United States legislators have introduced a new Healthcare Cybersecurity Bill in the U.S. Congress to expand the federal government’s role in protecting medical data. This bipartisan legislation is designed to help prevent, and respond to, the growing number of breaches of Americans’ medical records. Congressman Jason Crow introduced the legislation on June 10th as part of efforts to tackle surging healthcare data breaches in the United States. In January 2025, it was reported that the personal and medical records of 190 million U.S. citizens were impacted by a single ransomware attack. That incident, at Change Healthcare, also caused significant and widespread disruption to patient care across the entire United States.
The new Healthcare Cybersecurity Bill would specifically require CISA and HHS to collaborate on improving cybersecurity in both the healthcare and public health sectors. This collaboration includes facilitating the sharing of cyber threat intelligence between the agency and the department to improve their understanding of the threats facing the sector. CISA would also provide training to the owners and operators of healthcare organizations on how to effectively mitigate these risks.
This would help to bolster the defenses of many healthcare providers.
HHS and CISA would also be required to create a healthcare sector-specific risk management plan for the United States. This includes evaluating best practices for how the government can support the security of covered technologies, services, and utilities. They would also establish objective criteria for identifying high-risk assets in the healthcare sector and notify the owners of those assets. Congressman Brian Fitzpatrick, who co-introduced the bill, described it as direct and strategic action to empower CISA and HHS. He stated that they are not just responding to attacks but are building the infrastructure to prevent them and to protect patient privacy.
This new legislation follows other recent government efforts to bolster the security of the United States healthcare sector. In January 2025, HHS announced its own plans to update the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed updates to the HIPAA Security Rule would require healthcare providers to implement enhanced security measures for individuals’ protected health information. This includes requiring all regulated entities to apply a significantly higher level of authentication for access to relevant IT systems, and mandating continuous, rigorous testing of the security measures that healthcare providers have implemented.