Senate HELP Committee Advances Health Care Cybersecurity and Resiliency Act

Mar 8, 2026 | Compliance News, Healthcare Information Technology

The Senate Health, Education, Labor, and Pensions (HELP) Committee advanced the Health Care Cybersecurity and Resiliency Act with a 22-1 vote, moving forward bipartisan legislation that proposes cybersecurity requirements and federal coordination measures for the healthcare sector.

Legislative Action by Senate HELP Committee

The Senate Health, Education, Labor, and Pensions (HELP) Committee voted 22-1 to advance the Health Care Cybersecurity and Resiliency Act. The legislation proposes requirements intended to strengthen cybersecurity across the healthcare sector. The bill was first introduced in November 2025 and later reintroduced in December 2025 with minimal changes.

The legislation was proposed by a bipartisan group of senators that includes Senate Health, Education, Labor, and Pensions (HELP) Committee Chair Sen. Bill Cassidy (R-LA), Sen. Mark Warner (D-VA), Sen. Maggie Hassan (D-NH), and Sen. John Cornyn (R-TX). The legislation originates from a bipartisan healthcare cybersecurity working group that was launched in 2023.

Cybersecurity Requirements for HIPAA-Regulated Entities

The Health Care Cybersecurity and Resiliency Act proposes cybersecurity requirements for entities covered under the Health Insurance Portability and Accountability Act (HIPAA). The bill proposes minimum cybersecurity standards that include multifactor authentication, data encryption, penetration testing, and regular security audits.

The legislation also introduces reporting requirements related to cybersecurity incidents. Regulated entities would be required to report the number of individuals affected by a cybersecurity incident. The Department of Health and Human Services (HHS) would publish information regarding corrective actions and recognized security practices applied by regulated entities after a data breach.

Federal Coordination and Incident Response Planning

The legislation proposes increased coordination between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA) in response to cyber threats affecting healthcare organizations. The bill requires the HHS to develop a cybersecurity incident response plan.
The legislation also designates the Administration for Strategic Preparedness and Response as the Sector Risk Management Agency for the healthcare sector.

The HHS would also produce an annual report describing how the agency is complying with requirements in the Consolidated Appropriations Act of 2021 related to the adoption of recognized security practices by HIPAA-regulated entities.

Financial Assistance and Rural Healthcare Guidance

The legislation includes financial assistance for under-resourced healthcare providers that need to improve cybersecurity protections. Eligible recipients include hospitals, cancer centers, rural health clinics, health facilities operated by the Indian Health Service, and academic health centers.

The bill requires the HHS to issue guidance for rural entities and rural health clinics on cybersecurity breach prevention practices, resilience planning, and coordination with federal agencies.

Additional legislative objectives include providing grants and training to healthcare entities to improve cyberattack prevention and response capabilities.

Context of Healthcare Cybersecurity Risks

Cyberattacks on healthcare organizations have increased over the past decade, with a noticeable rise in recent years. More than 700 data breaches have been reported to the Department of Health and Human Services Office for Civil Rights in each of the past four years.

Large data breaches now occur at approximately twice the volume recorded in 2016, 2017, and 2018. Cyber incidents within the healthcare sector have exposed private medical information and disrupted care operations, including delays in emergency department services and electronic prescribing.

One example referenced in legislative materials involved a cyberattack on Change Healthcare that exposed the data of more than 190 million people and resulted in delays in care and electronic prescribing.

Legislative Status

Advancement through the Senate Health, Education, Labor, and Pensions (HELP) Committee represents a step in the legislative process for the Health Care Cybersecurity and Resiliency Act. Whether the legislation will pass a vote in the House of Representatives and reach the President for signature into law has not been determined.
