Warner and Colleagues Reintroduce Legislation to Strengthen Cybersecurity in Health Care

WASHINGTON - Today, U.S. Sens. Mark Warner (D-VA), Bill Cassidy, M.D. (R-LA), Maggie Hassan (D-NH), and John Cornyn (R-TX) reintroduced the Health Care Cybersecurity and Resilience Act to protect Americans' health data by strengthening cybersecurity. This legislation is a product of the senators' bipartisan health care cybersecurity working group launched in 2023.

"Cyberattacks on our health care organizations threaten the sensitive information of millions of Americans and can have life-or-death consequences on the care patients receive," said Sen. Warner. "I'm glad to join my colleagues in introducing this bill to strengthen our cybersecurity, protect patients, and provide additional tools for rural health care providers in Virginia."

"Cyberattacks on our health care sector not only put patients' sensitive health data at risk but can delay life-saving care," said Dr. Cassidy. "This bipartisan legislation ensures health institutions can safeguard Americans' health data against increasing cyber threats."

"Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs - and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks," said Sen. Hassan. "Our bipartisan working group came together to develop this legislation based on the most pressing needs for medical providers and patients, and I urge my colleagues to support it."

"Patients deserve absolute confidence that their sensitive medical data stored online is protected and shielded from cybersecurity breaches or ransomware attacks," said Sen. Cornyn. "This legislation would strengthen interagency coordination and improve security practices for rural providers, ensuring Texans' health care is not delayed or compromised by cyberattacks."

The Health Care Cybersecurity and Resiliency Act of 2025:

• Strengthens cybersecurity in the health care sector by providing grants to health entities to improve cyberattack prevention and response.
• Provides training to health entities on cybersecurity best practices.
• Supports rural communities by providing best practices to rural health clinics and other providers on cybersecurity breach prevention, resilience, and coordination with federal agencies.
• Improves coordination between the Department of Health and Human Services (HHS) and Cybersecurity and Infrastructure Security Agency (CISA) to better respond to cyberattacks in the health care sector.
• Modernizes current regulations so entities covered under the Health Insurance Portability and Accountability Act (HIPAA) use the best cybersecurity practices.
• Requires the HHS Secretary to develop and implement a cybersecurity incident response plan.

Click here for full bill text.

BACKGROUND

Health records, unlike other personal records like credit card numbers, are more valuable on the black market since health conditions are permanent and cannot be reissued.

There were more than 730 cyber breaches last year, affecting over 270 million Americans. This includes the attack on Change Healthcare, the largest health care cybersecurity incident in history. This attack exposed the data of over 190 million people, leading to significant delays in care and electronic prescribing.