Healthcare Cybersecurity Act of 2025
Sponsored By: Senator Jacky Rosen
Introduced
Summary
This bill would create a sector-specific cybersecurity framework for the Healthcare and Public Health Sector. It would coordinate CISA and HHS, assign a dedicated CISA liaison to HHS, and require updated risk planning, training, and ongoing asset risk reporting.
Bill Overview
Analyzed Economic Effects
5 provisions identified: 3 benefits, 0 costs, 2 mixed.
Update healthcare cyber risk plan
This bill would require HHS, working with CISA, to update the Healthcare and Public Health Sector Risk Management Plan within one year. The update would analyze risks to covered assets, with emphasis on rural and small- and mid-sized providers. It would assess medical device and patient data vulnerabilities and workforce shortages and recommend fixes. HHS must brief Congress on the update within 120 days.
Which healthcare assets are covered and prioritized
This bill would define what counts as a covered Healthcare and Public Health Sector asset. The definition would follow NSM-22 (April 30, 2024). HHS, with CISA, could set objective rules for designating some assets as "high-risk." HHS would keep a list, tell owners when assets are added or removed, notify Congress when the initial list is made, and review the list twice a year.
GAO report on healthcare cyber resources
This bill would require the Comptroller General (GAO) to report to Congress within 18 months. The report would list federal resources for Healthcare and Public Health Sector critical infrastructure and note recent collaboration with CISA and HHS. The report would inform congressional oversight and future resource choices.
CISA-HHS cybersecurity liaison and training
This bill would require CISA to assign a qualified cybersecurity liaison to HHS. The liaison would coordinate on threats, help during incidents, and assist with Plan updates. CISA would provide training for owners and operators on cyber risks and how to protect systems. CISA would also coordinate with ISAOs, ISACs, and other groups, and must report to Congress within 120 days on its sector support.
No new money or extra powers
This bill would state that nothing in it lets HHS or CISA act beyond existing law. It would also state that it cannot be used to violate constitutional rights. The bill would not authorize any new money to carry out its provisions.
Sponsors & CoSponsors
Sponsor
Jacky Rosen
NV • D
Cosponsors
Todd Young
IN • R
Sponsored 5/21/2025
Angus King
ME • I
Sponsored 6/2/2025
Thomas Tillis
NC • R
Sponsored 6/2/2025
Roll Call Votes
No roll call votes available for this bill.