The reintroduction of the Health Care Cybersecurity and Resiliency Act of 2025 shows that Congress continues to recognize the scale of the cybersecurity crisis facing healthcare. This version of the bill is almost identical to what was introduced in 2024, and that continuity suggests lawmakers believe the sector still lacks the structural support needed to defend patient care and operational stability against rising cyberattacks.
The intent of the legislation remains focused on strengthening cybersecurity standards, improving coordination between federal agencies, increasing transparency in breach reporting, and providing grants and training to resource-constrained healthcare organizations. These concepts were central to the 2024 bill and continue to be central now for a simple reason. Cybersecurity in healthcare is not improving fast enough, and the consequences are becoming more severe, as we saw with the Change Healthcare incident.
Alignment with current regulatory activity
The bill references updated requirements for HIPAA privacy, security, and breach notification regulations. Regulators have already signaled where they want to go. On December 27, 2024, HHS issued a Notice of Proposed Rulemaking to modernize the HIPAA Security Rule. The proposal, published in January 2025, would require stronger controls including multifactor authentication, encryption, penetration testing, vulnerability management, documented policies and procedures, detailed asset inventories, and more rigorous oversight of vendors and business associates.
While these updates are still proposed and not yet final, they reveal a clear federal expectation. Basic cybersecurity controls must become standard across healthcare, not optional or aspirational. The 2025 bill reflects that same expectation.
Required cybersecurity standards
The bill again calls for adoption of specific cybersecurity practices. Multifactor authentication, encryption, penetration testing, and clearly defined baselines are all appropriate minimums for protecting patient data and clinical operations. The challenge is not the standards. The challenge is giving organizations the resources to meet them. Many providers, especially mid-size systems and rural hospitals, simply do not have the budget or workforce to operationalize these requirements without financial support.
Coordination between HHS and CISA
Improved coordination between health and cybersecurity agencies is a needed step. It should lead to better threat information, more timely alerts, and more consistent guidance. However, small and mid-sized healthcare organizations often rely on external cybersecurity partners to act on this information. If those partners are not included in the communication chain, improved coordination will not translate into improved preparedness.
Public breach reporting
The bill requires enhanced visibility into corrective actions and recognized security practices on the public breach portal. Transparency has value, and learning from incidents is essential, but this must be balanced with the reality that detailed public disclosures can help attackers identify weakened organizations. Accountability is important, and it is equally important to safeguard sensitive operational details.
Rural cybersecurity readiness
The bill includes guidance and training for rural providers. This recognizes a longstanding truth. Knowing what to do is not the same as having the people to do it. Rural organizations face chronic staffing shortages and financial constraints. Education alone does not create capacity. Grants are essential if the sector expects meaningful progress in rural cybersecurity.
Grants and funding
Funding remains the most important and most difficult issue. The bill authorizes a broad use of grants that could support staffing, modernizing infrastructure, cloud migration, vulnerability reduction, and third-party partnerships. This flexibility is positive. What remains unclear is how these grants will be funded and at what scale. Without sustainable financial support, the sector will continue to fall behind, regardless of new expectations.
Recognized security practices
Clarifying how HHS evaluates recognized security practices is one of the most constructive pieces of the legislation. Organizations deserve clarity on how frameworks like NIST CSF and 405(d) HICP are applied during audits, investigations, and enforcement actions. This transparency encourages investment in practices that materially improve cybersecurity maturity and program resilience.
Workforce development
The bill calls for more cybersecurity training for the healthcare workforce. Awareness training has value, but the sector’s biggest challenge is the severe shortage of trained cybersecurity professionals who can design, implement, and mature programs. Additional funding for specialized education and certification would have a far greater impact on long-term resilience.
Perspective
The 2025 bill reflects a continued push toward higher cybersecurity standards, stronger coordination, and more support for resource-limited providers. These goals are aligned with what the industry needs. The real question is whether the implementation path will match the urgency of the threat.
Healthcare does not need more intent. It needs capacity, funding, and a workforce capable of meeting rising expectations. Without those elements, regulatory changes and legislative proposals risk widening the gap between organizations that can comply and organizations that cannot.
The intent behind this legislation is sound. Turning that intent into measurable resilience will require consistent commitment from government, industry, and healthcare leaders alike.
Baxter Lee
President, Clearwater Security
Have Questions? Contact us!
