Bipartisan Group of Senators has Second Stab at Improving Healthcare Cybersecurity and Resiliency
A bipartisan healthcare cybersecurity bill – The Health Care Cybersecurity and Resiliency Act of 2025 – has been reintroduced in an effort to improve cybersecurity and resiliency across the healthcare and public health (HPH) sector, which has been plagued by ransomware and other cyberattacks in recent years. The bill was co-sponsored by Senate Health, Education, Labor, and Pensions (HELP) Committee Chair Sen. Bill Cassidy, (R-LA), and Sens. Mark Warner, (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH), and is virtually identical to the first version of the bill that was introduced late in the 188th Congress session last year.
The bill is the product of the efforts of a bipartisan Senate working group that was formed in 2023 by the same four Senators to study proposals for strengthening HPH sector cybersecurity. The group was formed in response to the alarming increase in healthcare cyberattacks since 2019, and the aim was to study various proposals for bolstering cybersecurity and rally congressional support for further healthcare legislation.
Cyberattacks have increased in sophistication, and more threat actors are targeting the industry; however, many attacks have been made possible due to weak security controls and a failure to follow cybersecurity best practices. The bill would make certain cybersecurity best practices mandatory, including multifactor authentication, data encryption, regular security audits, and penetration testing.
Most of the new cybersecurity best practices included in the bill are also included in the proposed update to the HIPAA Security Rule, published by the HHS’ Office for Civil Rights (OCR) in December 2024 under the previous administration. The proposed HIPAA Security Rule has attracted a lot of criticism from healthcare providers, healthcare provider associations, and industry organizations due to the cost and difficulty of implementing the new requirements, the one-size-fits-all approach to cybersecurity, and the implementation timeframe. This week, a coalition of healthcare providers and industry groups led by CHIME petitioned the HHS to withdraw the proposed rule.
There have been several efforts to improve healthcare cybersecurity through further legislation. The Health Care Cybersecurity and Resiliency Act of 2025 may stand a greater chance than previous attempts, as the bill proposes grants for healthcare providers to ease the financial burden of implementing the new cybersecurity measures. In addition to updates to the HIPAA Security Rule to make cybersecurity best practices mandatory, the bill requires an update to the HIPAA Breach Notification Rule to include “the number of individuals affected by the breach” in the individual notification requirements. The bill also requires the HHS to make information publicly available, via the OCR data breach portal, about any corrective action taken against a covered entity that provided notification of a breach, and the extent to which OCR considered the recognized security practices implemented by that entity.
The bill requires the HHS to provide guidance on cybersecurity to rural healthcare providers on cybersecurity readiness, including how to improve cyber infrastructure, implement safeguards to improve employee preparation to mitigate any cybersecurity risks, and for the HHS to develop and implement its own cybersecurity incident response plan, and improve coordination between the HHS Secretary and the Director of the Cybersecurity and Infrastructure Security Agency (CISA).
“Patients deserve absolute confidence that their sensitive medical data stored online is protected and shielded from cybersecurity breaches or ransomware attacks,” said Sen. Cornyn. “This legislation would strengthen interagency coordination and improve security practices for rural providers, ensuring Texans’ health care is not delayed or compromised by cyberattacks.”
