
House and Senate lawmakers introduced the bipartisan Healthcare Cybersecurity Act in an effort to safeguard medical data and increase coordination between federal agencies. Similar legislation was introduced in the 117th and 118th Congresses in 2022 and 2024, respectively.
Representatives Brian Fitzpatrick (R-Pa.) and Jason Crow (D-Colo.) led the legislation in the House, and Senators Jacky Rosen (D-Nev.) and Todd Young (R-Ind.) introduced it in the Senate.
If the legislation passes this time around, it would require the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving healthcare cybersecurity. It would also mandate the appointment of a liaison who would work between HHS and CISA to coordinate cyberattack response.
“This bipartisan bill takes direct, strategic action: empowering CISA and HHS to coordinate real-time threat sharing, expanding cybersecurity training for providers, and establishing a dedicated liaison to bolster response. We’re not just responding to attacks — we’re building the infrastructure to prevent them, protect patient privacy, and defend a vital pillar of our national security,” Fitzpatrick stated.
In addition to establishing a liaison, the proposed legislation directs HHS and CISA to conduct a joint study identifying cybersecurity vulnerabilities within the healthcare sector. The bill would also facilitate training for healthcare owners and operators on cybersecurity risks to the healthcare sector and ways to mitigate them.
The proposed legislation arrives as cyberattacks continue to disrupt healthcare operations at a high volume. Kettering Health in Ohio restored operations in June 2025 after more than three weeks of disruptions due to an Interlock ransomware attack. In April, Yale New Haven Health System reported a data breach to HHS that impacted nearly 5.6 million individuals.
“In recent years, hospitals and other health care facilities in Indiana and across America have experienced a dramatic increase in cyberattacks,” Young stated. “Our bipartisan bill will take critical steps to strengthen cybersecurity infrastructure and better protect patients’ personal data.”
Other legislative efforts to improve healthcare cybersecurity have achieved mixed results, often failing to make it past the introduction stage.
In January 2025, HHS proposed significant updates to the HIPAA Security Rule. As of March 2025, the HHS Office for Civil Rights was in the process of reading and considering the public comments on the rule. At this time, the future of the proposed rule is uncertain.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.