Health Care Cybersecurity and Resiliency Act of 2025
Sponsored By: Senator Bill Cassidy
Introduced
Summary
Stronger cybersecurity standards for the health sector. This bill directs the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency to coordinate, set minimum technical standards, improve breach reporting, and fund grants and training to boost resiliency.
- Families and patients: Systems holding protected health information must use encryption and multifactor authentication. Breach reports must include the number of people affected, and the public breach portal will show corrective actions and whether recognized security practices were considered.
- Health providers and hospitals: HHS will require regular audits and penetration testing and may set other baseline standards with private sector input. Grants can pay for staff training, cloud migration, threat information sharing, and replacing legacy systems. Eligible entities include community health centers, hospitals, Indian Health Service facilities, cancer centers, and rural clinics.
- Rural providers and workforce: The Secretary must issue rural cybersecurity guidance within one year and the Government Accountability Office will assess implementation within three years. The bill directs a strategic workforce plan via the Health Resources and Services Administration and authorizes grant funding for FY2025–2030.
Bill Overview
Analyzed Economic Effects
5 provisions identified: 5 benefits, 0 costs, 0 mixed.
Grants to boost health cybersecurity
This bill would create an HHS grant program to help public and nonprofit health providers improve cybersecurity. Eligible recipients would include community health centers, IHS facilities, hospitals, cancer centers, rural clinics, academic health centers, and nonprofit referral partners. Grants could pay for hiring and training staff, system upgrades (including cloud migration), reducing legacy systems, joining threat-sharing groups, and contracting cybersecurity services. Grants may last up to 3 years and the bill authorizes "such sums as may be necessary" for FY2025 through FY2030.
New minimum rules for patient data
This bill would direct the HHS Secretary to update HIPAA rules to require baseline cybersecurity practices. Covered entities and business associates would need multifactor authentication for access to systems with protected health information, encryption of PHI, and regular security audits including penetration testing. The Secretary would set effective dates and give reasonable time for compliance. Additional minimum standards would be developed in consultation with private-sector experts based on threat analysis.
Federal health cyber coordination and transparency
This bill would require HHS and CISA to coordinate and share threat indicators, defensive measures, and sector-specific products for the Healthcare and Public Health Sector. The HHS Assistant Secretary for Preparedness and Response would lead department-wide cybersecurity oversight. HHS must develop a department-wide cybersecurity incident response plan within 1 year and send Congress a report 60 days before implementation. The bill would also expand breach reporting to require the number of people affected, add "investments" to recognized security practices, require guidance on those practices within 1 year, update the public breach portal within 1 year, and begin reporting annually on how recognized practices were considered.
Healthcare cyber training and workforce plan
This bill would require HHS, working with CISA and private-sector experts, to provide cybersecurity training to health sector asset owners and operators upon enactment. The HRSA Administrator would develop a strategic plan within 1 year to grow the healthcare cybersecurity workforce. The plan would include recommendations for education programs, training materials, best practices, and public-private collaboration.
Rural health cyber guidance and study
This bill would require the HHS Secretary to issue cyber readiness guidance for rural health entities within 1 year. The guidance would cover infrastructure, adopting Secretary-issued technical standards, staff training, and policies to support incident reporting. The Comptroller General (GAO) would report to Congress within 3 years on how rural providers implemented the guidance, challenges they faced, and steps to strengthen resilience.
Sponsors & CoSponsors
Sponsor
Bill Cassidy
LA • R
Cosponsors
Maggie Hassan
NH • D
Sponsored 12/2/2025
John Cornyn
TX • R
Sponsored 12/2/2025
Mark Warner
VA • D
Sponsored 12/2/2025
Roll Call Votes
No roll call votes available for this bill.