The Healthcare Cybersecurity and Resiliency Act of 2025: What Smaller Providers Need to Know
Cybersecurity pressure on healthcare has been building for years. Ransomware, data breaches, and system outages now routinely disrupt patient care. In response, lawmakers have proposed the Healthcare Cybersecurity and Resiliency Act of 2025, a bipartisan effort aimed at strengthening cybersecurity across the healthcare sector, with specific attention to smaller and rural providers.
The Act isn’t law yet, but it sends a clear signal: healthcare cybersecurity is now being treated as a patient safety issue, not just an IT or compliance problem.
For smaller healthcare providers already navigating HIPAA, the big question is obvious: How does this fit with what we’re already required to do?
How This Relates to HIPAA (and Why That Matters)
Most notably, HIPAA is not being replaced.
The proposed Act does not introduce a new HIPAA-like rule, nor does it create a new enforcement body. The HIPAA Security Rule still governs how covered entities and business associates protect electronic protected health information (ePHI).
HIPAA already requires providers to:
- Safeguard the confidentiality, integrity, and availability of ePHI
- Identify and protect against reasonably anticipated threats
- Maintain policies, training, and incident response capabilities
- Document compliance and corrective actions
Those obligations remain unchanged.
So, what’s different?
HIPAA defines what providers must do. The proposed Act focuses on how providers are realistically expected to do it, especially when they don’t have large (or any internal) security teams or budgets.
What the Healthcare Cybersecurity and Resiliency Act of 2025 Actually Aims to Do
Rather than adding new HIPAA requirements, the Act is designed to support and strengthen HIPAA compliance in practice, particularly where smaller providers struggle.
- Funding and Grants for Cybersecurity Readiness
One of the Act’s central goals is to expand grant funding for healthcare organizations that lack the resources to invest in cybersecurity tools, assessments, and training. Smaller and rural providers are specifically identified as priority recipients.
This acknowledges a long-standing reality: HIPAA compliance without funding often results in paper compliance, not real-world resilience.
- Training and Practical Guidance
The Act emphasizes healthcare-specific cybersecurity training and best practices, helping providers move beyond checklists toward operational readiness.
This is especially relevant for HIPAA-covered entities, where employee behavior, phishing, and workflow shortcuts remain top contributors to incidents.
- Better Federal Coordination
Improved coordination between agencies like HHS and CISA should strengthen threat intelligence sharing and incident awareness across the healthcare sector.
For smaller providers, this matters because early warning and clearer guidance can dramatically reduce response time during an incident.
Why This Matters for Smaller Healthcare Providers Right Now
Smaller healthcare providers are often told, “Just follow HIPAA.” But HIPAA was never designed to address today’s ransomware-driven, operationally disruptive attacks on its own.
The proposed Act highlights a growing expectation shift:
- Compliance is the baseline
- One of our core mantras: build a cybersecurity plan that helps ensure defensibility and resiliency
Regulators are increasingly looking at whether providers can withstand and recover from cyber incidents, not just whether policies exist.
Even if this legislation never passes in its current form, the direction is clear. Expectations around preparedness are rising, not easing.
What Small Providers Should Do Today (Regardless of the Act)
Whether or not new legislation moves forward, these steps strengthen both HIPAA compliance and real-world resilience:
- Understand Your Risk: Know what patient data you handle, where it lives, and who has access. Clarity beats complexity.
- Practice Incident Response: HIPAA requires an incident response capability. Practicing it through tabletop exercises turns policy into muscle memory.
- Train Staff Consistently: Short, recurring awareness training and phishing testing are far more effective than annual sessions.
- Be Ready for Funding Opportunities: If grant programs become available, providers with assessments, plans, and documentation already in place will be able to move faster and use funds more effectively.
The OrbitalFire Perspective
We see the Healthcare Cybersecurity and Resiliency Act of 2025 as validation of what smaller healthcare providers that work with us already know:
HIPAA compliance is necessary, but it is not sufficient on its own.
Cybersecurity in healthcare today is about:
- Readiness, not just rules
- Practice, not just policy
- Support, not assumptions
At OrbitalFire, we specialize in cybersecurity for smaller organizations. We help healthcare providers translate HIPAA requirements into real, operational resilience, protecting you from cybercrime, audits, regulations, and yourself.
Want help preparing before new expectations become new requirements? Let’s Talk About Your Healthcare Cybersecurity Strategy.
Blog FAQ:
Is the Healthcare Cybersecurity and Resiliency Act of 2025 a new HIPAA law?
No. HIPAA is not being replaced. The proposed Act is separate from HIPAA and focuses on strengthening cybersecurity readiness and resilience across healthcare.
Does this Act add new HIPAA requirements?
Not directly. HIPAA remains the baseline for protecting ePHI. The Act is designed to provide support like funding, training, and improved coordination so healthcare organizations can better meet cybersecurity expectations.
How does HIPAA overlap with this proposed Act?
HIPAA defines required safeguards for ePHI. The proposed Act focuses on helping healthcare organizations improve real-world resilience, such as preparedness, response, and recovery.
What should small providers do now?
Prioritize practical readiness: understand your data and risks, practice incident response with tabletop exercises, train staff consistently, and be ready to leverage grants or support programs if they become available.