Cyberattacks threaten critical infrastructure, and one of the strongest defenses may soon be under threat.
The Cybersecurity Information Sharing Act (CISA) of 2015 is set to expire on September 30, 2025, according to Congress.gov. The law enables hospitals and other critical infrastructure to share cyber threat data with the federal government under liability and privacy protections. If not renewed, healthcare facilities could lose key legal protections that make information sharing safer, potentially leaving them more vulnerable to growing cyberattacks.
“If CISA 2015 is not reauthorized, it would be a step back for our nation's cybersecurity posture,” says Errol Weiss, chief security officer at Health-ISAC. “The expiration jeopardizes the legal protections that have enabled public-private partnership collaboration for the past 10 years.”
Without those protections, organizations could become hesitant to share crucial threat data, Weiss says. This would disrupt existing information-sharing relationships and slow down the exchange of threat indicators, which are critical for defending against cyberattacks.
“The expiration of CISA 2015 would disproportionately impact the healthcare sector, which is a prime target for cybercriminals,” he says.
The healthcare sector reported more cyber incidents in the past year than any other critical infrastructure industry, according to the FBI’s 2024 Internet Crime Report. In total, 444 reported incidents impacted healthcare organizations, including 238 ransomware attacks and 206 data breach events.
Palomar Health Medical Group (PHMG) suffered one such cyberattack in May 2024 that knocked out its systems until July 2024, when it partially restored operations. The attack resulted in a breach involving unauthorized access to certain files, some of which may have been lost permanently. The incident caused substantial downtime and financial impact over its two-month duration.
Weiss adds that the healthcare sector would be impacted in these ways:
- Increased vulnerability: Many healthcare facilities lack the internal resources and expertise to independently fend off sophisticated attacks. They rely on shared intelligence and coordinated support from information-sharing organizations and government partners such as CISA and HHS.
- Loss of a coordinated defense: Cyberattacks on the healthcare sector often have cascading effects on patient care, safety and business operations. Without the legal cover provided by CISA 2015, the effectiveness of coordinated responses would be diminished. This could result in slower recovery times and greater harm following a breach, from delayed patient treatments to the loss of critical medical records.
As healthcare organizations prepare for the potential sunsetting of CISA 2015, experts emphasize the importance of proactive planning and investment in cybersecurity resilience. Healthcare facilities can tighten defenses through regular system audits, staff training and participating in trusted information-sharing networks. Healthcare facility managers can take these steps now to better safeguard patient care and maintain operational continuity, even amid an increasingly complex cyber landscape.
Jeff Wardon, Jr., is the assistant editor of the facilities market.