Sponsors (4)
Introduced December 2, 2025 by Bill Cassidy · Last progress December 2, 2025
The bill meaningfully strengthens health‑sector cybersecurity—reducing patient data breaches and improving national coordination and workforce capacity—but does so at the cost of increased federal spending, new compliance burdens (especially for small and rural providers), and greater reliance on third‑party vendors that could raise privacy and sustainability risks.
Patients and healthcare providers nationwide will face a lower risk of data breaches and care disruptions because the bill funds cybersecurity upgrades, technical assistance, and required safeguards (encryption, MFA, monitoring).
The legislation grows and professionalizes the healthcare cybersecurity workforce by funding training, aligning credentials, and creating job pathways, particularly benefiting IT and cybersecurity workers in health settings.
Rural, tribal, and Indian Health Service providers get targeted grants, guidance, and technical help that narrow urban–rural security gaps and protect access to care in underserved communities.
Taxpayers may face higher federal spending because the bill authorizes open-ended funding (“such sums as may be necessary”) for multiple years without a cap.
Small, rural, and resource-constrained providers (and some health IT vendors) will bear substantial compliance, implementation, and documentation costs to meet new standards, apply for grants, and adopt recommended practices.
Short grant award periods and reliance on time-limited federal grants risk funding gaps that could leave providers unable to sustain cybersecurity staff or operations after grant expiration.
Based on analysis of 12 sections of legislative text.
Strengthens health‑sector cybersecurity via grants, required minimum security standards, HHS–CISA coordination, workforce development, reporting streamlining, and rural support.
Creates a coordinated federal effort to improve cybersecurity and resilience across the health care and public health sector by funding grants, requiring new minimum cybersecurity standards and regulations, expanding HHS and CISA coordination, producing workforce training and guidance, and streamlining incident reporting. It authorizes multi‑year grants for eligible health providers, directs HHS to update HIPAA/security rules and issue regulations recognizing good security practices, sets deadlines for plans and reports, and requires special guidance and support for rural providers.