S. 1851: Healthcare Cybersecurity Act of 2025

The Healthcare Cybersecurity Act of 2025 aims to strengthen the cybersecurity of the healthcare and public health sector in the United States. Here is a breakdown of what the bill includes:

Short Title

The bill is officially referred to as the "Healthcare Cybersecurity Act of 2025."

Definitions

The bill defines key terms including:

• Agency: Refers to the Cybersecurity and Infrastructure Security Agency.
• Covered Asset: Any technology, service, or utility in the healthcare and public health sector.
• Director: The Director of the Cybersecurity and Infrastructure Security Agency.
• Department: The Department of Health and Human Services.

Findings

Congress recognizes that:

• Cyberattacks on healthcare assets are increasing, leading to data breaches, higher healthcare costs, and potential impacts on patient health.
• Cyber breaches in healthcare systems rose by 93% from 2018 to 2022.
• The number of breaches affecting unsecured protected health information increased by 107% since 2018, with notable impacts on many individuals.

Agency Coordination

The bill calls for the Cybersecurity and Infrastructure Security Agency to coordinate with the Department of Health and Human Services to enhance cybersecurity in the healthcare sector. Key actions include:

• Appointment of a liaison to facilitate communication and coordination on cybersecurity issues.
• Regular reporting on the progress made in improving cybersecurity coordination.

Resources and Support

The Agency is tasked with providing resources and support to various organizations involved in the healthcare sector. This includes:

• Sharing information on cyber threats.
• Creating specific resources that meet the needs of healthcare entities.

Training Initiatives

To enhance cybersecurity awareness, the bill mandates training for owners and operators of healthcare assets. This training will cover:

• Cybersecurity risks specific to the healthcare sector.
• Strategies to mitigate these risks.

Sector-Specific Risk Management Plan

Within a year of enactment, the Department is required to update its risk management plan, which will include:

• An analysis of cybersecurity risks affecting healthcare assets.
• Challenges healthcare entities face in securing their systems and responding to breaches.
• Best practices for utilizing resources to bolster cybersecurity.

Identifying High-Risk Assets

The bill allows the Secretary of Health and Human Services to establish criteria for identifying high-risk healthcare assets. Actions include:

• Creating and maintaining a list of high-risk assets to prioritize resource allocation for enhanced cybersecurity.
• Regular updates to this list every six months.

Reporting Requirements

Regarding accountability, the bill includes provisions for regular reporting to Congress about:

• The support provided by the Agency to the healthcare sector against cyber threats.
• Resources available for critical infrastructure in healthcare.

Rules of Construction

The bill explicitly states that:

• It does not authorize any actions that violate existing laws or constitutional rights.
• No additional funds will be appropriated for the bill’s implementation.

Relevant Companies

• UNH (UnitedHealth Group Inc): As a major player in the healthcare sector, UnitedHealth may need to enhance its cybersecurity measures to comply with the bill.
• CAH (Cardinal Health Inc): Being involved in supply chain and healthcare services, Cardinal Health could be impacted by new cybersecurity regulations.
• AET (Aetna Inc): Aetna may need to adapt its own cybersecurity protocols in response to the additional regulatory landscape created by this bill.