S. 1851 (119th)Bill Overview

Healthcare Cybersecurity Act of 2025

Health|Health

Sponsor

Jacky RosenD

Cosponsors

Support

Lean Republican

Introduced

May 21, 2025

Discussions

Bill Text

View ↗

Committee

Homeland Security Subcommittee

Current stageCommittee

Read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Introduced

Committee

Floor

President

Law

Congressional Activities

01 · The brief

Plain-English summaryWhat this bill actually does

The Healthcare Cybersecurity Act of 2025 directs CISA and HHS to coordinate more closely to strengthen cybersecurity across the Healthcare and Public Health Sector. It requires CISA to appoint a qualified liaison to HHS, mandates training for owners and operators of covered assets, and directs HHS and CISA to update a sector-specific risk management plan within one year.

Why people may split

Progressives emphasize protecting patients, devices, rural providers, and workforce investment

Watch point

Relative to its intended legislative type, this bill is a well‑structured administrative/operational measure that sets out specific coordination mechanisms, responsible parties, required Plan content, and reporting timelines to strengthen Healthcare and Public Health Sector cybersecurity, while relying on existing authorities.

The Healthcare Cybersecurity Act of 2025 directs CISA and HHS to coordinate more closely to strengthen cybersecurity across the Healthcare and Public Health Sector.

It requires CISA to appoint a qualified liaison to HHS, mandates training for owners and operators of covered assets, and directs HHS and CISA to update a sector-specific risk management plan within one year.

The bill authorizes development and biannual updating of an optional list of high‑risk covered assets, requires several reports to Congress (including a GAO study), and clarifies it creates no new authorities or additional appropriations.

Passage70/100

Narrow, technical, low-cost measures with bipartisan appeal and clear implementation paths; committees and Senate procedure are main hurdles.

CredibilityPartially aligned

Contention55/100

Progressives emphasize protecting patients, devices, rural providers, and workforce investment

02 · What it does

Full Analysis

Who stands to gain, and who may push back.

Likely benefits vs burdens50% / 50%

Likely helpedLikely burdened

These are examples from the analysis, not a ranked list of the most-affected groups.

Likely helped

Potential benefitImproved cyber resilience could reduce healthcare service disruptions, protecting patient care continuity and health ou…
Potential benefitEnhanced information sharing between CISA and HHS may increase threat awareness and speed incident response across the…
Potential benefitSector-specific training for owners and operators may improve security practices and lower some breach risks.

Likely burdened

Potential burdenNo new funding authorization may force agencies to reallocate existing budgets, limiting new program implementation.
Potential burdenRecommendations without funding could impose compliance costs on small and rural providers lacking resources.
Potential burdenDesignating high-risk covered assets could stigmatize facilities or affect insurance and procurement, depending on use.

03 · Why people split

Full Analysis

Why the argument around this bill splits.

Progressives emphasize protecting patients, devices, rural providers, and workforce investment

Progressive80%

Generally supportive.

This persona would view the bill as a constructive federal effort to protect patients and health services, especially by addressing device vulnerabilities, rural/small provider needs, workforce shortages, and information sharing.

They would criticize the lack of new funding and prefer stronger, mandatory assistance and workforce investment.

Leans supportive

Centrist70%

Cautiously favorable.

This persona sees practical value in improved coordination, training, and a refreshed sector risk plan, but worries implementation details, costs, and duplication with state efforts.

They will look for measurable milestones, accountability, and assurances this will not impose unfunded mandates on small providers.

Leans supportive

Conservative40%

Skeptical but not uniformly opposed.

This persona values stronger cybersecurity but is concerned about federal overreach, ill-defined high‑risk designations, and unfunded expectations placed on private and state actors.

They note the bill limits new authority and funding, which reduces but does not eliminate concerns about federal expansion.

Split reaction

04 · Can it pass?

Full Analysis

The path through Congress.

Introduced

Reached or meaningfully advanced

Committee

Reached or meaningfully advanced

Floor

Still ahead

President

Still ahead

Law

Still ahead

Passage likelihood70/100

Narrow, technical, low-cost measures with bipartisan appeal and clear implementation paths; committees and Senate procedure are main hurdles.

Scope and complexity

52%

Scopemoderate

52%

Complexitymedium

Why this could stall

No cost estimate or appropriation provided
Potential private-sector pushback on 'high-risk' listings

05 · Recent votes

Recent votes on the bill.

No vote history yet

The bill has not accumulated any surfaced votes yet.

06 · Go deeper

Go deeper than the headline read.

Included on this page

Progressives emphasize protecting patients, devices, rural providers, and workforce investment

Narrow, technical, low-cost measures with bipartisan appeal and clear implementation paths; committees and Senate procedure are main hurdle…

Unlocked analysis

Go beyond the headline summary with full stakeholder mapping, legislative design analysis, passage barriers, and lens-by-lens tradeoff breakdowns.

Perspective breakdownsPassage barriersLegislative design reviewStakeholder impact map

Open full analysis