Health Care Cybersecurity and Resiliency Act of 2026
Summary
What This Bill Does
The Health Care Cybersecurity and Resiliency Act creates a health-sector cybersecurity package. It requires HHS and CISA coordination, gives HHS a designated lead for health care cybersecurity oversight, updates cybersecurity incident response planning, clarifies breach reporting obligations and the number of affected individuals, recognizes security practices and investments, requires updates to HIPAA security regulations, requires rural cybersecurity readiness guidance, authorizes grants for public and nonprofit health-sector entities to adopt cybersecurity best practices, requires health care cybersecurity workforce training with CISA state coordinators and private experts, and convenes a working group to reduce duplicative incident reporting.
Who Benefits and How
Hospitals benefit from grants, guidance, and clearer federal cybersecurity practices for health-sector systems. Rural health clinics benefit from rural cybersecurity readiness guidance tailored to smaller providers. Patients benefit when stronger security and breach reporting reduce risk to health information and care continuity. Health care cybersecurity workers benefit from training and coordination among HHS, CISA, ONCD, and private-sector experts. Public health agencies benefit from a clearer incident-response plan and less duplicative reporting. Healthcare grant recipients benefit from new federal support for adopting best practices.
Who Bears the Burden and How
HHS must lead sector cybersecurity oversight, update regulations, run grants, issue guidance, train the workforce, and convene the working group. CISA must coordinate with HHS and its state cybersecurity coordinators on health-sector readiness. Covered entities must comply with updated HIPAA security regulations and clarified breach reporting. Business associates must meet stronger security expectations and breach-reporting obligations. Healthcare providers must invest in cybersecurity practices and report incidents more consistently. Cybersecurity vendors face stronger demand but also more scrutiny around best-practice implementation.
Key Provisions
- Requires HHS coordination with CISA for health-sector cybersecurity.
- Clarifies HHS cybersecurity leadership and oversight responsibilities.
- Updates cybersecurity incident response planning and breach reporting obligations.
- Requires recognition of security practices and investments.
- Requires HHS to update health information security regulations.
- Provides rural cybersecurity readiness guidance and grants for health-sector cybersecurity best practices.
- Requires cybersecurity workforce training and a working group to streamline incident reporting.
Evidence Chain:
This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.
At a Glance
What This Bill Does
Strengthens health-sector cybersecurity by coordinating HHS with CISA, clarifying HHS cybersecurity leadership, updating incident and breach reporting, recognizing security investments, requiring security standards, supporting rural readiness, authorizing grants, training the workforce, and convening a reporting coordination working group.
Key Policy Areas
Health Care, Cybersecurity, Public Health
Primary Purpose
Strengthens health-sector cybersecurity by coordinating HHS with CISA, clarifying HHS cybersecurity leadership, updating incident and breach reporting, recognizing security investments, requiring security standards, supporting rural readiness, authorizing grants, training the workforce, and convening a reporting coordination working group.
Policy Domains
Bill provisions
Identified Gains
- Hospitals
- Rural health clinics
- Patients
- Health care cybersecurity workers
- Public health agencies
- Healthcare grant recipients
Identified Costs
- HHS
- CISA
- Covered entities
- Business associates
- Healthcare providers
- Cybersecurity vendors
Sponsors
Legislative Progress
ReportedCommittee on Health, Education, Labor, and Pensions. Reported by Senator …
Placed on Senate Legislative Calendar under General Orders. Calendar No. …
Reported by Mr. Cassidy, with an amendment
Committee on Health, Education, Labor, and Pensions. Ordered to be …
Mr. Cassidy (for himself, Ms. Hassan, Mr. Cornyn, and Mr. …
Introduced in Senate
Read twice and referred to the Committee on Health, Education, …
Stakeholder Effects
cui bono?How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.
Business associates, Covered entities, Healthcare grant recipients
Positive-direction: Healthcare grant recipients, Hospitals, Patients, Rural health clinics
Negative-direction: Business associates, Covered entities
CISA, HHS, Public health agencies
Positive-direction: Public health agencies
Negative-direction: CISA, HHS
Cybersecurity vendors, Health care cybersecurity workers
Bill Structure & Actor Mappings
Who is "The Secretary" in each section?
- "director"
- → Director of the Cybersecurity and Infrastructure Security Agency
- "secretary"
- → Secretary of Health and Human Services
We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.
Learn more about our methodology