A critical cybersecurity shield for healthcare expired. What comes next is uncertain.
The Cybersecurity Information Sharing Act of 2015 officially expired on September 30, 2025, removing legal protections that for a decade enabled healthcare facilities to share cyber threat data with the federal government without fear of liability.
Four days before expiration, a Department of Homeland Security Inspector General report revealed that the Cybersecurity and Infrastructure Security Agency has not finalized plans for its Automated Indicator Sharing system beyond the deadline—even as Congress debates renewing the law itself.
For healthcare, this creates compounding uncertainty. The law provides liability shields. The AIS platform provides the mechanism for real-time, machine-to-machine threat sharing. Healthcare organizations could lose both, or find themselves with legal authority but no functioning system.
“If CISA 2015 is not reauthorized, it would be a step back for our nation’s cybersecurity posture,” says Errol Weiss, chief security officer at Health-ISAC. “The expiration jeopardizes the legal protections that have enabled public-private partnership collaboration for the past 10 years.”
Hospitals and health systems often lack internal cybersecurity expertise to defend against sophisticated attacks independently, making shared threat intelligence essential for patient safety and operational continuity.
Without legal protections, healthcare organizations may become hesitant to share threat data, disrupting existing relationships and slowing the exchange of indicators critical for defending against cyberattacks, according to a HIPAA Times report. Industry estimates suggest information sharing could drop as much as 80 percent without the law’s protections.
“Cyber adversaries are scaling up. AI is making attacks faster, cheaper, and more precise—just as the nation’s cyber defenses are fracturing. With the expiration of CISA 2015 and the defunding of the Multi-State Information Sharing and Analysis Center, government support for cybersecurity has disappeared overnight, costing the nation vital early warnings against today’s sophisticated threats,” emphasizes Joel Burleson-Davis, CTO at Imprivata. “The result is immediate—especially for critical infrastructure organizations, which have a direct impact on public health and safety. Critical industries like manufacturing and healthcare, for instance, remain top targets for ransomware and supply chain attacks. These industries depend on timely threat intelligence to stay ahead; even small delays can cascade into outages, disrupted supply chains, and patient safety risks.”
The House replacement: WIMWIG
The House Homeland Security Committee advanced the Widespread Information Management for the Welfare of Infrastructure and Government Act—WIMWIG—on September 3, 2025. Chairman Andrew Garbarino’s bill would extend protections for another decade and authorize AI-powered threat detection.
But the Inspector General report exposes operational fragility beneath the legislative debate. While cyber threat indicators surged from approximately one million in 2023 to more than 10 million in 2024, a single private-sector partner now accounts for 89 percent of public collection and 83 percent of federal collection. Total AIS participants have plummeted 65 percent since 2020, from 304 to just 105, according to the report.
The report reveals CISA has not finalized plans for AIS continuation. Program officials told auditors “the decision on whether to maintain the capability will be based on available resources and leadership’s priorities,” with operational costs averaging $1 million monthly. CISA stated it has “no immediate or near-term plan to discontinue the AIS service” but acknowledged the decision depends on funding and priorities.
Congress could renew the legal framework while CISA discontinues the operational platform, leaving healthcare organizations with permission to share threats but no automated system through which to do so.
Senate obstacle
Senate Homeland Security Chairman Rand Paul has blocked straightforward renewal. Paul argues that CISA’s work with social media companies on election-related misinformation amounts to censorship that violates the First Amendment. A 2023 House Judiciary Committee report claims that CISA coordinated with Stanford University to flag posts deemed misinformation to social media platforms leading up to the 2020 election.
“Everybody’s been talking. They want CISA reauthorized. All right, we’ll do it. But we’re going to put in there anti-censorship language,” Paul said in committee in July. He stated he will not support reauthorization unless it includes language prohibiting CISA—the agency—from countering online disinformation.
Senate aides told Axios that Paul is conflating CISA the agency with CISA 2015 the information-sharing law, which share the same acronym. The cybersecurity law authorizes threat sharing between companies and government; it does not govern the agency’s separate activities related to election security or disinformation.
Paul’s draft bill, obtained by Axios, proposes removing liability protections if organizations’ security incidents violated their own user agreements and privacy policies, changes that industry sources say would undermine the program. The draft also removes Freedom of Information Act protections, which currently shield shared threat data from public disclosure requests that could expose sensitive security information. Paul scheduled, then canceled, a committee markup in mid-September.
WIMWIG notably omits the disinformation restrictions Paul demands, with House sponsors seeking to avoid policy battles that could doom reauthorization.
What WIMWIG misses
The House bill maintains CISA 2015’s voluntary framework rather than mandating sharing by critical infrastructure entities like hospitals. It does not fundamentally reimagine threat intelligence sharing.
The Inspector General documented persistent quality problems. Federal and private-sector entities told auditors they struggle to filter threat indicators appropriately for their sectors. Improperly categorized data leads organizations to avoid deploying information, defeating the system’s purpose.
The report also found concerning barriers to participation. Organizations cited lack of organizational resources to support machine-readable indicator sharing, inconsistent vendor support for sharing technologies, and reluctance to dedicate resources to prepare internal threat intelligence for external consumption. Some federal entities stated they lack the maturity to produce unique threat indicators of value to the broader community.
Current sharing focuses on Indicators of Compromise—IP addresses, domains, and file hashes that become stale quickly as attackers pivot infrastructure using AI and automation. The report notes that in an era where threat actors constantly change their infrastructure, these indicators can become outdated within days, hours, or even minutes.
Uncertain path forward
House Republicans included a short-term extension until November 21 in a continuing resolution, though passage remains uncertain. WIMWIG passed the House Homeland Security Committee but awaits full House and Senate action.
For healthcare, the dual uncertainty compounds risk. Even if WIMWIG passes and restores legal protections, organizations could find themselves unable to participate in automated threat sharing if CISA discontinues AIS due to budget constraints.
Manual sharing processes exist but lack the speed and efficiency that make automated systems valuable against fast-moving threats. The potential loss could mean slower recovery times and greater harm following breaches, including delayed patient treatments and lost medical records.
The coming weeks will determine whether Congress can bridge its divisions—and whether CISA will maintain the operational infrastructure—or if a decade of progress in cybersecurity information sharing will unravel precisely when healthcare needs it most.
“With federal protections gone, unity is now more important than ever,” says Burleson-Davis. “Organizations must take action and prioritize collaborating across industries, sharing signals and defending mission-critical systems together. In cybersecurity, urgency and unity are no longer optional, but now the only way to keep systems running, protect data, and safeguard the public.”