Senate HELP Committee Advances Healthcare Cybersecurity Bill
The Senate Health, Education, Labor, and Pensions (HELP) Committee has advanced the Health Care Cybersecurity and Resiliency Act, with a 22-1 vote in favor of the bill. The Health Care Cybersecurity and Resiliency Act was first introduced in November 2025, followed by a largely unchanged bill that was reintroduced in December 2025. As the name suggests, the bill seeks to introduce new cybersecurity requirements to strengthen healthcare cybersecurity.
Many of the bill’s requirements were included in the proposed update to the HIPAA Security Rule issued by the HHS’ Office for Civil Rights in the final days of the Biden administration. It remains to be seen whether the current administration will push ahead with the HIPAA Security Rule update, which has proven to be unpopular with health systems and provider associations.
The Health Care Cybersecurity and Resiliency Act was proposed by a bipartisan group of senators – HELP Committee Chair Sen. Bill Cassidy (R-LA) and Sens. Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX) – and could attract more support than the unpopular Security Rule update. The Health Care Cybersecurity and Resiliency Act calls for several cybersecurity measures similar to, but not as extensive as, those in the proposed HIPAA Security Rule update. They include new minimum cybersecurity standards for HIPAA-regulated entities, including multifactor authentication, data encryption, penetration testing, and regular security audits. The bill also requires changes to breach reporting requirements, such as requiring all regulated entities to report the number of individuals affected by a cybersecurity incident, and requiring the HHS to publish the corrective actions and recognized security practices applied by a regulated entity following a data breach.
Other requirements of the bill include greater coordination between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA), a requirement for the HHS to develop a cybersecurity incident response plan, the designation by the HHS of the Administration for Strategic Preparedness and Response as the Sector Risk Management Agency, and enhanced recognition of security practices, including an annual report on how the HHS is complying with the requirements of the Consolidated Appropriations Act of 2021 with respect to the adoption of recognized security practices by HIPAA-regulated entities.
Much of the criticism of the proposed Security Rule update centered on the considerable burden it would place on healthcare providers and the cost of the required security changes, which would divert resources away from patient care. The Health Care Cybersecurity and Resiliency Act would provide financial assistance to under-resourced providers, including hospitals, cancer centers, rural health clinics, health facilities operated by the Indian Health Service, and academic health centers, to help them make the necessary improvements to cybersecurity. The bill also requires the HHS to issue guidance for rural entities and rural health clinics on best practices for cybersecurity breach prevention, resilience, and coordination with federal agencies.
While advancing past a HELP Committee vote is an important step, it remains to be seen whether the bill has sufficient strength to survive a House vote, make it to the President’s desk, and be signed into law.
The post Senate HELP Committee Advances Healthcare Cybersecurity Bill appeared first on The HIPAA Journal.
Ransom Demands Increase as Ransom Payments Fall to Record Low
Faced with diminishing returns from their attacks, ransomware groups conducted attacks in greater volume in 2025 and increased their ransom demands. In 2025, the number of claimed attacks increased by 50% year-over-year to the highest ever level; however, ransomware payments decreased by 8% year-over-year to $820 million, down from $892 million in 2024 and $1,023 million in 2023, according to the blockchain analytics firm Chainalysis.
The analysis reveals that ransomware groups are having to work much harder because fewer victims are choosing to pay ransoms. In 2024, 64% of victims of ransomware attacks paid the ransom to recover their data, prevent a data leak, or both. In 2025, the percentage of victims paying ransoms fell to a record low of just 28%. In addition to conducting more attacks, ransomware groups have increased their ransom demands. Chainalysis reports a 368% increase in median payment size, rising from $12,738 in 2024 to $59,556 in 2025.
Law enforcement operations appear to be having a positive effect, with ransom payments falling for two consecutive years. While there have been major operations targeting specific ransomware operations, law enforcement is increasingly targeting the infrastructure used by ransomware groups, such as bulletproof hosting providers and money laundering services. These services are used by financially motivated threat actors and state-sponsored hacking groups alike, and targeting them and imposing sanctions has increased the cost of attacks for threat actors.
The ransomware ecosystem has evolved, in part due to law enforcement operations and efforts by private sector companies targeting major players. There has been a shift from a handful of dominant strains to a much more fragmented ecosystem, with large numbers of smaller ransomware groups now operating, which find it easier to remain under the radar and avoid law enforcement takedowns. While the number of active ransomware and extortion groups varies across different analyses, there are thought to have been up to 85 distinct active ransomware groups in operation in 2025.
There has also been a change in the companies being targeted. Attacks on larger organizations can result in a bigger payday; however, the attacks need to be more sophisticated to breach defenses, and when attacks are successful, it can take longer for larger companies to pay the ransom. Ransomware groups appear to now favor small- to medium-sized organizations and are concentrating on conducting attacks in greater volume. While the ransom payments are much lower, attacks require less effort, and victims tend to pay up more quickly.
Another response to diminishing returns is more aggressive tactics, such as contacting patients, customers, and employees of an attacked organization directly. Some groups have abandoned data encryption altogether and are now solely focused on data theft and extortion. In some cases, these threat groups have analyzed the exfiltrated data to determine its sensitivity, which has allowed them to make highly specific threats about the consequences of a data leak.
“The ransomware narrative of 2025 cannot be told through revenue figures alone. While payments declined modestly, the scale, sophistication, and strategic impact of attacks continued to expand,” explained Chainalysis. “Organizations large and small — from global automakers to regional healthcare systems — faced extortion that disrupted operations, eroded trust, and faced systemic costs that far exceeded on-chain ransom totals.”
The post Ransom Demands Increase as Ransom Payments Fall to Record Low appeared first on The HIPAA Journal.