US Congress Unveils Bipartisan Healthcare Cybersecurity Bill to Combat Rising Data Breaches

US lawmakers have introduced the Healthcare Cybersecurity Bill to strengthen federal coordination and response against surging data breaches impacting Americans’ medical records.

By Yu Chi Huang
Yu Chi is a senior regulatory affairs specialist and medical researcher focusing on medical devices.

As first reported by Infosecurity Magazine, U.S. lawmakers have introduced a bipartisan bill designed to fortify the healthcare sector against increasingly frequent and damaging cyberattacks.

Led by Congressman Jason Crow (D-CO) and Congressman Brian Fitzpatrick (R-PA), the proposed legislation mandates greater collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to prevent, mitigate, and respond to healthcare data breaches. This comes in the wake of the 2024 Change Healthcare ransomware attack, which exposed the medical records of 190 million Americans and disrupted patient care nationwide.

Source: house.gov, wikipedia.org.

Key provisions of the bill include enhanced cyber threat intelligence sharing between CISA and HHS, targeted cybersecurity training for healthcare operators, and the development of a sector-specific risk management framework. It also introduces the concept of high-risk asset classification within the healthcare ecosystem and requires regular reporting to Congress on cybersecurity preparedness efforts. These measures are aimed at proactively protecting the integrity of critical health infrastructure rather than simply reacting after breaches occur.

In tandem with this legislative push, HHS announced in January 2025 its intention to update the HIPAA Security Rule, signaling broader reform across the healthcare cybersecurity landscape. Proposed updates include mandatory multi-factor authentication for IT systems and ongoing security testing to ensure better protection of individuals’ protected health information (PHI). Together, the bill and the HIPAA changes mark a significant step toward strengthening cybersecurity in an increasingly targeted industry.
