S. 3315, 119th Congress

Health Care Cybersecurity and Resiliency Act of 2026

Sponsored By: Senator Bill Cassidy

In Committee

Summary

Creates a coordinated federal effort to strengthen cybersecurity across the Healthcare and Public Health Sector, combining mandatory standards, grants, workforce training, and coordinated incident response planning to protect patient data and keep care running during attacks. This bill would require HHS and CISA to build joint plans, update security rules, fund grants, and run workforce and reporting programs to reduce cyber risk in hospitals, clinics, and other health providers.

  • Health care providers and business associates will face new minimum, risk-based security rules such as multifactor authentication, encryption, and monitoring. Those regulations take effect 36 months after enactment and include guidance on how recognized security practices count in enforcement decisions.
  • Rural clinics, Federally Qualified Health Centers, nonprofit hospitals, and Indian Health Service facilities gain access to grants for hiring cyber staff, cloud updates, threat sharing, and training. Grants may last up to 3 years and priority can go to applicants showing need.
  • Patients and the public get clearer reporting and coordination. Breach reports must state how many individuals were affected, and the bill requires joint incident plans and a working group to reduce duplicate reporting.

*Authorizes unspecified appropriations for FY2026–2030 to support grants and related activities.*


Bill Overview

Analyzed Economic Effects

5 provisions identified: 4 benefits, 0 costs, 1 mixed.

New mandatory cybersecurity rules

If enacted, HHS would be required to update HIPAA-related security rules so covered health entities and business associates adopt minimum risk-based cybersecurity practices. Required elements would include multifactor authentication, encryption of protected health information, monitoring and penetration testing, and other baseline standards based on NIST and sector frameworks. Those updated regulations would take effect 36 months after enactment, though the Secretary could use enforcement discretion in extraordinary circumstances.

Grants for health cybersecurity

If enacted, HHS would be authorized to award grants (up to 3 years each) to eligible health centers, Indian Health Service facilities, nonprofit hospitals, rural clinics, and nonprofit partners. Grants could pay for hiring and training cybersecurity staff, updating systems and cloud migration, joining threat-sharing groups, contracting outside cybersecurity help, risk assessments, and incident response planning. Applicants would need to show baseline measures and a plan to sustain activities after the grant ends. Congress could fund these grants for fiscal years 2026 through 2030 as necessary.

HHS and CISA coordination plan

If enacted, HHS and CISA would be required to coordinate on Healthcare and Public Health Sector cybersecurity. They would share threat information, make resources available, and provide technical help to health entities. They would have to issue a joint cybersecurity capability plan within 1 year and send it to Congress. HHS would also expand and implement its Cyber Annex within 1 year and report to Congress 60 days before using it. In addition, the Secretary would name a representative for this role and report on it within 60 days, with annual sector reports starting within 1 year.

Breach transparency and enforcement rules

If enacted, HHS would have to write rules within 1 year specifying that security investments can count as "recognized security practices" when deciding fines, audits, or remedies. Starting 2 years after enactment and annually thereafter, HHS would also have to provide an accounting of the cases in which those practices were considered. The bill would also require breach reports to include the number of individuals affected when covered entities send HITECH breach notifications.

Rural guidance and workforce training

If enacted, HHS would be required to issue rural cybersecurity guidance within 1 year and provide technical assistance to rural health entities to implement it. The guidance would cover infrastructure improvements, part-time outsourcing of IT/CISO functions, regional IT sharing, cloud migration, workforce preparation, and policies to facilitate incident reporting. HHS would also develop a strategic plan within 1 year to grow the health cybersecurity workforce, covering education, training best practices, rural facility needs, AI for preparedness, and alignment with the national workforce framework. The Government Accountability Office would study rural implementation and report to Congress within 3 years.

Sponsors & CoSponsors

Sponsor

Bill Cassidy

LA • R

Cosponsors

  • Maggie Hassan

    NH • D

    Sponsored 12/2/2025

  • John Cornyn

    TX • R

    Sponsored 12/2/2025

  • Mark Warner

    VA • D

    Sponsored 12/2/2025

Roll Call Votes

No roll call votes available for this bill.

