This week, Health-ISAC®'s Hacking Healthcare® examines a legislative bill in the United States Senate that may have the congressional support to significantly change numerous aspects of health sector cybersecurity and resiliency. Join us as we assess what the bill would do, the progress it appears to be making, and what it could mean for health sector entities in the United States if it is passed.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).

Welcome back to Hacking Healthcare®!
The Health Care Cybersecurity and Resiliency Act of 2025 Makes Progress

Congressional gridlock, stymying the passage of needed legislation, has been a common lament in the United States, with recent congressional sessions seeming to be particularly ineffectual. The inability to find a path forward on the Cybersecurity Information Sharing Act of 2015 (CISA 2015) is a frustrating example of how even broadly supported legislation can become bogged down. However, recent progress on a consequential sector cybersecurity and resiliency bill is a reason for some optimism.

What Is the Health Care Cybersecurity and Resiliency Act of 2025[i]?

First introduced in the previous Congress in November 2024 and reintroduced in early December 2025, the Health Care Cybersecurity and Resiliency Act of 2025 would drive numerous changes to policies, processes, and regulations for both the public and private sectors. The December press release[ii] from the United States Senate Committee on Health, Education, Labor and Pensions provides a brief breakdown of some of the most important aspects of the bill, including its intent to:

Strengthen cybersecurity in the health care sector by providing grants to health entities to improve cyberattack prevention and response.
Provide training to health entities on cybersecurity best practices.
Support rural communities by providing best practices to rural health clinics and other providers on cybersecurity breach prevention, resilience, and coordination with federal agencies.
Improve coordination between the Department of Health and Human Services (HHS) and Cybersecurity and Infrastructure Security Agency (CISA) to better respond to cyberattacks in the health care sector.
Modernize current regulations so entities covered under the Health Insurance Portability and Accountability Act (HIPAA) use the best cybersecurity practices.
Require the HHS Secretary to develop and implement a cybersecurity incident response plan.

What Is the Catalyst for Introducing the Bill?

The legislation has its roots in the bipartisan Health Care Cybersecurity Working Group, which came together at the end of 2023 to find ways of addressing the “record” number of cybersecurity attacks plaguing the health sector.[iii] The bipartisan sponsors who reintroduced the bill cited the same issues as they did more than two years ago, including the devastating consequences of service disruption on patient care and the need to bolster trust and confidence in the security of sensitive health data.

In our Action & Analysis section below, we will dig into the details of some of the bill’s most impactful provisions and discuss what to make of the recent legislative markup that advanced the bill out of committee last week.

Action & Analysis
**Included with Health-ISAC Membership**


[i] https://www.congress.gov/bill/119th-congress/senate-bill/3315/text

[ii] https://www.help.senate.gov/rep/newsroom/press/chair-cassidy-colleagues-reintroduce-legislation-to-strengthen-cybersecurity-in-health-care

[iii] https://www.help.senate.gov/rep/newsroom/press/ranking-member-cassidy-warner-colleagues-launch-bipartisan-senate-health-care-cybersecurity-working-group

[iv] Towards the end of the Biden administration, HHS put out an extensive Notice of Proposed Rulemaking to address the HIPAA Security Rule that neared 400 pages. The transition to the Trump administration, the subsequent freeze of regulatory developments pending administration review, and a decline in HHS policymaking transparency put the fate of this effort in doubt, given that there is no legal requirement for HHS to pursue an update. However, the Spring Unified Agenda for 2025, the most current agenda listing department and agency regulatory planning, still lists a Final Rule scheduled for May 2025.

[v] https://www.congress.gov/bill/119th-congress/senate-bill/3315/text

[vi] https://www.congress.gov/bill/119th-congress/senate-bill/3315/text

[vii] https://www.congress.gov/bill/119th-congress/senate-bill/3315/text

[viii] https://www.congress.gov/bill/119th-congress/senate-bill/3315/text

[ix] https://www.help.senate.gov/imo/media/doc/health_care_cybersecurity_and_resiliency_act_of_2025_section-by-section.pdf

[x] The legislation advanced in a 22-1 vote, with the lone holdout being Sen. Rand Paul [R-KY], who is also at the center of the CISA 2015 reauthorization holdup.