The Senate Health, Education, Labor, and Pensions (HELP) Committee has made significant progress in addressing cybersecurity challenges in the healthcare sector. With a decisive 22-1 vote, the committee approved the Health Care Cybersecurity and Resiliency Act, marking an essential step forward for the legislation, which aims to bolster cybersecurity across healthcare organizations.

A Bipartisan Push for Cybersecurity Standards

Initially introduced in November 2025 and reintroduced with minimal changes in December 2025, the bipartisan bill has garnered support from HELP Committee Chair Sen. Bill Cassidy (R-LA) as well as Sens. Mark Warner (D-VA), Maggie Hassan (D-NH), and John Cornyn (R-TX). The proposed legislation outlines measures to improve healthcare cybersecurity practices while addressing concerns over rising cyberthreats targeting the industry.

Key provisions of the bill include establishing minimum cybersecurity standards for entities regulated under the Health Insurance Portability and Accountability Act (HIPAA). These standards include requirements for multifactor authentication, data encryption, penetration testing, and regular security audits. The proposed legislation also updates breach reporting requirements, mandating that all regulated entities disclose the number of individuals impacted by cybersecurity incidents. Additionally, the Department of Health and Human Services (HHS) would be required to publish corrective actions and recognized security practices adopted by organizations following data breaches.

Financial Assistance for Resource-Strapped Providers

A notable aspect of the Health Care Cybersecurity and Resiliency Act is its focus on assisting resource-limited healthcare providers in implementing these new requirements. Hospitals, cancer centers, rural health clinics, facilities operated by the Indian Health Service, and academic health centers are among the entities eligible for financial aid under the proposed bill. These funds are intended to help offset the costs of meeting cybersecurity standards; such costs have been a key criticism of earlier proposals, like the HIPAA Security Rule update.

The legislation also directs the HHS to issue specific guidance tailored to rural healthcare entities, including best practices for preventing breaches, improving resilience, and coordinating with federal agencies during cybersecurity incidents.

Collaboration and Strategic Planning

The Health Care Cybersecurity and Resiliency Act emphasizes collaboration between federal agencies to strengthen the healthcare sector’s cybersecurity framework. It designates the Administration for Strategic Preparedness and Response as the Sector Risk Management Agency for healthcare and requires greater coordination between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA). Additionally, the HHS would develop a cybersecurity incident response plan and produce an annual report on its compliance with the cybersecurity measures outlined in the Consolidated Appropriations Act of 2021.

Balancing Burden and Security

While the proposed measures aim to enhance cybersecurity, the bill was crafted to avoid the backlash faced by the HIPAA Security Rule update. The earlier proposal had drawn criticism from healthcare providers and associations for its perceived burden and costs, which opponents argued would detract from patient care. The new bill seeks to strike a balance by providing financial support and focusing on practical, achievable standards for cybersecurity.

Next Steps for the Legislation

Although advancing past the HELP Committee is a significant milestone, the future of the Health Care Cybersecurity and Resiliency Act remains uncertain. The bill must pass through the House and ultimately be signed into law by the President. Whether it will gain enough momentum to clear these hurdles and become law is yet to be determined.
