U.S. regulators and lawmakers are proposing new rules to protect hospitals from cyberattacks in 2025 after a bruising year of hacks and software outages, but small healthcare providers worry they can't afford to comply.

Many smaller providers say they are already fighting against hackers every day, and losing. "It's a constant battle.

We do better, they improvise, we have to learn again," said Todd Blum, chief executive of ENT & Allergy Associates of Florida, a group of about 100 ear, nose and throat doctors and other medical professionals.

A bipartisan bill proposed in the Senate in November would require the Department of Health and Human Services to overhaul its own cybersecurity processes, and develop incident-response plans for cyberattacks.

The bill also would add stricter cybersecurity requirements to the Health Insurance Portability and Accountability Act, including mandates for multifactor authentication and regular audits. It says the agency must provide guidance for rural medical providers, and grants, where appropriate, to strengthen cyber defenses.

Separately, HHS submitted HIPAA updates in October, including new requirements for protecting electronic health information, to the White House for review. With approval from the Biden administration, the agency expects to issue proposed rules in December, for public review.