LUGPA Policy Brief: The Healthcare Cybersecurity Act of 2025
June 2025
On May 21, Senators Jacky Rosen (D-NV) and Todd Young (R-IN) introduced S. 1851, the Healthcare Cybersecurity Act of 2025, a bipartisan proposal to reinforce cybersecurity across the healthcare and public health sectors. The bill directs the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to partner in advancing cyber defenses, improving information sharing, and delivering targeted support to non-federal healthcare entities, including independent and small-group medical practices.
Key Provisions
1. Interagency Coordination
- Establishes a formal partnership between CISA and HHS to improve cybersecurity preparedness and response within the healthcare sector.
- Embeds a dedicated CISA liaison at HHS to facilitate real-time collaboration and incident management.
2. Support for Non-Federal Providers
- Requires CISA to provide tailored cybersecurity resources, threat intelligence, and technical assistance to healthcare organizations, particularly small, rural, and independent practices.
- Ensures resources are scalable and accessible to meet the needs of diverse healthcare environments.
3. Targeted Cybersecurity Training
- Mandates that CISA develop and deliver training on cyber threats, data protection, and best practices for securing health IT systems.
- Prioritizes practical education for providers with limited in-house IT or cybersecurity expertise.
4. Sector Risk Management Plan
- Directs HHS and CISA to update the sector-specific cybersecurity risk management plan to address:
  - Vulnerabilities in IT systems, electronic health records, and medical devices.
  - Impacts of breaches on patient access, care quality, and health outcomes.
  - Workforce shortages in cybersecurity, focusing on rural and small practices.
5. Identification of High-Risk Assets
- Authorizes HHS to identify and prioritize “high-risk” healthcare assets based on critical infrastructure standards.
- Facilitates targeted support and resource allocation to protect essential healthcare functions.
6. Reporting and Accountability
- Requires:
  - A joint HHS-CISA report to Congress within 18 months on the liaison’s activities and interagency coordination.
  - A CISA report outlining sector-wide support activities and outcomes.
  - A GAO evaluation of current federal cybersecurity resources available to healthcare entities.
Independent urology practices face increasing cybersecurity threats, often without the same infrastructure or resources available to large systems. Attacks can lead to:
- Patient Safety Risks – Delays in care, inaccessible medical records, and disrupted device functionality.
- Operational and Financial Strain – High recovery costs and potential regulatory penalties.
- Reputational Harm – Loss of patient trust and long-term damage to practice credibility.
S. 1851 addresses ongoing cybersecurity challenges by proposing tools, training, and federal support to strengthen cyber readiness across all healthcare settings, including independent practices.
LUGPA’s Position
LUGPA supports S. 1851 and encourages its consideration and advancement. The bill aligns with LUGPA’s policy priorities by:
- Enhancing Resilience – Offering practical cybersecurity resources suited to the operational realities of independent medical practices.
- Promoting Equity – Ensuring small, rural, and underserved providers are included in national cybersecurity planning and assistance.
- Protecting Care Continuity – Supporting the stability of systems critical to delivering timely, high-quality patient care.
LUGPA will continue working with lawmakers, federal agencies, and member practices to promote policies that improve cybersecurity preparedness across the healthcare sector.