The bill meaningfully strengthens health‑sector cybersecurity — reducing breach risk and improving coordination, especially for rural and tribal providers — but does so through open‑ended federal spending, new technical and reporting mandates, and greater vendor reliance that could strain small providers, raise privacy concerns, and produce significant compliance costs.
Patients and users of health care (including those with chronic conditions) will face a lower risk of data breaches and fewer care interruptions because hospitals, clinics, and federal health systems get strengthened cybersecurity protections, incident plans, and better coordination.
Hospitals, clinics, and health vendors will be required to adopt baseline technical safeguards (multifactor authentication, encryption, monitoring, and penetration testing), raising the overall resilience of health IT systems.
Hospitals and clinics — especially tribal and rural providers — will get grant funding and technical help to hire and train cybersecurity staff and upgrade systems, reducing security gaps for underserved communities.
Taxpayers face higher federal spending because the bill authorizes open-ended funds for FY2026–FY2030 and creates new recurring HHS/CISA responsibilities without a specific appropriation cap.
Small, rural, and resource-constrained providers and vendors will face substantial new compliance and administrative costs (grant applications, reporting, documentation, technical upgrades), which could strain budgets, reduce services, or drive consolidation.
Grant funding is time-limited (generally up to 3 years), risking sustainability gaps for cybersecurity staffing and operations once grant support ends.
Based on analysis of 12 sections of legislative text.
Authorizes grants and training, enacts HHS–CISA coordination, streamlines reporting, and requires HIPAA/security rule updates to mandate minimum cybersecurity practices and improve breach reporting.
Introduced December 2, 2025 by Bill Cassidy · Last progress December 2, 2025
Provides grants, training, coordination, regulatory changes, and reporting requirements to strengthen cybersecurity across the Healthcare and Public Health Sector. It funds multi‑year grants for eligible providers and their partners, directs HHS to develop workforce and capability plans and to coordinate with CISA and other agencies, and requires updates to HIPAA/security rules and breach notifications to improve resilience and information sharing. Requires HHS to issue regulations and guidance (many within 1 year), set minimum, risk‑based cybersecurity standards for covered entities (effective 36 months), and produce annual reports; it also directs targeted rural assistance and a GAO study on rural implementation and interagency coordination.