
How the Healthcare Cybersecurity Act could impact the healthcare landscape

Feb 26th, 2026

By Ethan Popowitz

Cybersecurity remains a defining challenge for the healthcare industry. As care delivery becomes increasingly digital and devices more interconnected, the risk of disruption from a cyberattack continues to grow.

The Healthcare Cybersecurity Act is a bipartisan proposal designed to address this problem. If written into law, it would establish a formal partnership between the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS). The goal of the legislation is to improve cybersecurity resilience in provider organizations by requiring CISA to provide tailored resources, threat intelligence, and technical assistance for healthcare providers.

While organizations of all shapes and sizes stand to potentially benefit from this bill, there is a considerable focus on supporting small, rural, and independent healthcare providers. When it comes to upgrading information systems and keeping patient data secure, these facilities often face a steep uphill battle. Whether it’s due to a lean IT team, a limited budget, or aging technologies (or all the above), it can be a tremendous challenge for small and rural providers to build a modern cybersecurity program. Yet the responsibility to protect sensitive patient data remains the same.

What is the Healthcare Cybersecurity Act?

At its core, the Healthcare Cybersecurity Act aims to improve cybersecurity preparedness across provider organizations throughout the healthcare industry, with a particular focus on small, rural, and independent practices that may lack a dedicated IT team.

You can read the latest version of the legislative text, which is currently under review in both the Senate and the House of Representatives, for the complete list of provisions. Below, I’ll share some of the key components of the bill and discuss why, should it be passed into law, it could benefit the healthcare industry.

  1. Interagency coordination. The bill proposes a close partnership between CISA and HHS. A dedicated CISA liaison would work directly with HHS to facilitate real-time collaboration and incident management.
  2. Support for non-federal providers. CISA would provide comprehensive, accessible cybersecurity resources tailored to the needs of diverse healthcare environments, including threat intelligence and technical assistance.
  3. Cybersecurity training. The bill calls for CISA to develop best practices and training programs for securing healthcare systems.
  4. Evaluation of vulnerabilities. CISA and HHS would investigate and evaluate vulnerabilities across the healthcare industry, including IT infrastructure, EHRs, medical devices, workforce shortages, and more.

Why is the Healthcare Cybersecurity Act important?

The Healthcare Cybersecurity Act arrives at a time when data breaches and cyber threats facing the healthcare industry are not only persistent, but also increasingly sophisticated.

According to breach reports submitted to the HHS Office for Civil Rights, the total number of reported breaches has stayed elevated year-over-year.

Fig 1. Total volume of data breaches reported to the HHS from January 1, 2020, through December 31, 2025. Data breaches were reported by healthcare providers, health plans, healthcare clearing houses, and business associates of those entities. The data includes data breaches currently under investigation as well as archived cases. Source: HHS Office for Civil Rights, HIPAA Breach Reporting Tool. Accessed February 2026.  

While headlines often focus on large ransomware events, federal reporting data shows that data breaches have remained consistently high in recent years. The broader trend is clear: Healthcare organizations continue to experience hundreds of reportable breaches annually. It’s an opportunity for vendors, organizations, and the federal government to provide assistance and resources to keep protected health information (PHI) secure and patients safe.

Hacking attempts remain the dominant threat vector

Fig 2. Most common types of healthcare data breaches from 2020 through 2025, reported to the HHS Office for Civil Rights. Source: HHS Office for Civil Rights, HIPAA Breach Reporting Tool. Accessed February 2026.  

When examining breach types, hacking and IT incidents account for the vast majority of breaches, about 78%, significantly outpacing the other categories. This reinforces that most modern healthcare breaches are not the result of misplaced devices or paperwork—they stem from deliberate and technically sophisticated cyber activity. Threat actors increasingly rely on phishing, ransomware, credential harvesting, and exploitation of other vulnerabilities to capture data.

Network servers and email are primary entry points

Fig 3. Most common locations of breached data in a healthcare organization from 2020 through 2025, reported to the HHS Office for Civil Rights. Source: HHS Office for Civil Rights, HIPAA Breach Reporting Tool. Accessed February 2026.

Breach location data further clarifies where vulnerabilities exist. Network servers and email systems account for about 58% and 26% of compromised data locations, respectively.

The cost of inaction

Data breaches in the healthcare industry are among the most financially damaging across any sector, costing organizations millions of dollars per incident. According to IBM’s Cost of a Data Breach Report 2025, healthcare held the highest average breach cost among industries for the twelfth consecutive year at $7.42 million, even though it saw a reduction from last year ($9.77 million). The report goes on to say that attackers value and target patient PHI for identity theft, insurance fraud, and other financial crimes.

But in healthcare, the consequences extend beyond cost. Cyberattacks can delay treatments, shut down hospital systems, cause medical errors, erode patient trust, and lead to higher insurance premiums for the affected organization.

Don’t wait for legislation—start strengthening your defenses now

While the Healthcare Cybersecurity Act could offer specialized resources, training, and assistance, it is still under consideration. Even if passed, implementation and rollout of support programs would take time.

Fortunately, there are practical steps you and your teams can take today to reduce risk and improve cybersecurity resilience.

Practical steps to improve cyber resilience at your organization

Understanding where risk originates is the first step toward mitigating it. You should remain vigilant against:

  • Phishing attempts, which use deceptive emails to trick employees into sharing credentials or downloading malware.
  • Ransomware, an attack that encrypts critical data and holds it hostage until the organization pays for its release.
  • Insider leaks of sensitive data by employees or contractors, whether accidental or malicious.
  • Third-party vulnerabilities introduced by the vendors and partner organizations that handle your healthcare data.

You can also consider taking more meaningful action within your organization. This includes:

  • Expanding cybersecurity leadership at the executive level through a Chief Information Security Officer (CISO).
  • Investing in secure technologies like multi-factor authentication, secure cloud configurations, endpoint detection, and more.
  • Leveraging AI in defensive ways, such as real-time monitoring, anomaly detection, and threat response.
  • Training employees to be a first line of defense.

The truth is that cybersecurity resilience is not built overnight. But incremental, strategic improvements can significantly reduce exposure and improve response capabilities.

What it all means

If enacted, the Healthcare Cybersecurity Act could help provide stronger coordination, clearer intelligence, and more accessible support to all healthcare provider organizations. The legislation could help fill gaps in preparedness and improve how providers anticipate and respond to modern cyber threats.

But legislation alone won’t eliminate the risk of a data breach. You can take steps in your own organization today to strengthen internal defenses, find vulnerabilities, and prioritize resources effectively.

You can find plenty more insights, tips, and best practices in our Content Center. Check out our blog on building cybersecurity resilience in rural hospitals, learn how to protect your organization against AI-powered phishing attacks, or dive into the latest cybersecurity developments in our 2026 healthcare trends eBook.

As healthcare grows more digitally connected, clarity and visibility will become even more important. Definitive Healthcare helps teams better understand the healthcare landscape, from provider networks and technology adoption to broader market dynamics that influence strategic risk.

Book a demo today to see how Definitive Healthcare can support your strategic planning and growth efforts.

About the Author

Ethan Popowitz

Ethan Popowitz is a Senior Content Writer at Definitive Healthcare. He writes data-driven articles about telehealth, AI, the healthcare staffing shortage, and everything in…