Introduced December 2, 2025 by Bill Cassidy · Last progress December 2, 2025
Provides federal grants, planning, rulemaking, and coordination to strengthen cybersecurity across the Healthcare and Public Health sector. It funds multi-year grants for health centers, rural clinics, Indian Health Service facilities, and nonprofit hospitals to hire staff, upgrade systems, and improve incident response; requires HHS to build workforce training and strategic plans; directs HHS and CISA to coordinate threat sharing and joint incident response planning; updates HHS emergency plans and breach reporting; and mandates updated HHS security regulations that set minimum, risk-based cybersecurity practices with a 36-month compliance window. The bill also requires rural-specific guidance and a GAO study on rural implementation.
The bill meaningfully strengthens cybersecurity across the healthcare sector—especially for rural and tribal providers—through funding, standards, and coordination, but does so at increased federal and provider cost while introducing privacy, implementation, and compliance risks that could disproportionately burden smaller providers and affect patients.
Nearly all patients and healthcare providers (hospitals, health systems, clinicians) will get stronger, sector‑wide cybersecurity protections — including standardized technical practices, coordinated threat sharing, and incident recovery planning — which should reduce the frequency and impact of data breaches and service disruptions.
Rural, tribal, and smaller nonprofit providers will receive prioritized grant funding, tailored guidance, and technical assistance to close capacity gaps and improve equity in cybersecurity readiness.
Healthcare workers and prospective cybersecurity professionals will gain standardized training and workforce-development programs aligned with NIST/NICE, expanding the sector’s skilled cybersecurity workforce and improving incident response.
U.S. taxpayers will fund new appropriations, federal programs, and staffing for HHS/CISA coordination, increasing federal spending over FY2026–FY2030.
Smaller, rural, and nonprofit providers face significant administrative and compliance burdens and up‑front costs to apply for grants, implement standards (encryption, MFA, pen testing), document recognized practices, and meet reporting requirements.
Providers may pass implementation and compliance costs onto patients or reduce services, which could raise healthcare costs for patients and families.