What Congress’s summer budget battle means for healthcare cybersecurity
Congress is debating a budget reconciliation package that could significantly impact healthcare cybersecurity. The budget reconciliation package—designed to fast-track the administration’s key priorities without bipartisan support—is raising alarm across sectors that rely on federal funding for cyber readiness and threat intelligence.
“This is expected to be the largest bill that will pass in President Trump’s second term,” said Cassie Ballard, Director of Congressional Affairs at CHIME, during the April 29 policy webinar. “It’s pretty much taken up all the oxygen in Congress.”
At stake: Cybersecurity reauthorization and Medicaid funding
The budget fight casts a shadow over critical cybersecurity legislation. One key concern is the reauthorization of the 2015 Cybersecurity Information Sharing Act (CISA), which expires at the end of this fiscal year. The law enables secure sharing of cyber threat intelligence between the private sector and federal agencies. Although sharing is voluntary, entities that share cyber threat indicators gain legal immunity from civil or regulatory liability.
“There are some concerns that that bill will lapse,” Ballard warned. “We’re not sure yet if that would pass as a standalone bill or maybe get attached to another bill, maybe an appropriations package.”
Given the scale and speed of the reconciliation effort, cybersecurity professionals are right to worry that urgent legislation like CISA reauthorization could get lost in the shuffle—or be used as leverage in political negotiations.
New federal reporting mandate: CIRCIA
Adding to the landscape of cybersecurity policy is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which introduces mandatory cyber incident reporting for critical infrastructure entities, including many in the healthcare sector. Under CIRCIA, covered entities will be required to report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransom payments within 24 hours.
Although CIRCIA was signed into law in 2022, its implementation is still in progress. A Notice of Proposed Rulemaking (NPRM) was published in April 2024, with a final rule expected by late 2025. Enforcement is anticipated to begin in 2026.
While some may wonder whether CIRCIA could replace the 2015 CISA law, the two serve distinct purposes. The 2015 CISA law facilitates voluntary cyber threat information sharing and offers liability protections, while CIRCIA establishes mandatory reporting requirements for cyber incidents. The two laws are complementary—the 2015 CISA law focuses on proactive collaboration and threat awareness, whereas CIRCIA ensures reactive transparency and accountability. Losing the 2015 CISA framework would remove critical protections and hinder real-time threat coordination, especially among healthcare organizations that depend on early warning systems and interagency communication.
Medicaid cuts could undermine cyber investments
The bill includes $880 billion in cuts from programs under the House Energy and Commerce Committee, slashing the budget for Medicaid.
“A lot of experts have said that it’s not possible to meet [an agreement] without cuts to Medicaid,” Ballard explained. “This [budget] bill will likely get no Democrat support. Republicans will need every vote they can get.”
A less obvious, but equally damaging consequence of massive Medicaid cuts could be the ripple effect on hospital IT infrastructure. Safety-net hospitals and Medicaid-heavy systems often rely on federal reimbursement to maintain basic digital health operations, including cybersecurity protections.
Proposals floated so far include controversial policies like imposing Medicaid work requirements, rescinding the Biden-era nursing home staffing rule, and a 10% Federal Medical Assistance Percentage (FMAP) reduction for states that provide Medicaid to undocumented immigrants.
The House Energy and Commerce Committee is expected to release its draft in early May. Until then, uncertainty looms.