HR3841 • 119th Congress • WALLET

Healthcare Cybersecurity Act of 2025

Sponsored By: Representative Crow

Introduced

Summary

Creates a sector-specific cybersecurity framework inside the Cybersecurity and Infrastructure Security Agency (CISA) to strengthen cyber defenses across the Healthcare and Public Health Sector (HPH Sector). It ties CISA and the Department of Health and Human Services together for joint planning, training, information sharing, and incident coordination.

  • Owners and operators of covered health assets must receive cybersecurity training and be prioritized in planning. The Secretary of Health and Human Services and CISA must update the Sector-specific Risk Management Plan within 1 year with special focus on rural and small- and medium-sized assets.
  • CISA will name a dedicated liaison to HHS and may use a Director-promulgated methodology to set objective criteria for identifying high-risk covered assets. Congress will get notice when CISA publishes a biannually updated high-risk asset list that can guide prioritizing resources.
  • CISA must report within 120 days on agency-wide HPH support and preparedness, and the Comptroller General must report within 18 months on federal resources available to the sector. The bill also explicitly prohibits additional funds being appropriated for its implementation.

Bill Overview

Analyzed Economic Effects

6 provisions identified: 4 benefits, 1 cost, 1 mixed.

Protects speech and privacy in cybersecurity

If enacted, the bill would not allow any action that violates constitutional rights. That includes censoring protected speech or doing unauthorized surveillance. All Agency and Department actions would need to follow the Constitution.

Risk-based list of high-risk healthcare assets

If enacted, the Secretary could set objective criteria and create a list of high-risk covered healthcare assets. Owners and operators would be notified if they are on the list. The list could be reviewed and updated every two years, and Congress would be notified when it is created or changed. The Department could use the list to steer resources to strengthen cyber resilience.

Update to healthcare cyber risk plan

If enacted, the Secretary would have to update the Healthcare and Public Health Sector Risk Management Plan within 1 year. The update would cover risks to rural and small- and medium-sized providers, medical devices, electronic health records, workforce shortages, and fast ways to share tools. A briefing to Congress would be due within 120 days on the update effort. The Agency would also report within 120 days on its current help to the sector, and the Comptroller General would report within 18 months on federal resources available for healthcare critical infrastructure.

More cyber help for healthcare providers

If enacted, the Agency would offer cybersecurity training to owners and operators of covered healthcare assets. It would work with healthcare threat-sharing groups to send alerts and practical defensive steps. A qualified cybersecurity liaison would coordinate with Health and Human Services and help during incidents. A report on this work would be due to Congress within 18 months.

Defines which healthcare assets are covered

If enacted, the bill would define a “covered asset” to include healthcare technologies, services, and utilities. It would use the Healthcare and Public Health Sector list named in NSM-22 from April 30, 2024. These definitions would decide who can receive the bill’s training, coordination, and prioritization.

No new funds and limited authority

If enacted, the bill would not authorize new funding. Agencies would need to use existing money or seek separate appropriations. It would also limit Agency actions to powers in this bill or existing law.

Sponsors & CoSponsors

Sponsor

Crow

CO • D

Cosponsors

  • Rep. Fitzpatrick, Brian K. [R-PA-1]

    PA • R

    Sponsored 6/9/2025

  • Rep. Nunn, Zachary [R-IA-3]

    IA • R

    Sponsored 9/30/2025

Roll Call Votes

No roll call votes available for this bill.
