The proposed Health Care Cybersecurity and Resiliency Act of 2025 would direct the U.S. Department of Health and Human Services to revise cybersecurity protocols and offer guidance to the health care industry.

“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs,” Sen. Maggie Hassan, D-N.H., said in a statement. “It can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks. Our bipartisan working group came together to develop this legislation based on the most pressing needs for medical providers and patients, and I urge my colleagues to support it.”

Sens. Mark Warner, D-Va., Bill Cassidy, R-La., and John Cornyn, R-Texas, joined Hassan in introducing the legislation last week. Guidance, grants and educational opportunities for health care entities are included in the bill, according to Fierce Healthcare. This includes guidance for rural entities and health clinics on best practices for cybersecurity breach prevention, resilience and coordination with federal agencies in case of an attack.

The legislation comes at a time of heightened awareness of cyber risks in the industry. More individuals had their health care data exposed in 2024 than in any year since the HHS began collecting this data in 2009. The well-publicized cyberattack on Change Healthcare (a subsidiary of UnitedHealth Group) that year exposed the data of an estimated 190 million people.

John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, cited an FBI report documenting 444 health care breaches in 2025.

“It’s not surprising that the report shows health care suffered the highest combined total of ransomware and data theft attacks of any U.S. critical infrastructure sector,” he said. “Concurrently in 2024, health care made 592 regulatory filings of reported ‘hacks’ of protected health information to the Department of Health and Human Services Office of Civil Rights, impacting a record of 259 million Americans.”

The bill also would modernize the way in which HHS reports cybersecurity issues, create an incident response plan and update HIPAA regulations to require covered entities to use “modern, up-to-date” cybersecurity practices. 

“Patients deserve absolute confidence that their sensitive medical data stored online is protected and shielded from cybersecurity breaches or ransomware attacks,” Cornyn said. “This legislation would strengthen interagency coordination and improve security practices for rural providers, ensuring Texans’ health care is not delayed or compromised by cyberattacks.”
