[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 3315 Reported in Senate (RS)]
<DOC>
Calendar No. 365
119th CONGRESS
2d Session
S. 3315
To require the Secretary of Health and Human Services and the Director
of the Cybersecurity and Infrastructure Security Agency to coordinate
to improve cybersecurity in the health care and public health sectors,
and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
December 2, 2025
Mr. Cassidy (for himself, Ms. Hassan, Mr. Cornyn, and Mr. Warner)
introduced the following bill; which was read twice and referred to the
Committee on Health, Education, Labor, and Pensions
March 23, 2026
Reported by Mr. Cassidy, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To require the Secretary of Health and Human Services and the Director
of the Cybersecurity and Infrastructure Security Agency to coordinate
to improve cybersecurity in the health care and public health sectors,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Health Care Cybersecurity
and Resiliency Act of 2025''.</DELETED>
<DELETED>SEC. 2. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Agency.--The term ``Agency'' means the
Cybersecurity and Infrastructure Security Agency.</DELETED>
<DELETED> (2) Cybersecurity incident.--The term
``cybersecurity incident'' has the meaning given the term
``incident'' in section 3552 of title 44, United States
Code.</DELETED>
<DELETED> (3) Cybersecurity state coordinator.--The term
``Cybersecurity State Coordinator'' means a Cybersecurity State
Coordinator appointed under section 2217(a) of the Homeland
Security Act of 2002 (6 U.S.C. 665c(a)).</DELETED>
<DELETED> (4) Director.--The term ``Director'' means the
Director of the Agency.</DELETED>
<DELETED> (5) Healthcare and public health sector.--The term
``Healthcare and Public Health Sector'' means the Healthcare
and Public Health sector, as identified in Presidential Policy
Directive 21 (February 12, 2013; relating to critical
infrastructure security and resilience).</DELETED>
<DELETED> (6) Information sharing and analysis
organization.--The term ``Information Sharing and Analysis
Organization'' has the meaning given such term in section 2200
of the Homeland Security Act of 2002 (6 U.S.C. 650).</DELETED>
<DELETED> (7) Information system.--The term ``information
system'' has the meaning given such term in section 102 of the
Cybersecurity Information Sharing Act of 2015 (6 U.S.C.
1501).</DELETED>
<DELETED> (8) Secretary.--The term ``Secretary'' means the
Secretary of Health and Human Services.</DELETED>
<DELETED>SEC. 3. DEPARTMENT COORDINATION WITH THE AGENCY.</DELETED>
<DELETED> (a) In General.--The Secretary and the Director shall
coordinate, including by entering into a cooperative agreement, as
appropriate, to improve cybersecurity in the Healthcare and Public
Health Sector.</DELETED>
<DELETED> (b) Assistance.--</DELETED>
<DELETED> (1) In general.--The Secretary shall coordinate
with the Director to make resources available to entities that
are receiving information shared through programs managed by
the Director or the Secretary, including Information Sharing
and Analysis Organizations, information sharing and analysis
centers, and non-Federal entities.</DELETED>
<DELETED> (2) Scope.--The coordination under paragraph (1)
shall include--</DELETED>
<DELETED> (A) developing products specific to the
needs of Healthcare and Public Health Sector entities;
and</DELETED>
<DELETED> (B) sharing information relating to cyber
threat indicators and appropriate defensive
measures.</DELETED>
<DELETED>SEC. 4. CLARIFYING CYBERSECURITY RESPONSIBILITIES AT THE
DEPARTMENT OF HEALTH AND HUMAN SERVICES.</DELETED>
<DELETED> Part A of title III of the Public Health Service Act (42
U.S.C. 241 et seq.) is amended by adding at the end the
following:</DELETED>
<DELETED>``SEC. 310C. OVERSIGHT OF CYBERSECURITY ACTIVITIES.</DELETED>
<DELETED> ``The Secretary, acting through the Assistant Secretary
for Preparedness and Response, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency pursuant to section
2218 of the Homeland Security Act of 2002, shall lead oversight and
coordination of activities within the Department of Health and Human
Services to support cybersecurity resiliency within the Healthcare and
Public Health Sector (as defined in section 2 of the Health Care
Cybersecurity and Resiliency Act of 2025), including coordination and
communication with other public and private entities related to
preparedness for, and responses to, cybersecurity incidents, consistent
with applicable provisions of this Act, other applicable laws, and
Presidential Policy Directive 21 (February 12, 2013; relating to
critical infrastructure security and resilience).''.</DELETED>
<DELETED>SEC. 5. CYBERSECURITY INCIDENT RESPONSE PLAN.</DELETED>
<DELETED> Section 405 of the Cybersecurity Act of 2015 (6 U.S.C.
1533) is amended--</DELETED>
<DELETED> (1) in subsection (a)--</DELETED>
<DELETED> (A) in paragraph (4)--</DELETED>
<DELETED> (i) in the paragraph heading, by
inserting ``information system;'' after
``Federal entity;''; and</DELETED>
<DELETED> (ii) by inserting ```information
system','' after ```Federal
entity','';</DELETED>
<DELETED> (B) by redesignating paragraphs (4)
through (7) as paragraphs (6) through (9),
respectively; and</DELETED>
<DELETED> (C) by inserting after paragraph (3) the
following:</DELETED>
<DELETED> ``(4) Cybersecurity incident.--The term
`cybersecurity incident' has the meaning given the term
`incident' in section 3552 of title 44, United States
Code.</DELETED>
<DELETED> ``(5) Cybersecurity risk.--The term `cybersecurity
risk' has the meaning given such term in section 2200 of the
Homeland Security Act of 2002 (6 U.S.C. 650).''; and</DELETED>
<DELETED> (2) in subsection (d), by adding at the end the
following:</DELETED>
<DELETED> ``(4) Plan.--</DELETED>
<DELETED> ``(A) In general.--Not later than 1 year
after the date of enactment of the Health Care
Cybersecurity and Resiliency Act of 2025, the Secretary
shall develop and implement a cybersecurity incident
response plan to inform applicable personnel within the
Department of Health and Human Services of processes
and protocols to prepare for, and respond to,
cybersecurity incidents involving information,
including hardware, software, databases, and networks,
used or maintained by, or on behalf of, the Department,
including strategies--</DELETED>
<DELETED> ``(i) to assess cybersecurity
risks;</DELETED>
<DELETED> ``(ii) to prevent cybersecurity
incidents;</DELETED>
<DELETED> ``(iii) to detect and identify
cybersecurity incidents;</DELETED>
<DELETED> ``(iv) to minimize damage in the
event of a cybersecurity incident;</DELETED>
<DELETED> ``(v) to protect data;
and</DELETED>
<DELETED> ``(vi) to recover from any
cybersecurity incidents
expeditiously.</DELETED>
<DELETED> ``(B) Consultation.--In developing the
plan under subparagraph (A), the Secretary shall
consult with the Director of the Cybersecurity and
Infrastructure Security Agency, the Director of the
Office of Management and Budget, and the Director of
the National Institute of Standards and Technology, and
relevant experts, as appropriate.</DELETED>
<DELETED> ``(C) Report.--Not later than 60 days
before the date on which the Secretary begins
implementing the plan under subparagraph (A), the
Secretary shall submit to the Committee on Health,
Education, Labor, and Pensions and the Committee on
Homeland Security and Governmental Affairs of the
Senate and the Committee on Energy and Commerce, the
Committee on Oversight and Reform, and the Committee on
Homeland Security of the House of Representatives a
report that describes such plan.''.</DELETED>
<DELETED>SEC. 6. BREACH REPORTING PORTAL.</DELETED>
<DELETED> (a) Updates to Breach Reporting Portal.--Section 13402 of
the HITECH Act (42 U.S.C. 17932) is amended by adding at the end the
following:</DELETED>
<DELETED> ``(k) Updates to Regulations.--Not later than 1 year after
the date of enactment of the Health Care Cybersecurity and Resiliency
Act of 2025, the Secretary shall update the regulations promulgated
pursuant to subsection (j) to require that information required to be
publicly displayed in the breach reporting portal established pursuant
to this section includes--</DELETED>
<DELETED> ``(1) information on any corrective action taken
against a covered entity that provided notification of a breach
under this section;</DELETED>
<DELETED> ``(2) information on whether and to what extent,
as appropriate, recognized security practices (as defined in
section 13412(b)(1)) were considered in the investigation of
such a breach; and</DELETED>
<DELETED> ``(3) such additional information about such a
breach as the Secretary may require.''.</DELETED>
<DELETED>SEC. 7. CLARIFYING BREACH REPORTING OBLIGATIONS.</DELETED>
<DELETED> Section 13402(f) of the HITECH Act (42 U.S.C. 17932(f)) is
amended by adding at the end the following:</DELETED>
<DELETED> ``(6) The number of individuals affected by the
breach.''.</DELETED>
<DELETED>SEC. 8. ENHANCING RECOGNITION OF SECURITY PRACTICES.</DELETED>
<DELETED> (a) Recognized Security Practices.--Section 13412(b)(1) of
the HITECH Act (42 U.S.C. 17941(b)(1)) is amended, in the first
sentence, by inserting ``, investments,'' after ``other
programs''.</DELETED>
<DELETED> (b) Guidance.--Not later than 1 year after the date of
enactment of this Act, the Secretary shall issue guidance on the
implementation of section 13412 of the HITECH Act (42 U.S.C. 17941),
which shall include--</DELETED>
<DELETED> (1) recognized security practices (as defined in
subsection (b)(1) of such section) that the Secretary may
consider when determining fines under such section;</DELETED>
<DELETED> (2) the extent to which such recognized security
practices should be in place for consideration by the
Secretary; and</DELETED>
<DELETED> (3) procedural requirements or information that
shall be submitted by a covered entity or business associate
(as such terms are defined in section 13400 of the HITECH Act
(42 U.S.C. 17921)) to the Secretary for
consideration.</DELETED>
<DELETED> (c) Annual Report.--Not later than 2 years after the date
of enactment of this Act, and annually thereafter, the Secretary shall
include in the annual report required under section 13424(a) of the
HITECH Act (42 U.S.C. 17953(a)) information on implementation of
section 13412 of such Act (42 U.S.C. 17941), including an accounting of
every case in which the Secretary considered recognized security
practices (as defined in subsection (b)(1) of such section) when
effectuating audits and assessing fines under such section.</DELETED>
<DELETED>SEC. 9. REQUIRED CYBERSECURITY STANDARDS.</DELETED>
<DELETED> (a) In General.--The Secretary shall update the privacy,
security, and breach notification regulations under parts 160 and 164
of title 45, Code of Federal Regulations (or any successor regulation)
to require covered entities and business associates to adopt the
following cybersecurity practices:</DELETED>
<DELETED> (1) Multifactor authentication, or a successor
technology, for access to any information systems that may
include protected health information.</DELETED>
<DELETED> (2) Safeguards to encrypt protected health
information.</DELETED>
<DELETED> (3) Requirements to conduct audits, including
penetration testing, to maintain the protections of information
systems.</DELETED>
<DELETED> (4) Other minimum cybersecurity standards, as
determined by the Secretary, in consultation with private
sector entities, based on landscape analysis of emerging and
existing cybersecurity vulnerabilities and consensus-based best
practices.</DELETED>
<DELETED> (b) Effective Dates.--The Secretary shall specify in the
regulations the effective date for each of the new requirements under
the regulations updated in accordance with subsection (a). Each such
effective date shall provide reasonable time for the entities subject
to the requirement to come into compliance.</DELETED>
<DELETED>SEC. 10. GUIDANCE ON RURAL CYBERSECURITY READINESS.</DELETED>
<DELETED> Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C.
1533(d)) (as amended by section 5(2)) is amended by adding at the end
the following:</DELETED>
<DELETED> ``(5) Rural cybersecurity guidance.--</DELETED>
<DELETED> ``(A) Definition of rural.--In this
paragraph, the term `rural' has the meaning given such
term by the Health Resources and Services
Administration.</DELETED>
<DELETED> ``(B) Guidance on rural cybersecurity
readiness.--Not later than 1 year after the date of
enactment of the Health Care Cybersecurity and
Resiliency Act of 2025, the Secretary shall issue
guidance to rural entities on best practices to improve
cyber readiness, including strategies--</DELETED>
<DELETED> ``(i) to improve cyber
infrastructure, including any technical
safeguards to mitigate cybersecurity
risk;</DELETED>
<DELETED> ``(ii) to integrate best practices
issued by the Secretary to improve
cybersecurity preparedness;</DELETED>
<DELETED> ``(iii) to improve employee
preparation to mitigate any cybersecurity
risks, including existing public-private
programs to support educational initiatives;
and</DELETED>
<DELETED> ``(iv) to implement policies to
facilitate mandatory cybersecurity incident
reporting requirements under law.</DELETED>
<DELETED> ``(C) GAO study and report.--</DELETED>
<DELETED> ``(i) In general.--Not later than
3 years after the date of enactment of the
Health Care Cybersecurity and Resiliency Act of
2025, the Comptroller General of the United
States shall conduct, and submit to the
Committee on Health, Education, Labor, and
Pensions of the Senate and the Committee on
Energy and Commerce of the House of
Representatives a report that describes the
results of, a study to examine how rural
entities have implemented the recommendations
included in the guidance under subparagraph
(B).</DELETED>
<DELETED> ``(ii) Requirements.--The study
under clause (i) shall assess--</DELETED>
<DELETED> ``(I) how rural entities
have implemented any technical
safeguards and any challenges faced by
such rural entities in areas for which
safeguards were not
implemented;</DELETED>
<DELETED> ``(II) steps to further
support cyber resilience for rural
entities;</DELETED>
<DELETED> ``(III) areas to improve
coordination between Federal agencies,
including for the purposes of required
cyber reporting; and</DELETED>
<DELETED> ``(IV) any opportunities
to support public-private collaboration
in the area of cyber
readiness.''.</DELETED>
<DELETED>SEC. 11. GRANTS TO ENHANCE CYBERSECURITY IN THE HEALTH AND
PUBLIC HEALTH SECTORS.</DELETED>
<DELETED> Part P of title III of the Public Health Service Act (42
U.S.C. 280g et seq.) is amended by adding at the end the
following:</DELETED>
<DELETED>``SEC. 399V-8. GRANTS.</DELETED>
<DELETED> ``(a) In General.--The Secretary may award grants to
eligible entities for the adoption and use of cybersecurity best
practices.</DELETED>
<DELETED> ``(b) Eligible Entity.--To be eligible to receive a grant
under subsection (a) an entity shall be--</DELETED>
<DELETED> ``(1) a public or nonprofit private health center
(including a Federally qualified health center (as defined in
section 1861(aa)(4) of the Social Security Act));</DELETED>
<DELETED> ``(2) a health facility operated by or pursuant to
a contract with the Indian Health Service;</DELETED>
<DELETED> ``(3) a hospital;</DELETED>
<DELETED> ``(4) a cancer center;</DELETED>
<DELETED> ``(5) a rural health clinic;</DELETED>
<DELETED> ``(6) an academic health center; or</DELETED>
<DELETED> ``(7) a nonprofit entity that enters into a
partnership or coordinates referrals with an entity described
in any of paragraphs (1) through (6).</DELETED>
<DELETED> ``(c) Use of Funds.--In adopting and using cybersecurity
best practices pursuant to a grant under subsection (a), an eligible
entity may use grant funds--</DELETED>
<DELETED> ``(1) to hire and train personnel in such
cybersecurity best practices;</DELETED>
<DELETED> ``(2) to update electronic data systems, such as
by migrating to cloud based platforms;</DELETED>
<DELETED> ``(3) to join and participate in health
cybersecurity threat information sharing
organizations;</DELETED>
<DELETED> ``(4) to reduce the use of legacy systems;
and</DELETED>
<DELETED> ``(5) to contract with third parties to assist
with the activities described in paragraphs (1) through
(5).</DELETED>
<DELETED> ``(d) Grant Period.--The Secretary may award a grant under
this section for a period of not more than 3 years.</DELETED>
<DELETED> ``(e) Application.--An eligible entity seeking a grant
under subsection (a) shall submit to the Secretary an application at
such time, in such manner, and containing such information as the
Secretary may require including, at a minimum a description of how the
eligible entity will establish baseline measures and benchmarks that
meet the Secretary's requirements to evaluate program
outcomes.</DELETED>
<DELETED> ``(f) Authorization of Appropriations.--There are
authorized to be appropriated to carry out this section such sums as
may be necessary for each of fiscal years 2025 through
2030.''.</DELETED>
<DELETED>SEC. 12. HEALTHCARE CYBERSECURITY WORKFORCE.</DELETED>
<DELETED> (a) Training for Healthcare Experts.--The Secretary, in
coordination with the Cybersecurity State Coordinators of the Agency
and private sector health care experts, as appropriate, shall provide
training to Healthcare and Public Health Sector asset owners and
operators on--</DELETED>
<DELETED> (1) cybersecurity risks to information systems
within the Healthcare and Public Health Sector; and</DELETED>
<DELETED> (2) ways to mitigate the risks to information
systems in the Healthcare and Public Health Sector.</DELETED>
<DELETED> (b) Cross-Agency Educational Tools.--</DELETED>
<DELETED> (1) In general.--Not later than 1 year after the
date of enactment of this Act, the Secretary, acting through
the Administrator of the Health Resources and Services
Administration, in coordination with the Agency, shall develop
a strategic plan to support growing the cybersecurity workforce
for health care entities.</DELETED>
<DELETED> (2) Inclusions.--The strategic plan under
paragraph (1) shall include--</DELETED>
<DELETED> (A) recommendations for existing
educational programs that can be used to support
cybersecurity training;</DELETED>
<DELETED> (B) dissemination and development of
educational materials on how to improve cybersecurity
resilience;</DELETED>
<DELETED> (C) development of best practices to train
the health care workforce on cybersecurity best
practices; and</DELETED>
<DELETED> (D) opportunities for public-private
collaboration to strengthen the cybersecurity
workforce.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Health Care Cybersecurity and
Resiliency Act of 2026''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``Agency'' means the Cybersecurity
and Infrastructure Security Agency.
(2) Business associate.--The term ``business associate''
has the meaning given such term in section 160.103 of title 45,
Code of Federal Regulations (or a successor regulation).
(3) Covered entity.--The term ``covered entity'' has the
meaning given such term in section 160.103 of title 45, Code of
Federal Regulations (or a successor regulation).
(4) Cybersecurity incident.--The term ``cybersecurity
incident'' has the meaning given the term ``incident'' in
section 3552 of title 44, United States Code.
(5) Cybersecurity state coordinator.--The term
``Cybersecurity State Coordinator'' means a Cybersecurity State
Coordinator appointed under section 2217(a) of the Homeland
Security Act of 2002 (6 U.S.C. 665c(a)).
(6) Director.--The term ``Director'' means the Director of
the Agency.
(7) Healthcare and public health sector.--The term
``Healthcare and Public Health Sector'' means the Healthcare
and Public Health sector, as identified in National Security
Memorandum-22 (April 30, 2024; relating to critical
infrastructure security and resilience).
(8) Information sharing and analysis organization.--The
term ``Information Sharing and Analysis Organization'' has the
meaning given such term in section 2200 of the Homeland
Security Act of 2002 (6 U.S.C. 650).
(9) Information system.--The term ``information system''
has the meaning given such term in section 2200 of the Homeland
Security Act of 2002 (6 U.S.C. 650).
(10) Recognized security practices.--The term ``recognized
security practices'' has the meaning given such term in section
13412(b)(1) of the HITECH Act (42 U.S.C. 17941(b)(1)).
(11) Secretary.--The term ``Secretary'' means the Secretary
of Health and Human Services.
SEC. 3. DEPARTMENT COORDINATION WITH THE AGENCY.
(a) In General.--The Secretary and the Director shall coordinate,
including by entering into a cooperative agreement, as appropriate, to
improve cybersecurity in the Healthcare and Public Health Sector.
(b) Assistance.--
(1) In general.--The Secretary shall coordinate with the
Director to make resources available to entities that are
receiving information shared through programs managed by the
Director or the Secretary, including Information Sharing and
Analysis Organizations, sector coordinating councils, and non-
Federal entities.
(2) Scope.--The coordination under paragraph (1) shall
include--
(A) developing products specific to the needs of
Healthcare and Public Health Sector entities;
(B) sharing information relating to cyber threat
indicators and appropriate defensive measures,
including automating cyber threat information sharing,
in a manner that adequately protects against
unauthorized access or disclosure; and
(C) providing technical assistance to covered
entities and business associates to improve
cybersecurity preparedness.
(c) Joint Cybersecurity Planning.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Secretary and the Director shall
establish a joint cybersecurity capability plan to coordinate
responses to significant cybersecurity incidents affecting the
Healthcare and Public Health Sector.
(2) Elements.--The joint cybersecurity capability plan
established under paragraph (1) shall include--
(A) protocols for rapid information sharing during
sector-wide cybersecurity incidents;
(B) coordination mechanisms with the sector
coordinating council for the Healthcare and Public
Health Sector; and
(C) coordination with Cybersecurity State
Coordinators for incidents affecting multiple States.
(3) Submission to congress.--
(A) In general.--Not later than 1 year after the
date of enactment of this Act, the Secretary shall
submit to the Committee on Health, Education, Labor,
and Pensions of the Senate and the Committee on Energy
and Commerce of the House of Representatives the final
joint cybersecurity capability plan prepared under
paragraph (1) and a description of how such plan
implements the elements required under paragraph (2).
(B) Updates.--If the Secretary and the Director
update the joint cybersecurity capability plan required
under this subsection, the Secretary shall submit to
the Committee on Health, Education, Labor, and Pensions
of the Senate and the Committee on Energy and Commerce
of the House of Representatives such updated plan and a
description of how such plan implements the elements
required under paragraph (2).
SEC. 4. CLARIFYING CYBERSECURITY RESPONSIBILITIES AT THE DEPARTMENT OF
HEALTH AND HUMAN SERVICES.
(a) In General.--The Secretary shall delegate a representative to
lead oversight and coordination of activities within the Department of
Health and Human Services to support internal and external
cybersecurity resilience within the Healthcare and Public Health
Sector, including coordination and communication with other public and
private entities related to preparedness for, and responses to,
cybersecurity incidents, consistent with applicable provisions of the
Public Health Service Act (42 U.S.C. 201 et seq.), other applicable
laws, and National Security Memorandum-22 (April 30, 2024; relating to
critical infrastructure security and resilience). Such activities shall
not include implementation or enforcement of part 160 and subparts A
and C of part 164 of title 45, Code of Federal Regulations (or
successor regulations) (commonly known as the ``HIPAA Security Rule'').
(b) Reports.--
(1) Report on delegation.--Not later than 60 days after
delegating a representative under subsection (a), and any time
a new representative is delegated under such subsection, the
Secretary shall submit to the Committee on Health, Education,
Labor, and Pensions of the Senate and the Committee on Energy
and Commerce of the House of Representatives a report that
describes how such representative will implement steps to
improve internal and external cybersecurity resilience within
the Healthcare and Public Health Sector.
(2) Annual report.--Not later than 1 year after the date of
enactment of this Act, and annually thereafter, the Secretary
shall submit to the Committee on Health, Education, Labor, and
Pensions of the Senate and the Committee on Energy and Commerce
of the House of Representatives a report on the state of
cybersecurity in the Healthcare and Public Health Sector,
including--
(A) an assessment of the most significant
cybersecurity threats and vulnerabilities facing the
Healthcare and Public Health Sector;
(B) a summary of major cybersecurity incidents
affecting the Healthcare and Public Health Sector
during the preceding year;
(C) an assessment of the overall cybersecurity
posture of the Healthcare and Public Health Sector;
(D) a description of actions taken by the
Department of Health and Human Services to improve
cybersecurity; and
(E) recommendations to improve Healthcare and
Public Health Sector cybersecurity.
SEC. 5. CYBERSECURITY INCIDENT RESPONSE PLAN.
Section 405 of the Cybersecurity Act of 2015 (6 U.S.C. 1533) is
amended--
(1) in subsection (a)--
(A) in paragraph (4)--
(i) in the paragraph heading, by inserting
``information system;'' after ``federal
entity;''; and
(ii) by inserting ```information system',''
after ```Federal entity','';
(B) by redesignating paragraphs (4) through (7) as
paragraphs (6) through (9), respectively; and
(C) by inserting after paragraph (3) the following:
``(4) Cybersecurity incident.--The term `cybersecurity
incident' has the meaning given the term `incident' in section
3552 of title 44, United States Code.
``(5) Cybersecurity risk.--The term `cybersecurity risk'
has the meaning given such term in section 2200 of the Homeland
Security Act of 2002 (6 U.S.C. 650).''; and
(2) in subsection (d), by adding at the end the following:
``(4) Plan.--
``(A) In general.--Not later than 1 year after the
date of enactment of the Health Care Cybersecurity and
Resiliency Act of 2026, the Secretary shall expand and
implement the Cyber Annex of the All Hazards Plan of
the Department of Health and Human Services to inform
applicable personnel within the Department of Health
and Human Services of processes and protocols to
prepare for, and respond to, cybersecurity incidents.
``(B) Scope.--The plan under subparagraph (A) shall
address cybersecurity incidents involving information
systems, including hardware, software, databases, and
networks, used or maintained by, or on behalf of, the
Department.
``(C) Elements.--The plan under subparagraph (A)
shall include strategies--
``(i) to assess cybersecurity risks;
``(ii) to prevent cybersecurity incidents;
``(iii) to detect and identify
cybersecurity incidents;
``(iv) to minimize damage in the event of a
cybersecurity incident;
``(v) to protect data;
``(vi) to recover from any cybersecurity
incidents expeditiously; and
``(vii) to communicate and share non-
sensitive information about cybersecurity
incidents with entities in the Healthcare and
Public Health Sector (as defined in section 2
of the Health Care Cybersecurity and Resiliency
Act of 2026).
``(D) Consultation.--In developing the plan under
subparagraph (A), the Secretary shall consult with the
Director of the Cybersecurity and Infrastructure
Security Agency, the Director of the Office of
Management and Budget, the Director of the National
Institute of Standards and Technology, and relevant
experts, as appropriate.
``(E) Updates.--The Secretary shall review and
update the plan under subparagraph (A)--
``(i) not less frequently than once every 2
years; and
``(ii) after any significant cybersecurity
incident affecting the Department of Health and
Human Services or a Federal health program.
``(F) Report.--Not later than 60 days before the
date on which the Secretary begins implementing the
plan under subparagraph (A), the Secretary shall submit
to the Committee on Health, Education, Labor, and
Pensions and the Committee on Homeland Security and
Governmental Affairs of the Senate and the Committee on
Energy and Commerce, the Committee on Oversight and
Reform, and the Committee on Homeland Security of the
House of Representatives a report that describes such
plan.''.
SEC. 6. CLARIFYING BREACH REPORTING OBLIGATIONS.
Section 13402(f) of the HITECH Act (42 U.S.C. 17932(f)) is amended
by adding at the end the following:
``(6) The number of individuals affected by the breach.''.
SEC. 7. ENHANCING RECOGNITION OF SECURITY PRACTICES.
(a) Recognized Security Practices.--Section 13412(b)(1) of the
HITECH Act (42 U.S.C. 17941(b)(1)) is amended, in the first sentence,
by inserting ``, investments,'' after ``other programs''.
(b) Regulation.--Not later than 1 year after the date of enactment
of this Act, the Secretary shall promulgate regulations implementing
section 13412 of the HITECH Act (42 U.S.C. 17941), which shall
include--
(1) recognized security practices that the Secretary may
consider when determining fines under such section;
(2) the extent to which such recognized security practices
should be in place for consideration by the Secretary;
(3) procedural requirements or information that shall be
submitted by a covered entity or business associate to the
Secretary for consideration; and
(4) how the Secretary will take into account such
recognized security practices when determining fines, earlier
favorable termination of audits, or mitigating remedies that
would otherwise be agreed to in any agreement with respect to
resolving potential violations of part 160 and subparts A and C
of part 164 of title 45, Code of Federal Regulations (or
successor regulations) (commonly known as the ``HIPAA Security
Rule'') between the covered entity or business associate and
the Department of Health and Human Services.
(c) Annual Report.--Not later than 2 years after the date of
enactment of this Act, and annually thereafter, the Secretary shall
include in the annual report required under section 13424(a) of the
HITECH Act (42 U.S.C. 17953(a)) information on implementation of
section 13412 of such Act (42 U.S.C. 17941), including an accounting of
every case in which the Secretary considered recognized security
practices when effectuating audits and assessing fines under such
section.
SEC. 8. REQUIRED CYBERSECURITY STANDARDS.
(a) In General.--The Secretary shall update the security
regulations under part 160 and subparts A and C of part 164 of title
45, Code of Federal Regulations (or any successor regulation), to
require non-governmental entities in the Healthcare and Public Health
Sector and covered entities and business associates to adopt minimum
risk-based cybersecurity practices, including--
(1) multifactor authentication, or a successor technology;
(2) encryption of protected health information, or a
successor technology;
(3) requirements to conduct monitoring, including
penetration testing, to maintain the protections of information
systems; and
(4) other minimum cybersecurity standards, as reflected in
national cybersecurity frameworks.
(b) Requirements.--The minimum risk-based cybersecurity practices
adopted pursuant to subsection (a) shall be based on--
(1) national cybersecurity frameworks, as appropriate, such
as--
(A) the National Institute of Standards and
Technology Risk Management Framework (or a successor
framework);
(B) the National Institute of Standards and
Technology Cybersecurity Framework (or a successor
framework);
(C) the National Institute of Standards and
Technology SP 800-53 r5 Security and Privacy Controls
for Information Systems and Organizations (or a
successor special publication), with relevant
components of the National Institute of Standards and
Technology Privacy Framework; or
(D) the National Institute of Standards and
Technology Artificial Intelligence Risk Management
Framework;
(2) the Health Sector Coordinating Council Cybersecurity
Healthcare and Public Health Cybersecurity Performance Goals;
and
(3) the health care-specific cybersecurity performance
goals of the Cybersecurity and Infrastructure Security Agency.
(c) Effective Dates.--The regulations updated in accordance with
subsection (a), including each new requirement established, shall take
effect on the date that is 36 months after the date of enactment of
this Act.
(d) Enforcement.--The Secretary may exercise enforcement discretion
for entities experiencing extraordinary circumstances in complying with
the requirements of subsection (a).
SEC. 9. GUIDANCE ON RURAL CYBERSECURITY READINESS.
Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C. 1533(d))
(as amended by section 5(2)) is amended by adding at the end the
following:
``(5) Rural cybersecurity guidance.--
``(A) Definition of rural.--In this paragraph, the
term `rural' has the meaning given such term by the
Federal Office of Rural Health Policy.
``(B) Guidance on rural cybersecurity readiness.--
Not later than 1 year after the date of enactment of
the Health Care Cybersecurity and Resiliency Act of
2026, the Secretary shall issue guidance to rural
entities on best practices to improve cybersecurity
readiness, including strategies--
``(i) to improve cybersecurity
infrastructure, including any technical
safeguards to mitigate cybersecurity risk;
``(ii) to integrate best practices issued
by the Secretary to improve cybersecurity
preparedness;
``(iii) to improve workforce preparation to
mitigate any cybersecurity risks, including
existing public-private programs to support
educational initiatives;
``(iv) to implement policies to facilitate
mandatory cybersecurity incident reporting
requirements under law; and
``(v) to explore and recommend best
practices, including--
``(I) outsourcing information
technology and chief information
security officer functions to third
parties on a part-time basis;
``(II) participating in regional
rural health care information
technology management sharing programs;
and
``(III) migrating data to secure
cloud-based platforms.
``(C) Technical assistance.--The Secretary shall
provide technical assistance to rural entities to
implement the recommendations included in the guidance
under subparagraph (B).
``(D) GAO study and report.--
``(i) In general.--Not later than 3 years
after the date of enactment of the Health Care
Cybersecurity and Resiliency Act of 2026, the
Comptroller General of the United States shall
conduct a study, and submit to the Committee on
Health, Education, Labor, and Pensions of the
Senate and the Committee on Energy and Commerce
of the House of Representatives a report, on
how rural entities have implemented the
recommendations included in the guidance under
subparagraph (B).
``(ii) Contents.--The study under clause
(i) shall assess--
``(I) how rural entities have
implemented any technical safeguards
and any challenges faced by such rural
entities in areas for which safeguards
were not implemented;
``(II) steps to further support
cybersecurity resilience for rural
entities;
``(III) areas to improve
coordination between Federal agencies,
including for the purposes of required
cyber reporting; and
``(IV) any opportunities to support
public-private collaboration in the
area of cybersecurity readiness.''.
SEC. 10. GRANTS TO ENHANCE CYBERSECURITY IN THE HEALTH AND PUBLIC
HEALTH SECTORS.
(a) In General.--The Secretary may award grants to eligible
entities for the adoption and implementation of cybersecurity best
practices.
(b) Eligible Entity.--To be eligible to receive a grant under
subsection (a), an entity shall be--
(1) a Federally qualified health center (as defined in
section 1861(aa)(4) of the Social Security Act (42 U.S.C.
1395x(aa)(4)));
(2) a health facility operated by or pursuant to a contract
with the Indian Health Service;
(3) a nonprofit hospital;
(4) a rural health clinic (as defined in section
1861(aa)(2) of the Social Security Act (42 U.S.C.
1395x(aa)(2))); or
(5) a nonprofit entity that enters into a partnership or
coordinates referrals with an entity described in any of
paragraphs (1) through (4).
(c) Use of Funds.--In adopting and implementing cybersecurity best
practices pursuant to a grant under subsection (a), an eligible entity
may use grant funds--
(1) to hire individuals with demonstrated cybersecurity
expertise and train personnel in such cybersecurity best
practices;
(2) to update electronic data systems, such as by migrating
to cloud-based platforms;
(3) to join and participate in health cybersecurity threat
information sharing organizations;
(4) to contract with third parties to assist the eligible
entity in carrying out the activities described in this
subsection;
(5) to conduct cybersecurity risk assessments and
vulnerability assessments; and
(6) to develop or improve cybersecurity incident response
plans.
(d) Grant Period.--A grant awarded under this section shall be for
a period of not more than 3 years.
(e) Priority.--In awarding grants under this section, the Secretary
may give consideration to the demonstrated need of eligible entities.
(f) Application.--An eligible entity seeking a grant under
subsection (a) shall submit to the Secretary an application at such
time, in such manner, and containing such information as the Secretary
may require, including--
(1) a description of how the eligible entity will establish
baseline measures and benchmarks that meet the Secretary's
requirements to evaluate performance outcomes; and
(2) a strategic plan for how, after the end of the grant
period, the eligible entity will sustain the activities funded
under the grant and continue to adopt cybersecurity best
practices.
(g) Authorization of Appropriations.--There are authorized to be
appropriated to carry out this section such sums as may be necessary
for each of fiscal years 2026 through 2030.
SEC. 11. HEALTHCARE CYBERSECURITY WORKFORCE.
(a) Training for Healthcare Experts.--The Secretary, in
coordination with the Cybersecurity State Coordinators of the Agency,
the Office of the National Cyber Director, and private sector health
care experts, as appropriate, shall provide training to Healthcare and
Public Health Sector entities on--
(1) cybersecurity risks to information systems within the
Healthcare and Public Health Sector; and
(2) ways to mitigate the risks to information systems in
the Healthcare and Public Health Sector.
(b) Strategic Plan.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Secretary, acting through the
Administrator of the Health Resources and Services
Administration, in coordination with the Agency, shall develop
a strategic plan to support growing the cybersecurity workforce
for health care entities.
(2) Contents.--The strategic plan under paragraph (1) shall
include--
(A) recommendations for existing educational
programs that can be used to support cybersecurity
training;
(B) dissemination and development of educational
materials on how to improve cybersecurity resilience;
(C) development of best practices to train the
health care workforce on cybersecurity best practices;
(D) development of recommendations specific to
rural facilities;
(E) development of best practices to leverage
artificial intelligence to support cybersecurity
preparedness;
(F) opportunities for public-private collaboration
to strengthen the cybersecurity workforce; and
(G) alignment with the National Initiative for
Cybersecurity Education Workforce Framework.
SEC. 12. CYBERSECURITY INCIDENT REPORTING COORDINATION WORKING GROUP.
(a) Working Group.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Secretary shall convene a working
group to examine how to streamline and reduce duplicative
reporting for cybersecurity incidents.
(2) Membership.--The working group described in paragraph
(1) shall include representatives of--
(A) the Cybersecurity and Infrastructure Security
Agency;
(B) the Securities and Exchange Commission;
(C) the Office of the National Cyber Director;
(D) the Federal Bureau of Investigation;
(E) the Federal Trade Commission;
(F) State attorneys general;
(G) State health departments; and
(H) private sector health care entities.
(3) Conclusion.--The working group shall conclude not later
than 18 months after the date of the first meeting of the
working group.
(b) Report.--Not later than 1 year after the conclusion of the
working group under subsection (a)(3), the Secretary shall submit to
the Committee on Health, Education, Labor, and Pensions of the Senate
and the Committee on Energy and Commerce of the House of
Representatives a report that--
(1) identifies areas the working group has identified to
streamline and reduce duplicative reporting;
(2) includes recommendations to Congress on further
streamlining such reporting; and
(3) addresses coordination with State breach notification
laws.
March 23, 2026
Reported with an amendment