Introduction

The bipartisan Healthcare Cybersecurity Bill [1] [2] [3] [4], also known as Senate Bill 1851, has been introduced by US legislators to enhance the federal government’s role in safeguarding Americans’ medical data against breaches. Spearheaded by Congressman Jason Crow (D-CO-06) and Congressman Brian Fitzpatrick (R-PA-01) [1], this legislation addresses the increasing threat of healthcare data breaches and aims to fortify cybersecurity measures within the sector.

Description

US legislators have introduced a bipartisan Healthcare Cybersecurity Bill [2] [3] [4], also known as Senate Bill 1851, spearheaded by Congressman Jason Crow (D-CO-06) and Congressman Brian Fitzpatrick (R-PA-01) [1]. This legislation aims to enhance the federal government’s role in preventing and responding to data breaches affecting Americans’ medical data [2] [3], particularly in light of the troubling rise in healthcare data breaches. A significant incident that underscored this urgency was the Change Healthcare ransomware attack in 2024, which compromised nearly 190 million personal and medical records [2], marking one of the largest healthcare data breaches in history [5]. This breach not only disrupted patient care but also posed challenges in verifying patient insurance, especially for smaller healthcare providers [1], and incurred substantial financial losses, with UnitedHealth Group reporting $3.1 billion in expenses related to the attack [5].

The Healthcare Cybersecurity Bill addresses the critical vulnerabilities exposed by recent breaches, such as inadequate third-party access controls and the absence of multifactor authentication in vendor portals. In 2021 alone, 46 million Americans were affected by healthcare data breaches—a threefold increase over three years—highlighting the urgent need for improved data protection measures.

Key provisions of the legislation mandate active collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Health and Human Services (HHS) to bolster cybersecurity in the healthcare sector. These provisions include establishing a streamlined process for sharing cyber threat intelligence to enhance understanding of risks, providing specialized cybersecurity training for healthcare organization operators [1] [2] [4], and developing a sector-specific risk management plan that evaluates best practices and federal support mechanisms before, during, and after data breaches [1] [2] [3]. Additionally, the bill establishes criteria for identifying high-risk assets within the healthcare system [1] [2] [3], ensuring direct notifications to asset owners to prevent potential cyberattacks [1].

CISA is also required to submit regular reports to Congress detailing its support activities and readiness strategies [1] [3], ensuring accountability and transparency in the implementation of cybersecurity measures. The bill emphasizes the importance of intelligence sharing to enable swift action against evolving threats [1], necessitating secure communication channels between government agencies and private healthcare entities [1].

Training for healthcare workers in cybersecurity is highlighted as essential [1], as many breaches result from human error [1]. The bill aims to strengthen defenses by equipping personnel with modern cybersecurity skills [1], thereby reducing vulnerabilities in hospital IT networks [1]. This initiative is intended to work alongside HHS’s plans to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in January 2025, which would mandate improved security measures [4], including specific authentication levels for IT system access and ongoing security protocol testing; together they seek to create a cohesive cybersecurity framework.

Challenges remain [1] [5], including the need for funding [1], coordination across state lines [1], and consistent enforcement [1], particularly for smaller healthcare providers [1] [5]. Balancing privacy with data access in emergency situations is also a concern [1]. If effectively implemented [1], the Healthcare Cybersecurity Bill could significantly reduce data breach incidents in the medical sector over the next five years [1], potentially influencing other high-risk industries to pursue similar government collaborations and fostering innovation in cybersecurity for public health [1]. The ongoing calls for increased government oversight and stricter regulations [5], including mandates for comprehensive data backups and enhanced vendor oversight [5], further highlight the necessity of viewing cybersecurity as integral to patient safety and public health [5].

Conclusion

The Healthcare Cybersecurity Bill represents a critical step towards mitigating the risks associated with healthcare data breaches. By fostering collaboration between key federal agencies and enhancing cybersecurity training and protocols, the bill aims to create a robust defense against cyber threats. Its successful implementation could not only reduce the frequency of data breaches in the healthcare sector but also serve as a model for other industries, promoting innovation and strengthening public health security. The emphasis on government oversight and regulation underscores the importance of cybersecurity as a fundamental component of patient safety and public health.

References

[1] https://undercodenews.com/new-healthcare-cybersecurity-bill-aims-to-shield-millions-of-americans-from-data-breaches/
[2] https://ft365.org/index.php/2025/06/11/congress-introduces-bill-to-strengthen-healthcare-cybersecurity/
[3] https://www.infosecurity-magazine.com/news/congress-bill-healthcare/
[4] https://trustcrypt.com/congress-introduces-legislation-to-enhance-cybersecurity-in-healthcare-sector/
[5] https://medtechnews.uk/healthcare-data-breaches/change-healthcare-breach-a-looming-threat/