This bill directs the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate on strengthening cybersecurity across the Healthcare and Public Health Sector. It creates a statutory HHS oversight role, requires HHS to publish an incident response plan, tightens breach reporting and transparency, and authorizes grants and workforce training to raise cyber resiliency.
For compliance and risk teams, the most consequential elements are (1) a mandated update to HIPAA-related privacy and security regulations that will require minimum cybersecurity controls (multifactor authentication, encryption, audits/penetration testing, plus additional standards set by HHS), (2) new disclosure requirements for the HITECH breach portal, and (3) targeted grant and workforce programs aimed at rural and resource‑constrained providers. The bill mixes regulatory obligations with grant funding and guidance — a combination that raises implementation and enforcement questions for providers, vendors, and regulators alike.
At a Glance
What It Does
The bill requires formal coordination between HHS and CISA (including a cooperative agreement option), gives HHS statutory oversight responsibility for healthcare cybersecurity, and directs HHS to update existing regulations to impose baseline cybersecurity requirements for covered entities and business associates. It also mandates updates to breach reporting, issues guidance on recognized security practices, creates grant authority for eligible health providers, and requires workforce and rural-readiness guidance and studies.
Who It Affects
Hospitals, Federally Qualified Health Centers, rural health clinics, Indian Health Service facilities, academic health centers, health-related nonprofit partners, and their business associates will face new regulatory requirements and reporting obligations. HHS, CISA, state cybersecurity coordinators, information sharing organizations, and vendors that provide security services or cloud migrations are also directly implicated.
Why It Matters
This bill marks a statutory push to make baseline cybersecurity controls part of the HIPAA regulatory framework and increases transparency around breaches and enforcement decisions. For compliance officers, it signals likely new rulemaking, a closer HHS–CISA operational relationship, more public breach detail, and grant-funded pathways for security upgrades — especially for rural and under-resourced providers.
What This Bill Actually Does
The bill establishes a coordinated federal approach by directing the Secretary of HHS and the Director of CISA to work together to improve cybersecurity in the Healthcare and Public Health Sector. That coordination can include a cooperative agreement and extends to making threat information and tailored resources available to entities that participate in federal or sector information-sharing programs.
The text formalizes a role for HHS — through the Assistant Secretary for Preparedness and Response — to lead internal Department oversight and to serve as the focal point for communication with public and private stakeholders during preparedness for, and response to, cyber incidents.
On the regulatory front, the bill amends multiple statutes and directives. It expands definitions in the Cybersecurity Act of 2015, requires HHS to develop and implement an internal cybersecurity incident response plan (with consultation from CISA, OMB, and NIST) and to submit a pre-implementation report to congressional committees.
It also directs HHS to update HITECH breach-portal regulations so the public display must include corrective actions taken, whether recognized security practices were considered in investigations, and the number of individuals affected.
The bill tasks HHS with updating HIPAA-related security and breach-notification regulations to require specific baseline controls: multifactor authentication (or successor technology), encryption safeguards for protected health information, and periodic audits including penetration testing. HHS must consult the private sector when setting additional minimum standards and set reasonable effective dates to allow entities time to comply.
To help resource-constrained providers, the bill authorizes grants for public and nonprofit health centers, hospitals, rural clinics, IHS facilities, cancer centers, academic health centers, and nonprofit partners for up to three years to adopt security best practices — funds may pay for staff, cloud migrations, joining threat‑sharing organizations, reducing legacy systems, or contracting third parties.
The bill also requires HHS to issue guidance for rural cybersecurity readiness and to develop a strategic plan to grow the healthcare cybersecurity workforce, with a GAO study due on rural uptake of the guidance.
The Five Things You Need to Know
HHS must develop and implement a department-wide cybersecurity incident response plan within one year and submit a report to relevant congressional committees at least 60 days before implementation begins.
HITECH breach-portal regulations must be updated within one year to publicly display corrective actions, whether recognized security practices were considered in breach investigations, and the number of individuals affected.
HHS will revise HIPAA privacy/security regulations to require multifactor authentication, encryption of PHI, and regular audits (including penetration testing), and may add other minimum standards after private-sector consultation; effective dates must give entities reasonable lead time.
The bill authorizes competitive grants (up to three years) to specified eligible entities — including FQHCs, hospitals, rural clinics, IHS facilities, cancer centers, and academic health centers — for personnel, cloud migrations, participation in threat-sharing organizations, legacy system replacement, and third-party contractors.
HHS must publish guidance on recognized security practices within one year, explain how those practices affect HHS enforcement/fine determinations, and report annually on every case where such practices were considered.
Section-by-Section Breakdown
HHS–CISA coordination and assistance
This provision requires the Secretary and CISA’s Director to coordinate — including by entering into a cooperative agreement when appropriate — to improve cybersecurity across the Healthcare and Public Health Sector. Practically, that means HHS and CISA will share threat indicators and develop products tailored to healthcare needs, and HHS will help make Agency resources available to information sharing organizations, ISACs, and non-federal entities. Expect operational coordination to cover early-warning, mitigation guidance, and joint outreach to sector stakeholders.
Statutory HHS oversight role (ASPR lead)
The bill adds a new statutory duty for HHS to lead oversight and coordination of Department cybersecurity activities through the Assistant Secretary for Preparedness and Response (ASPR). That creates a single, named office inside HHS responsible for internal coordination, external communication during incidents, and liaison work with CISA and private-sector partners. For HHS organization charts and compliance officers, this centralizes responsibility for healthcare cyber preparedness within ASPR rather than being fragmented across operating divisions.
Cybersecurity incident response plan and statutory definitions
This section amends the Cybersecurity Act to add definitions for ‘cybersecurity incident’ and ‘cybersecurity risk’ and requires HHS to produce a written incident response plan within one year. HHS must consult CISA, OMB, and NIST while drafting the plan and submit a descriptive report to congressional committees 60 days before it begins implementation. The plan must spell out risk assessment, prevention, detection, mitigation, data protection, and recovery strategies for Department-managed information systems.
Breach reporting portal enhancements and reporting details
The bill directs HHS to revise HITECH breach-portal regulations within a year so the public-facing portal includes corrective actions taken against covered entities, whether recognized security practices were considered during breach investigations, and the count of affected individuals. This expands the portal from a notification index to a more informative transparency tool that could influence market and enforcement reactions; covered entities should anticipate increased public visibility into enforcement outcomes.
Recognized security practices guidance and enforcement accounting
HHS must update the recognized-security-practices provision to explicitly include ‘investments’ and issue guidance within a year detailing which practices it will consider in fines, how robust those practices must be to count for enforcement mitigation, and what submissions entities must make for consideration. HHS must also report annually on every instance it considered such practices during audits or fine assessments, introducing an accountability mechanism that could incentivize documented security investments.
Mandatory minimum cybersecurity standards in HIPAA regulations
This is a high-impact regulatory mandate: HHS must update the HIPAA privacy, security, and breach-notification regulations to require multifactor authentication (or successor), encryption of PHI, mandated audits including penetration testing, and any additional minimum standards HHS sets after consulting the private sector. The provision gives HHS discretion to define further standards and requires the agency to set effective dates that allow reasonable compliance timeframes — but the changes trigger formal rulemaking and will drive capital and operational planning for covered entities and vendors.
Rural cybersecurity guidance and GAO study
HHS must issue guidance tailored to rural providers on improving cyber readiness (infrastructure, technical safeguards, workforce training, and incident reporting). The bill defines ‘rural’ by HRSA standards and directs the Comptroller General to study and report within three years on how rural entities implemented the guidance, including challenges, federal coordination gaps, and public-private collaboration opportunities — a future accountability check on whether guidance translated into improved security on the ground.
Grants and workforce development
The bill authorizes grant funding for eligible public and nonprofit health centers, hospitals, rural clinics, IHS facilities, cancer centers, academic health centers, and qualifying nonprofit partners to adopt cybersecurity best practices. Approved uses include hiring/training staff, cloud migration, joining threat-sharing organizations, reducing legacy systems, and contracting third parties; grants may run up to three years and require baseline metrics in applications. Separately, HHS (via HRSA) must produce a strategic plan to grow the healthcare cybersecurity workforce and develop training for asset owners and operators, emphasizing cross-agency collaboration and public-private opportunities.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Rural and resource‑constrained providers — Eligible entities can access grant funding for security upgrades (staffing, cloud migration, legacy replacement), and targeted rural guidance plus a future GAO study aims to surface and address implementation barriers.
- Patients and clinical operations — Stronger baseline controls (MFA, encryption, audits) and a departmental incident response plan should reduce downtime, data exposure, and the clinical disruption that follows major incidents.
- Security vendors and integrators — The mandate for audits, penetration testing, cloud migrations, and other minimum standards expands demand for third‑party security services, managed-security providers, and migration/cyber hygiene vendors.
- Information Sharing Organizations and ISACs — The bill formalizes resource flows and cooperation with HHS/CISA, increasing the relevance and reach of sector-specific threat sharing products and defensive measures.
- HHS and CISA — Clear statutory responsibilities and coordination pathways should improve federal operational efficiency during incidents and help centralize sector leadership.
Who Bears the Cost
- Hospitals, FQHCs, rural health clinics, and business associates — These covered entities must implement MFA, encryption, periodic audits (including penetration testing), and comply with expanded breach-reporting transparency, incurring capital, staffing, and third‑party costs.
- Small and rural providers without grant awards — Despite grant availability, many providers may face short-term financial and operational burdens to meet new regulatory baselines before assistance arrives or grants are awarded.
- HHS and CISA operational units — Implementing coordination mechanisms, producing plans and guidance, conducting reviews of recognized security practices, and administering grants will require staffing and systems investments within federal agencies.
- Health IT vendors and cloud providers — Must support stronger baseline controls and potentially new compliance attestations, and may face contractual and remediation obligations when integrating legacy systems or responding to audits.
- State agencies and Cybersecurity State Coordinators — Increased federal reporting, coordination, and incident expectations will raise workload for state coordinators who participate in federal-state information exchange and incident responses.
Key Issues
The Core Tension
The central dilemma is familiar: impose mandatory baseline cybersecurity controls to raise the floor across the sector — improving patient safety and reducing systemic risk — while avoiding imposing compliance costs that are unaffordable for smaller, rural, or safety-net providers. The bill attempts to thread that needle with grants and guidance, but the tension between immediate security benefits and near-term financial and operational burdens has no easy technical or policy fix.
The bill blends prescriptive regulatory changes (mandatory MFA, encryption, audits) with softer tools (guidance, grants, coordination). That mixture raises implementation sequencing questions: the statute requires HHS to promulgate regulatory updates and guidance within defined windows, but those rulemakings will trigger Administrative Procedure Act processes, stakeholder comment periods, and potential litigation — all of which will extend timelines beyond statutory target dates.
For providers, timing matters: grant awards and workforce programs will not immediately offset capital requirements if HHS sets aggressive effective dates for new standards.
The governance design creates overlapping authorities and potential friction points. HHS is asked to both lead sector oversight and rely on CISA for operational expertise and threat intelligence; the instruments for reconciling differing priorities (e.g., disclosure vs. protection of sensitive threat information) are left to interagency coordination.
The requirement to make portal disclosures about corrective actions and whether recognized security practices were considered improves transparency but could chill voluntary information sharing or create reputational and contractual harms for entities whose remediation status is publicly posted. Finally, the bill authorizes ‘such sums as necessary’ for grants but does not set explicit appropriation levels, so the practical reach of grant assistance depends on future budgeting choices.