Health Care Cybersecurity and Resiliency Act Advances in Senate

Senate Moves Closer to Passing Health Care Cyber Reforms 

The Health Care Cybersecurity and Resiliency Act of 2025 advanced out of the Senate Health, Education, Labor, and Pensions (HELP) Committee on a 22–1 vote in late February; it will now be considered in the full chamber. If enacted, the legislation would require the Secretary of Health and Human Services (HHS) to develop a department-wide cybersecurity incident response plan and submit it to Congress.  

It would also direct HHS to coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) to strengthen oversight of cybersecurity across the healthcare and public health sectors. Additional provisions include tailored cybersecurity guidance for rural providers and a strategy to improve cybersecurity literacy within the healthcare workforce. 

The bill was introduced in December 2025 by Committee Chair Sen. Bill Cassidy (R-La.) along with Sens. Mark Warner (D-Va.), John Cornyn (R-Texas), and Maggie Hassan (D-N.H.), with Sen. Rand Paul (R-Ky.) casting the lone opposing vote. 

The Change Healthcare Attack Serves as Catalyst 

Lawmakers pointed to the 2024 ransomware attack on Change Healthcare as a major driver behind the bill. During committee proceedings, members cited more than 730 reported cyber breaches last year affecting over 270 million Americans. The Change Healthcare incident alone exposed data associated with approximately 190 million individuals and disrupted claims processing and patient services nationwide. 

Officials from the Administration for Strategic Preparedness and Response (ASPR) noted publicly that the attack demonstrated how a third-party vendor can significantly impact the broader healthcare system. 

Key Provisions of the Legislation 

  1. Stronger Federal Coordination. The bill would formalize ASPR as the Sector Risk Management Agency for Healthcare and Public Health and require closer coordination between HHS and CISA. It also mandates a department-wide cybersecurity response plan. 
  2. Updates to HIPAA Security Requirements. The legislation directs HHS to modernize regulations under the Health Insurance Portability and Accountability Act (HIPAA). This aligns with HHS’s proposed updates to the HIPAA Security Rule, which include requirements such as multifactor authentication, stronger encryption, penetration testing, vulnerability management, asset inventories, and enhanced vendor oversight. 
  3. Support for Rural and Small Providers. The bill calls for cybersecurity guidance tailored to rural clinics and small providers and establishes a federal grant program to help hospitals, rural facilities, cancer centers, Indian Health Service facilities, academic health centers, and nonprofit partners strengthen cybersecurity programs. 
  4. Workforce Cybersecurity Training and Literacy Requirements. The legislation calls for CISA to develop cybersecurity training resources for healthcare staff and aims to improve cybersecurity literacy across the workforce. This includes both general awareness training and broader efforts to strengthen sector-wide cybersecurity knowledge. PrivaPlan provides HIPAA Compliance Training, which includes a cybersecurity literacy component. 
  5. Enhanced Breach Reporting. The bill includes requirements to improve transparency in reporting the number of individuals affected by breaches and to clarify how recognized security practices are evaluated. Organizations may face more structured reporting expectations following incidents.

In related news, CISA announced virtual town halls for March and April 2026 to solicit additional input on refining the scope and burden of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Notice of Proposed Rulemaking. The CIRCIA rule, expected to roll out in May 2026, would require critical infrastructure sectors (including health care, energy, and finance) to report cyberattacks within 72 hours and ransomware payments within 24 hours.

What Healthcare Organizations Should Consider Now 

Although the bill has not yet become law, it signals regulatory priorities. Healthcare organizations may benefit from: 

  • Reviewing third-party vendor risk management processes 
  • Evaluating the use of MFA, encryption, and vulnerability management tools 
  • Updating incident response and business continuity plans 
  • Assessing cybersecurity workforce capabilities and training needs 
  • Monitoring developments related to HIPAA Security Rule updates 

The Health Care Cybersecurity and Resiliency Act of 2025 reflects continued federal focus on healthcare cybersecurity. For providers and the workforce, it underscores the growing importance of strengthening safeguards to protect patient information and maintain continuity of care. 