The bill is particularly impactful given the rise in cyber incidents affecting healthcare, with reported breaches increasing by 107% since 2018. It stipulates that, no later than one year after enactment, CISA must update the sector-specific risk management plan, which should include evaluations of how such risks affect rural and small to medium-sized assets. Additionally, the Secretary is tasked with identifying high-risk covered assets using objective criteria, which will inform the allocation of resources toward enhancing the cybersecurity resilience of these critical infrastructure components.
Summary
SB1851, known as the Healthcare Cybersecurity Act of 2025, aims to significantly enhance the cybersecurity posture of the Healthcare and Public Health Sector. As cyberattacks increasingly target medical facilities and their data systems, the bill emphasizes the need for improved coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services. The legislation mandates a comprehensive assessment of cybersecurity risks specific to covered assets, which include technologies, services, and utilities within this sector, along with the deployment of updated risk management plans to address these vulnerabilities.
Contention
While the focus on cybersecurity in healthcare is broadly supported, there may be points of contention regarding the implementation and oversight of these measures. Opponents could argue that the bill's stringent requirements, imposed without corresponding funding or resources, may exacerbate the compliance burden on healthcare facilities, particularly smaller entities. Furthermore, the lack of provisions for additional funding to carry out these initiatives may raise concerns among stakeholders regarding the feasibility and effectiveness of enhancing cybersecurity across the sector.