Congress Moves to Strengthen Healthcare Cybersecurity After Wave of Disruptive Attacks
U.S. lawmakers are advancing new legislation aimed at strengthening cybersecurity defenses across the healthcare sector, responding to a growing wave of cyberattacks that have exposed patient data and disrupted critical medical services nationwide.
The effort follows several high-profile breaches in recent years, most notably the 2024 ransomware attack on Change Healthcare that crippled claims processing across large portions of the U.S. healthcare system and disrupted patient care for weeks. The incident exposed the fragility of healthcare infrastructure and intensified calls for stronger federal action. According to an AHA impact report, the attack underscores the urgent need for a more resilient national preparedness strategy.
Now, members of Congress are attempting to push through a bipartisan framework designed to improve cybersecurity readiness among healthcare providers, insurers, and related service providers.
Bipartisan legislation advances
The Senate Health, Education, Labor and Pensions Committee recently advanced the bill in a decisive 22-1 vote, signaling broad support across party lines. The proposal, officially known as the Health Care Cybersecurity and Resilience Act, seeks to strengthen cyber defenses across healthcare networks while encouraging collaboration between federal agencies and private-sector operators.
Sen. Bill Cassidy (R-La.), chair of the committee and a lead sponsor of the legislation, said the Change Healthcare incident demonstrated how cyber incidents can cascade through the healthcare ecosystem.
“The Change Healthcare cyberattack in 2024 had widespread impacts on patient care,” Cassidy said in a statement. “This bill enhances cybersecurity across the health care system to better withstand these attacks.”
The legislation would push healthcare organizations to adopt stronger cybersecurity practices and improve resilience against disruptions that could jeopardize patient treatment or delay medical services. These efforts align with the HHS Cybersecurity Performance Goals, which provide a clear roadmap for prioritizing essential security measures.
A growing national security concern
Healthcare organizations have increasingly become prime targets for cybercriminals and nation-state actors. Hospitals and healthcare providers often operate legacy systems, manage vast amounts of sensitive patient data, and rely on complex supply chains — factors that make them attractive targets.
When healthcare networks are compromised, the consequences extend far beyond financial losses. System outages can delay surgeries, interrupt prescription processing, and disrupt emergency care operations. To combat these threats, CISA’s healthcare sector resources offer tools and guidance designed to harden these essential systems against evolving attack vectors.
The Change Healthcare attack illustrated the systemic risk. As one of the largest medical claims processors in the United States, the company sits at the center of the healthcare payment ecosystem. When its systems went offline, thousands of hospitals and clinics were forced to revert to manual billing processes.
Industry analysts say incidents like this highlight a broader challenge: the healthcare sector’s cybersecurity maturity has not kept pace with the increasing sophistication of cyber threats.
Industry support grows
Unlike earlier proposals that faced resistance from healthcare industry groups, the latest legislative effort appears to have broader support.
Organizations such as the Healthcare Trust Institute and the Blue Cross Blue Shield Association have backed the initiative, signaling that the industry is increasingly aligned with policymakers on the need for stronger protections and coordinated response mechanisms.
Previous proposals introduced in 2024 included stricter regulatory requirements and potential penalties for organizations that failed to meet cybersecurity standards. Those measures faced pushback from healthcare providers concerned about compliance costs and operational burdens. A detailed legislative analysis by The HIPAA Journal notes that the newer approach strikes a more collaborative tone, emphasizing resilience, information sharing, and public-private coordination.
Legislative hurdles remain
Despite bipartisan momentum, the bill still faces an uncertain path forward. Congressional leaders are juggling a packed legislative calendar ahead of upcoming elections, which could delay final passage.
Cybersecurity legislation has historically struggled to move quickly through Congress, often becoming entangled in broader debates about regulation, funding, and federal oversight.
Still, lawmakers say the stakes are too high to ignore.
Healthcare cyberattacks now rank among the most disruptive incidents affecting critical infrastructure, with attackers increasingly targeting hospitals, insurance providers, and healthcare technology vendors.
The broader policy shift
The emerging legislation reflects a broader shift in Washington’s approach to cybersecurity. Rather than focusing solely on government networks, policymakers are increasingly turning their attention to private-sector infrastructure that supports essential services.
Healthcare, energy, water systems, and transportation networks are all under growing scrutiny as potential cyberattack targets.
Security experts say strengthening healthcare cybersecurity is especially urgent because cyber incidents can quickly translate into real-world consequences for patients.
As Congress debates the next steps, one reality is clear: protecting healthcare systems from cyber threats is no longer just an IT challenge — it is now a national security priority.