospitals, cancer centers, rural health clinics, health facilities operated by the Indian Health Service, academic health centers, and certain nonprofit entities, which would at least ease some of the financial burden of strengthening cybersecurity.
“Cyberattacks on our health care sector not only put patients’ sensitive health data at risk but can delay life-saving care,” said Dr. Cassidy. “This bipartisan legislation ensures health institutions can safeguard Americans’ health data against increasing cyber threats.” A summary of the requirements of the Health Care Cybersecurity and Resiliency Act of 2025 can be viewed here, and the full text of the bill is available on this link.