Bipartisan Bill Proposes CISA-HHS Liaison to Address Hospital Cyberattacks


A new bipartisan bill introduced in Congress aims to improve coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to better defend hospitals against cyberattacks.
The Healthcare Cybersecurity Act, sponsored by Reps. Brian Fitzpatrick and Jason Crow, would create a formal liaison between CISA and HHS to facilitate real-time threat information sharing, enhance incident response, and coordinate cybersecurity training for healthcare providers, The Record reports.
Under the proposed legislation, both agencies would be required to conduct joint studies on vulnerabilities in the healthcare sector, with a particular focus on small and rural hospitals, medical devices, and electronic health records.
The findings would be compiled into a report for Congress within a year, including a list of high-risk devices and recommendations for protecting critical systems. The liaison would also serve as the primary point of contact during significant cyber incidents.
Lawmakers say the bill responds to a recent surge in cyberattacks that have shut down hospitals, disrupted emergency services, and compromised patient data. Fitzpatrick emphasized that such attacks not only threaten data but endanger lives, while Crow noted the bill is about building long-term resilience.
Critics argue the bill falls short by lacking provisions for real-time monitoring or deeper regulatory authority. Some experts believe the emphasis on training misses the real issue—lack of resources in hospitals to implement strong cybersecurity measures. Still, the bill represents another step in the ongoing effort to address persistent and growing cyber risks in healthcare.
Takeaway: Ransomware attacks on hospitals aren’t just a cybersecurity problem; they’ve become a public health crisis, and we’re way past the point of asking if these attacks harm patients. The data is in, and it tells us that patient outcomes get worse after a ransomware incident.
People are dying because lifesaving care is delayed, systems go offline, and entire facilities are thrown into chaos. This isn’t just about encrypted files or stolen records. It’s about real-world consequences, and they’re getting more severe by the day.
It’s a good sign that lawmakers are finally moving on this. A more formal CISA-HHS liaison, coordinated threat analysis, and a focus on high-risk devices are moves in the right direction, and we’re no longer pretending that hospitals can fight this battle alone.
Ransomware is a different breed of threat, one that bypasses traditional cyber defenses and preys on systemic weaknesses in underfunded, overworked environments like hospitals. You can train staff all day long, but training doesn’t stop zero-days, doesn’t patch legacy systems, and doesn’t fend off nation-state-level threats masquerading as cybercriminals.
This legislation helps move the conversation in the right direction. It acknowledges what many of us have been screaming for years: our response to ransomware, especially with regard to attacks on our critical infrastructure, has been woefully inadequate. We’re bleeding out.
This bill cracks open the door for federal muscle and budget to finally get aligned with the urgency of the threat. If we don’t build real resilience into the systems that keep people alive, ransomware groups will keep finding pressure points and squeezing them for every last drop.