S5390-118

Introduced

To require the Secretary of Health and Human Services and the Director of the Cybersecurity and Infrastructure Security Agency to coordinate to improve cybersecurity in the health care and public health sectors, and for other purposes.

118th Congress Introduced Nov 21, 2024

Analysis under review: This bill has generated analysis that may be too generic or incomplete. Clause-level evidence remains available below.

Summary

What This Bill Does

This bill creates a comprehensive framework to improve cybersecurity across the healthcare sector. It requires HHS and CISA to coordinate on cybersecurity efforts, mandates new security standards including multifactor authentication and encryption for health data, and establishes grant programs to help healthcare organizations adopt better cybersecurity practices.

Who Benefits and How

Patients benefit from stronger protections for their health information. Healthcare providers, especially rural and under-resourced facilities, can receive grants to upgrade cybersecurity systems, hire security personnel, and migrate to cloud platforms. Cybersecurity firms and consultants benefit from increased demand for services. Healthcare organizations with strong security practices may face reduced regulatory penalties.

Who Bears the Burden and How

Hospitals, health centers, and other covered entities must implement mandatory multifactor authentication, encryption, and conduct penetration testing - significant compliance costs. Business associates handling health data face the same requirements. HHS must develop new guidance, incident response plans, and grant programs. Organizations must report additional breach information publicly.

Key Provisions

  • Mandates multifactor authentication and encryption for systems with protected health information
  • Creates grants (up to 3 years) for health centers, hospitals, and rural clinics to adopt cybersecurity best practices
  • Requires HHS to develop cybersecurity incident response plan within 1 year
  • Enhances breach reporting portal with corrective action and security practices information

Evidence Chain:

This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.

At a Glance

What This Bill Does

Improve cybersecurity in the healthcare and public health sectors by requiring coordination between HHS and CISA, establishing mandatory security standards, creating grant programs, and enhancing breach reporting requirements.

Key Policy Areas

Cybersecurity, Healthcare, Public Health, Technology

Primary Purpose

Improve cybersecurity in the healthcare and public health sectors by requiring coordination between HHS and CISA, establishing mandatory security standards, creating grant programs, and enhancing breach reporting requirements.

Policy Domains

Cybersecurity Healthcare Public Health Technology

Health Care Cybersecurity and Resiliency Act of 2024

Identified Gains
  • Patients (health data protection)
  • Rural healthcare facilities
  • Cybersecurity vendors and consultants
  • Healthcare organizations with strong security posture
Model: N/A | Version: bill_summary_v2 | Source: is
Rural healthcare facilities: ,
Patients (health data protection):
Cybersecurity vendors and consultants: ,
Healthcare organizations with strong security posture:
Identified Costs
  • Hospitals and health systems
  • Business associates handling health data
  • HHS (new programs and guidance)
  • Small healthcare providers
Model: N/A | Version: bill_summary_v2 | Source: is
Small healthcare providers:
Hospitals and health systems: ,
HHS (new programs and guidance): ,
Business associates handling health data:

Legislative Progress

Introduced
Introduced Committee Passed
Nov 21, 2024

Mr. Cassidy (for himself, Ms. Hassan, Mr. Cornyn, and Mr. …

Stakeholder Effects

cui bono?

How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.

Healthcare
13 mentions across 9 clauses
+9 positive -4 negative

Academic health centers, Business associates (health IT vendors, billing companies), Covered entities (hospitals, health systems)

Positive-direction: Academic health centers, Federally Qualified Health Centers, Healthcare facility IT staff, Healthcare organizations with strong cybersecurity practices, Healthcare sector entities, Hospitals and cancer centers, Indian Health Service facilities, Rural health clinics, Rural healthcare facilities

Negative-direction: Business associates (health IT vendors, billing companies), Covered entities (hospitals, health systems), Covered entities experiencing breaches, Hospitals and health systems

Government
6 mentions across 5 clauses
-6 negative

Assistant Secretary for Preparedness and Response, CISA, HHS

Technology
3 mentions across 3 clauses
+3 positive

Cybersecurity vendors, Healthcare cybersecurity professionals, IT and cybersecurity consultants

Healthcare Beneficiaries
2 mentions across 2 clauses
+2 positive

Healthcare consumers/patients, Patients

Cloud Computing
1 mention across 1 clause
+1 positive

Cloud service providers

Education
1 mention across 1 clause
+1 positive

Educational institutions with cybersecurity programs

12/14
sections analyzed
Full impact breakdown

Bill Structure & Actor Mappings

Who is "The Secretary" in each section?

Domains
Cybersecurity Healthcare Public Health
Actor Mappings
"the_agency"
→ Cybersecurity and Infrastructure Security Agency
"the_director"
→ Director of the Cybersecurity and Infrastructure Security Agency (CISA)
"the_secretary"
→ Secretary of Health and Human Services

Key Definitions

Terms defined in this bill

3 terms
"Healthcare and Public Health Sector" §2_healthcare_sector

Critical infrastructure sector as defined in Presidential Policy Directive 21

"Cybersecurity risk" §5_cybersecurity_risk

Has the meaning given such term in section 2200 of the Homeland Security Act of 2002

"Cybersecurity incident" §5_cybersecurity_incident

Has the meaning given the term 'incident' in section 3552 of title 44, United States Code

We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.

Learn more about our methodology