
US lawmakers have introduced a new Healthcare Cybersecurity Act aimed at helping frontline health providers better respond to cyber threats and protect Americans’ private medical data, but does it do enough? One security expert lays out the pros and cons to Cybernews.
The new bill, introduced this week by a bipartisan group in Congress, has also garnered support from both sides of the aisle in the Senate, according to Republican Congressman Brian Fitzpatrick of Pennsylvania.
“Cyberattacks on our healthcare system endanger more than data—they put lives at risk,” Congressman Fitzpatrick said.
“I’ve spoken with local hospitals, health care providers, and families across our community about the real-world impacts of these breaches—and the urgent need for action,” he said, adding that it’s about more than just responding to attacks, but “building the infrastructure to prevent them and protecting patient privacy.”
“Cybercriminals are targeting hospitals, stealing patient data, and putting lives at risk. I’ve spoken with local hospitals, health care providers, and families across our community about the real-world impacts of these breaches—and the urgent need for action. We worked together… pic.twitter.com/UBxJMJiynK”
Rep. Brian Fitzpatrick (@RepBrianFitz), June 11, 2025
Over 46 million Americans had their personal health information compromised in cyber breaches in 2021, with the number of incidents tripling over three years, according to statistics provided by Fitzpatrick's office.
These cybercriminal attacks have "shut down hospitals, delayed care, exposed patients’ most sensitive data, and – in some cases – left that data circulating on the dark web,” the Congressman said.
Last month alone, two major US healthcare networks suffered massive breaches – a ransomware attack on Kettering Health in Ohio and a data leak due to third-party trackers announced by the California-based Kaiser Permanente.
The cyber incidents not only forced multiple hospitals and hundreds of medical facilities to cancel thousands of patient procedures, with some said to be life-threatening, but also exposed the personal health data of more than 13 million Americans.

What’s inside?
Officially called the Healthcare Cybersecurity Act of 2025, one of the bill’s main tenets tasks the federal government with proactively working with healthcare organizations: first, by providing the tools they need to defend against an attack, and second, by providing direct support if they become victims of one.
“From small businesses to hospitals, this bipartisan bill takes direct, strategic action: empowering CISA and HHS to coordinate real-time threat sharing, expanding cybersecurity training for providers, and establishing a dedicated liaison to bolster response,” Rep. Fitzpatrick said in the release.
HHS, the US Department of Health and Human Services, requires entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to report breaches of protected health information to the agency. HHS is also responsible for investigating the circumstances surrounding a breach and for levying fines or pursuing civil actions against an entity that has failed to properly secure its systems or patient data as HIPAA requires.
Specifically, the Healthcare Cybersecurity Act would:
- Require the Cybersecurity and Infrastructure Security Agency (CISA) and HHS to coordinate real-time cyber threat response.
- Establish a dedicated liaison between CISA and HHS to improve communication, threat analysis, and incident response.
- Expand comprehensive cybersecurity training for all frontline healthcare providers and personnel.
- Direct both agencies to conduct a full-scale review identifying cybersecurity vulnerabilities and risks within the health sector.
Security experts not entirely convinced
Some cybersecurity insiders believe that while the proposal has legs, it may not be as effective in the real world as the lawmakers who proposed it expect.
“While this is a good step in the right direction, you can’t really legislate a good security strategy and approach,” said Kevin Kirkwood, CISO at the California-based cybersecurity firm Exabeam.
Laying out the pros and cons of the bill, Kirkwood said, “Without funding and teeth to ensure compliance to a dedicated and real cyber strategy, it might as well be categorized as a false start.”
On the positives, Kirkwood said a collaboration between CISA and the HHS will help the agencies coordinate their operations, thereby improving communications and the ability to apply solutions in a risk-based manner.
Kirkwood said the bill guarantees that smaller healthcare entities – often working with smaller budgets – still have access to the “training and best practices” necessary to defend their digital infrastructure, all while “keeping the concept of data privacy intact.”
On the opposite front, Kirkwood said the bill does not cover the funding for healthcare organizations to adopt the resources they need – such as skills training and security system upgrades – to meet the goals outlined in the bill.
“It doesn’t do anything for the actions that are happening now and outlines a 12 to 18-month plan,” Kirkwood said.
The CISO also points out that while the bill “pushes organizations to enact solid cybersecurity standards,” it imposes no requirements, calling only for “voluntary compliance.”