In a strong bipartisan push to confront mounting cyber threats, U.S. lawmakers have introduced two major bills aiming to enhance cybersecurity in the healthcare sector and across critical infrastructure.
One bill proposes a formal liaison between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), specifically targeting hospitals and healthcare providers. The second extends key provisions from the Cybersecurity Information Sharing Act of 2015, encouraging private-sector threat reporting to the federal government.
This legislative momentum comes amid a wave of alarming cyber incidents that have affected hospital operations across the U.S. In one case, a major Ohio hospital network took weeks to recover from a ransomware attack that shut down patient record systems and disrupted care.
Another multi-state hospital group, Covenant Health, is still recovering from a similar breach.
These incidents underscore the rising stakes, as cyberattacks now threaten patient privacy and the delivery of lifesaving treatment. The proposed bills seek to build a more coordinated, preventive infrastructure to defend against such escalating threats.
Why It Matters: Cyberattacks against healthcare institutions jeopardize both patient safety and national security. By promoting stronger inter-agency cooperation and renewing legal protections that encourage threat sharing, these bills aim to reinforce the resilience of America’s critical infrastructure and bolster frontline cybersecurity defenses.
- Healthcare Cybersecurity Act: Introduced by Reps. Brian Fitzpatrick (R-PA) and Jason Crow (D-CO), the Healthcare Cybersecurity Act seeks to formalize collaboration between CISA and HHS by establishing a dedicated liaison role. This position would act as the central communication hub during cyber incidents affecting hospitals, ensuring that threat data, best practices, and response strategies are coordinated quickly between federal agencies and healthcare organizations. The goal is to streamline real-time threat intelligence sharing and develop sector-specific responses that are more nimble and better informed.
- Mandatory Risk Assessments and Reporting: The legislation requires CISA and HHS to jointly conduct and publish comprehensive studies that identify critical vulnerabilities across the healthcare sector. These studies must examine issues like the cybersecurity readiness of small and rural hospitals, the susceptibility of electronic health records to breaches, and the relative insecurity of specific medical devices. Devices deemed high-risk will be formally listed and regularly updated, providing a clear guide to where mitigation efforts should be focused. The resulting report will also address how cyberattacks delay treatment and impact patient outcomes.
- Training and Awareness Initiatives: Recognizing the persistent knowledge gap within frontline healthcare environments, the bill calls for the development and distribution of cybersecurity training programs tailored for hospital staff. These would include educational materials, simulations, and guidelines on how to detect, report, and respond to cyber threats. However, some cybersecurity experts argue that training alone is insufficient and that the core issue lies in under-resourced IT departments and inadequate funding for security infrastructure in healthcare facilities.
- Cybersecurity Information Sharing Extension Act: Introduced by Sens. Gary Peters (D-MI) and Mike Rounds (R-SD), this bill extends the protections originally provided under the 2015 Cybersecurity Information Sharing Act for another ten years. These provisions protect businesses from legal liabilities when they share cyber threat indicators, such as malware signatures or malicious IP addresses, with the federal government. The extension is designed to preserve and expand the collaborative ecosystem that enables faster threat detection and broader national cyber defense across the private and public sectors.
- Privacy and National Security: The legislation ensures that the privacy protections embedded in the original 2015 law remain intact. This includes safeguards to strip personally identifiable information (PII) from data shared with the government. By maintaining these privacy standards while simultaneously facilitating wider information exchange, the bill aims to strengthen cybersecurity defenses without compromising civil liberties. The shared intelligence benefits a range of sectors, from healthcare to utilities, and is distributed through platforms like the Joint Cyber Defense Collaborative and Information Sharing and Analysis Centers (ISACs).
Go Deeper → Bipartisan bill aims to create CISA-HHS liaison for hospital cyberattacks – The Record