Senators Reintroduce Legislation to Enhance Cybersecurity in Healthcare

New Bipartisan Bill Aims to Fortify Healthcare Cybersecurity with Enhanced Regulations and Support

A bipartisan group of four U.S. senators is reviving efforts to enhance cybersecurity in the healthcare sector with the introduction of the Health Care Cybersecurity and Resiliency Act of 2025. This legislation, which closely mirrors a previous proposal put forth in November 2024, aims to solidify cybersecurity measures critical to safeguarding sensitive health information.

Among the primary objectives outlined in the bill is an overhaul of HIPAA privacy regulations, which will include provisions for grants and training specifically for healthcare organizations, alongside improved reporting requirements for data breaches. The legislation is co-sponsored by notable senators including Bill Cassidy, R-La., the chair of the Senate HELP Committee; Mark Warner, D-Va.; John Cornyn, R-Texas; and Maggie Hassan, D-N.H.

Formed in 2023, the bipartisan Senate working group aims to garner legislative support dedicated to bolstering cybersecurity measures across the healthcare landscape. The bill explicitly mandates collaboration between the Secretary of the U.S. Department of Health and Human Services (HHS) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA), emphasizing the importance of coordinated action in addressing cybersecurity vulnerabilities unique to healthcare and public health sectors.

A key aspect of the legislation calls for HHS to update existing HIPAA regulations, focusing on security and breach notification. It stipulates that HIPAA-covered entities and business associates implement multifactor authentication and encryption, conduct regular audits such as penetration testing, and adhere to other minimum cybersecurity standards, which will be defined in consultation with private-sector organizations.

In response to earlier proposals for HIPAA rule updates, which faced criticism from industry stakeholders for being overly burdensome, this new legislative effort looks to balance regulatory compliance with the provision of necessary financial support through grants aimed at enhancing preparedness against cyber threats. In particular, amendments are aimed at aiding rural healthcare providers with guidelines to boost their cybersecurity posture and establish workforce training protocols for best practices in digital security.

The act also seeks to improve transparency in breach reporting by enhancing the public HIPAA breach reporting portal. HHS will be tasked with indicating whether corrective measures were taken against entities that experienced security breaches and detailing how recognized security practices were implemented during investigations.

Additional legislative efforts have attempted to address concerns regarding cybersecurity shortcomings within the healthcare sector. The Strengthening Cybersecurity in Health Care Act of 2024, alongside recent proposals targeting privacy surrounding consumer health data, aims to sustain momentum in improving healthcare cybersecurity frameworks.

In light of the widespread impact of cyberattacks—a staggering 270 million Americans were affected by major health data breaches in 2024—this legislative initiative further acknowledges the pressing need to safeguard sensitive patient information. The act aims to mitigate the array of tactics exploited by adversaries, covering initial access techniques such as phishing or exploiting software vulnerabilities, alongside persistence and privilege escalation methods.

Commenting on the urgent need for these reforms, Senator Cassidy emphasized the critical nature of addressing cybersecurity threats, indicating the potential disruptions to patient care and the overall healthcare infrastructure posed by these incidents. As the legislative process unfolds, stakeholders in the healthcare sector will closely monitor developments, hoping to implement robust safeguards against evolving digital threats.
