S 3315 · 119th Congress · Health

Health Care Cybersecurity and Resiliency Act of 2026

Introduced December 02, 2025 · Latest action March 23, 2026 · 3 cosponsors

Latest action

Placed on Senate Legislative Calendar under General Orders. Calendar No. 365.

Action timeline

Every recorded action on this bill, newest first. Stage badges color-code the legislative path.

Mar 23, 2026 · committee · Committee on Health, Education, Labor, and Pensions. Reported by Senator Cassidy with an amendment in the nature of a substitute. Without written report. (Health, Education, Labor, and Pensions Committee)
Mar 23, 2026 · other · Placed on Senate Legislative Calendar under General Orders. Calendar No. 365.
Feb 26, 2026 · committee · Committee on Health, Education, Labor, and Pensions. Ordered to be reported with an amendment in the nature of a substitute favorably. (Health, Education, Labor, and Pensions Committee)
Dec 02, 2025 · introduced · Introduced in Senate
Dec 02, 2025 · introduced · Read twice and referred to the Committee on Health, Education, Labor, and Pensions. (Health, Education, Labor, and Pensions Committee)

Text versions

Each stage of the bill — official text published by GPO. Click any format to read on congress.gov / govinfo.

Mar 23, 2026 · Reported to Senate · XML
Dec 02, 2025 · Introduced in Senate · XML

Changelog

How a bill moves through Congress. Each stage produces a new official text. The diff between them shows what changed at that step.

  1. ih / is: Introduced in House / Senate. First filed version.
  2. rfh / rfs: Referred to a committee for review.
  3. rh / rs: Reported back by the committee to the floor (often with amendments; this is where most language changes happen).
  4. pcs / pch: Placed on Calendar for floor consideration.
  5. eh / es: Engrossed. Passed by the originating chamber. Text is now what was actually voted on.
  6. rdh / rds: Received by the other chamber.
  7. eah / eas: Engrossed Amendment. The other chamber passed an amended version.
  8. ath / ats: Agreed to. Both chambers settled on the same text.
  9. enr: Enrolled. Final reconciled text, sent to the President.
  10. pl: Public Law. Signed by the President. It's now law.
  11. pp: Public Print. Official printing post-enactment.

Most bills die before eh/es. Going from pcs to enr is the full path through both chambers.

Line-level diff between text versions of this bill — what actually changed at each legislative stage.

+787 −209 137 unchanged
--- Introduced (Senate)
+++ Reported (Senate)
@@ -1,10 +1,11 @@
[From the U.S. Government Publishing Office]
-[S. 3315 Introduced in Senate (IS)]
+[S. 3315 Reported in Senate (RS)]
<DOC>
+Calendar No. 365
119th CONGRESS
-1st Session
+2d Session
S. 3315
To require the Secretary of Health and Human Services and the Director
@@ -22,6 +23,12 @@
introduced the following bill; which was read twice and referred to the
Committee on Health, Education, Labor, and Pensions
+March 23, 2026
+
+Reported by Mr. Cassidy, with an amendment
+[Strike out all after the enacting clause and insert the part printed
+in italic]
+
_______________________________________________________________________
A BILL
@@ -34,69 +41,75 @@
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
-SECTION 1. SHORT TITLE.
-
-This Act may be cited as the ``Health Care Cybersecurity and
-Resiliency Act of 2025''.
-
-SEC. 2. DEFINITIONS.
-
-In this Act:
-(1) Agency.--The term ``Agency'' means the Cybersecurity
-and Infrastructure Security Agency.
-(2) Cybersecurity incident.--The term ``cybersecurity
-incident'' has the meaning given the term ``incident'' in
-section 3552 of title 44, United States Code.
-(3) Cybersecurity state coordinator.--The term
+<DELETED>SECTION 1. SHORT TITLE.</DELETED>
+
+<DELETED> This Act may be cited as the ``Health Care Cybersecurity
+and Resiliency Act of 2025''.</DELETED>
+
+<DELETED>SEC. 2. DEFINITIONS.</DELETED>
+
+<DELETED> In this Act:</DELETED>
+<DELETED> (1) Agency.--The term ``Agency'' means the
+Cybersecurity and Infrastructure Security Agency.</DELETED>
+<DELETED> (2) Cybersecurity incident.--The term
+``cybersecurity incident'' has the meaning given the term
+``incident'' in section 3552 of title 44, United States
+Code.</DELETED>
+<DELETED> (3) Cybersecurity state coordinator.--The term
``Cybersecurity State Coordinator'' means a Cybersecurity State
Coordinator appointed under section 2217(a) of the Homeland
-Security Act of 2002 (6 U.S.C. 665c(a)).
-(4) Director.--The term ``Director'' means the Director of
-the Agency.
-(5) Healthcare and public health sector.--The term
+Security Act of 2002 (6 U.S.C. 665c(a)).</DELETED>
+<DELETED> (4) Director.--The term ``Director'' means the
+Director of the Agency.</DELETED>
+<DELETED> (5) Healthcare and public health sector.--The term
``Healthcare and Public Health Sector'' means the Healthcare
and Public Health sector, as identified in Presidential Policy
Directive 21 (February 12, 2013; relating to critical
-infrastructure security and resilience).
-(6) Information sharing and analysis organization.--The
-term ``Information Sharing and Analysis Organization'' has the
-meaning given such term in section 2200 of the Homeland
-Security Act of 2002 (6 U.S.C. 650).
-(7) Information system.--The term ``information system''
-has the meaning given such term in section 102 of the
-Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
-(8) Secretary.--The term ``Secretary'' means the Secretary
-of Health and Human Services.
-
-SEC. 3. DEPARTMENT COORDINATION WITH THE AGENCY.
-
-(a) In General.--The Secretary and the Director shall coordinate,
-including by entering into a cooperative agreement, as appropriate, to
-improve cybersecurity in the Healthcare and Public Health Sector.
-(b) Assistance.--
-(1) In general.--The Secretary shall coordinate with the
-Director to make resources available to entities that are
-receiving information shared through programs managed by the
-Director or the Secretary, including Information Sharing and
-Analysis Organizations, information sharing and analysis
-centers, and non-Federal entities.
-(2) Scope.--The coordination under paragraph (1) shall
-include--
-(A) developing products specific to the needs of
-Healthcare and Public Health Sector entities; and
-(B) sharing information relating to cyber threat
-indicators and appropriate defensive measures.
-
-SEC. 4. CLARIFYING CYBERSECURITY RESPONSIBILITIES AT THE DEPARTMENT OF
-HEALTH AND HUMAN SERVICES.
-
-Part A of title III of the Public Health Service Act (42 U.S.C. 241
-et seq.) is amended by adding at the end the following:
-
-``SEC. 310C. OVERSIGHT OF CYBERSECURITY ACTIVITIES.
-
-``The Secretary, acting through the Assistant Secretary for
-Preparedness and Response, in coordination with the Director of the
+infrastructure security and resilience).</DELETED>
+<DELETED> (6) Information sharing and analysis
+organization.--The term ``Information Sharing and Analysis
+Organization'' has the meaning given such term in section 2200
+of the Homeland Security Act of 2002 (6 U.S.C. 650).</DELETED>
+<DELETED> (7) Information system.--The term ``information
+system'' has the meaning given such term in section 102 of the
+Cybersecurity Information Sharing Act of 2015 (6 U.S.C.
+1501).</DELETED>
+<DELETED> (8) Secretary.--The term ``Secretary'' means the
+Secretary of Health and Human Services.</DELETED>
+
+<DELETED>SEC. 3. DEPARTMENT COORDINATION WITH THE AGENCY.</DELETED>
+
+<DELETED> (a) In General.--The Secretary and the Director shall
+coordinate, including by entering into a cooperative agreement, as
+appropriate, to improve cybersecurity in the Healthcare and Public
+Health Sector.</DELETED>
+<DELETED> (b) Assistance.--</DELETED>
+<DELETED> (1) In general.--The Secretary shall coordinate
+with the Director to make resources available to entities that
+are receiving information shared through programs managed by
+the Director or the Secretary, including Information Sharing
+and Analysis Organizations, information sharing and analysis
+centers, and non-Federal entities.</DELETED>
+<DELETED> (2) Scope.--The coordination under paragraph (1)
+shall include--</DELETED>
+<DELETED> (A) developing products specific to the
+needs of Healthcare and Public Health Sector entities;
+and</DELETED>
+<DELETED> (B) sharing information relating to cyber
+threat indicators and appropriate defensive
+measures.</DELETED>
+
+<DELETED>SEC. 4. CLARIFYING CYBERSECURITY RESPONSIBILITIES AT THE
+DEPARTMENT OF HEALTH AND HUMAN SERVICES.</DELETED>
+
+<DELETED> Part A of title III of the Public Health Service Act (42
+U.S.C. 241 et seq.) is amended by adding at the end the
+following:</DELETED>
+
+<DELETED>``SEC. 310C. OVERSIGHT OF CYBERSECURITY ACTIVITIES.</DELETED>
+
+<DELETED> ``The Secretary, acting through the Assistant Secretary
+for Preparedness and Response, in coordination with the Director of the
Cybersecurity and Infrastructure Security Agency pursuant to section
2218 of the Homeland Security Act of 2002, shall lead oversight and
coordination of activities within the Department of Health and Human
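Review bot: The `<DELETED>` strike-through markers and the line re-wrapping they force make this hunk read as a wholesale rewrite, but the enclosed wording of the short title, the definitions and sections 3 and 4 is the same as in the introduced text. The comparison that matters is between these struck sections and the substitute's own sections 1 through 4 further down; normalizing the markers out before diffing would make that visible.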
@@ -107,7 +120,460 @@
preparedness for, and responses to, cybersecurity incidents, consistent
with applicable provisions of this Act, other applicable laws, and
Presidential Policy Directive 21 (February 12, 2013; relating to
-critical infrastructure security and resilience).''.
+critical infrastructure security and resilience).''.</DELETED>
+
+<DELETED>SEC. 5. CYBERSECURITY INCIDENT RESPONSE PLAN.</DELETED>
+
+<DELETED> Section 405 of the Cybersecurity Act of 2015 (6 U.S.C.
+1533) is amended--</DELETED>
+<DELETED> (1) in subsection (a)--</DELETED>
+<DELETED> (A) in paragraph (4)--</DELETED>
+<DELETED> (i) in the paragraph heading, by
+inserting ``information system;'' after
+``Federal entity;''; and</DELETED>
+<DELETED> (ii) by inserting ```information
+system','' after ```Federal
+entity','';</DELETED>
+<DELETED> (B) by redesignating paragraphs (4)
+through (7) as paragraphs (6) through (9),
+respectively; and</DELETED>
+<DELETED> (C) by inserting after paragraph (3) the
+following:</DELETED>
+<DELETED> ``(4) Cybersecurity incident.--The term
+`cybersecurity incident' has the meaning given the term
+`incident' in section 3552 of title 44, United States
+Code.</DELETED>
+<DELETED> ``(5) Cybersecurity risk.--The term `cybersecurity
+risk' has the meaning given such term in section 2200 of the
+Homeland Security Act of 2002 (6 U.S.C. 650).''; and</DELETED>
+<DELETED> (2) in subsection (d), by adding at the end the
+following:</DELETED>
+<DELETED> ``(4) Plan.--</DELETED>
+<DELETED> ``(A) In general.--Not later than 1 year
+after the date of enactment of the Health Care
+Cybersecurity and Resiliency Act of 2025, the Secretary
+shall develop and implement a cybersecurity incident
+response plan to inform applicable personnel within the
+Department of Health and Human Services of processes
+and protocols to prepare for, and respond to,
+cybersecurity incidents involving information,
+including hardware, software, databases, and networks,
+used or maintained by, or on behalf of, the Department,
+including strategies--</DELETED>
+<DELETED> ``(i) to assess cybersecurity
+risks;</DELETED>
+<DELETED> ``(ii) to prevent cybersecurity
+incidents;</DELETED>
+<DELETED> ``(iii) to detect and identify
+cybersecurity incidents;</DELETED>
+<DELETED> ``(iv) to minimize damage in the
+event of a cybersecurity incident;</DELETED>
+<DELETED> ``(v) to protect data;
+and</DELETED>
+<DELETED> ``(vi) to recover from any
+cybersecurity incidents
+expeditiously.</DELETED>
+<DELETED> ``(B) Consultation.--In developing the
+plan under subparagraph (A), the Secretary shall
+consult with the Director of the Cybersecurity and
+Infrastructure Security Agency, the Director of the
+Office of Management and Budget, and the Director of
+the National Institute of Standards and Technology, and
+relevant experts, as appropriate.</DELETED>
+<DELETED> ``(C) Report.--Not later than 60 days
+before the date on which the Secretary begins
+implementing the plan under subparagraph (A), the
+Secretary shall submit to the Committee on Health,
+Education, Labor, and Pensions and the Committee on
+Homeland Security and Governmental Affairs of the
+Senate and the Committee on Energy and Commerce, the
+Committee on Oversight and Reform, and the Committee on
+Homeland Security of the House of Representatives a
+report that describes such plan.''.</DELETED>
+
+<DELETED>SEC. 6. BREACH REPORTING PORTAL.</DELETED>
+
+<DELETED> (a) Updates to Breach Reporting Portal.--Section 13402 of
+the HITECH Act (42 U.S.C. 17932) is amended by adding at the end the
+following:</DELETED>
+<DELETED> ``(k) Updates to Regulations.--Not later than 1 year after
+the date of enactment of the Health Care Cybersecurity and Resiliency
+Act of 2025, the Secretary shall update the regulations promulgated
+pursuant to subsection (j) to require that information required to be
+publicly displayed in the breach reporting portal established pursuant
+to this section includes--</DELETED>
+<DELETED> ``(1) information on any corrective action taken
+against a covered entity that provided notification of a breach
+under this section;</DELETED>
+<DELETED> ``(2) information on whether and to what extent,
+as appropriate, recognized security practices (as defined in
+section 13412(b)(1)) were considered in the investigation of
+such a breach; and</DELETED>
+<DELETED> ``(3) such additional information about such a
+breach as the Secretary may require.''.</DELETED>
+
+<DELETED>SEC. 7. CLARIFYING BREACH REPORTING OBLIGATIONS.</DELETED>
+
+<DELETED> Section 13402(f) of the HITECH Act (42 U.S.C. 17932(f)) is
+amended by adding at the end the following:</DELETED>
+<DELETED> ``(6) The number of individuals affected by the
+breach.''.</DELETED>
+
+<DELETED>SEC. 8. ENHANCING RECOGNITION OF SECURITY PRACTICES.</DELETED>
+
+<DELETED> (a) Recognized Security Practices.--Section 13412(b)(1) of
+the HITECH Act (42 U.S.C. 17941(b)(1)) is amended, in the first
+sentence, by inserting ``, investments,'' after ``other
+programs''.</DELETED>
+<DELETED> (b) Guidance.--Not later than 1 year after the date of
+enactment of this Act, the Secretary shall issue guidance on the
+implementation of section 13412 of the HITECH Act (42 U.S.C. 17941),
+which shall include--</DELETED>
+<DELETED> (1) recognized security practices (as defined in
+subsection (b)(1) of such section) that the Secretary may
+consider when determining fines under such section;</DELETED>
+<DELETED> (2) the extent to which such recognized security
+practices should be in place for consideration by the
+Secretary; and</DELETED>
+<DELETED> (3) procedural requirements or information that
+shall be submitted by a covered entity or business associate
+(as such terms are defined in section 13400 of the HITECH Act
+(42 U.S.C. 17921)) to the Secretary for
+consideration.</DELETED>
+<DELETED> (c) Annual Report.--Not later than 2 years after the date
+of enactment of this Act, and annually thereafter, the Secretary shall
+include in the annual report required under section 13424(a) of the
+HITECH Act (42 U.S.C. 17953(a)) information on implementation of
+section 13412 of such Act (42 U.S.C. 17941), including an accounting of
+every case in which the Secretary considered recognized security
+practices (as defined in subsection (b)(1) of such section) when
+effectuating audits and assessing fines under such section.</DELETED>
+
+<DELETED>SEC. 9. REQUIRED CYBERSECURITY STANDARDS.</DELETED>
+
+<DELETED> (a) In General.--The Secretary shall update the privacy,
+security, and breach notification regulations under parts 160 and 164
+of title 45, Code of Federal Regulations (or any successor regulation)
+to require covered entities and business associates to adopt the
+following cybersecurity practices:</DELETED>
+<DELETED> (1) Multifactor authentication, or a successor
+technology, for access to any information systems that may
+include protected health information.</DELETED>
+<DELETED> (2) Safeguards to encrypt protected health
+information.</DELETED>
+<DELETED> (3) Requirements to conduct audits, including
+penetration testing, to maintain the protections of information
+systems.</DELETED>
+<DELETED> (4) Other minimum cybersecurity standards, as
+determined by the Secretary, in consultation with private
+sector entities, based on landscape analysis of emerging and
+existing cybersecurity vulnerabilities and consensus-based best
+practices.</DELETED>
+<DELETED> (b) Effective Dates.--The Secretary shall specify in the
+regulations the effective date for each of the new requirements under
+the regulations updated in accordance with subsection (a). Each such
+effective date shall provide reasonable time for the entities subject
+to the requirement to come into compliance.</DELETED>
+
+<DELETED>SEC. 10. GUIDANCE ON RURAL CYBERSECURITY READINESS.</DELETED>
+
+<DELETED> Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C.
+1533(d)) (as amended by section 5(2)) is amended by adding at the end
+the following:</DELETED>
+<DELETED> ``(5) Rural cybersecurity guidance.--</DELETED>
+<DELETED> ``(A) Definition of rural.--In this
+paragraph, the term `rural' has the meaning given such
+term by the Health Resources and Services
+Administration.</DELETED>
+<DELETED> ``(B) Guidance on rural cybersecurity
+readiness.--Not later than 1 year after the date of
+enactment of the Health Care Cybersecurity and
+Resiliency Act of 2025, the Secretary shall issue
+guidance to rural entities on best practices to improve
+cyber readiness, including strategies--</DELETED>
+<DELETED> ``(i) to improve cyber
+infrastructure, including any technical
+safeguards to mitigate cybersecurity
+risk;</DELETED>
+<DELETED> ``(ii) to integrate best practices
+issued by the Secretary to improve
+cybersecurity preparedness;</DELETED>
+<DELETED> ``(iii) to improve employee
+preparation to mitigate any cybersecurity
+risks, including existing public-private
+programs to support educational initiatives;
+and</DELETED>
+<DELETED> ``(iv) to implement policies to
+facilitate mandatory cybersecurity incident
+reporting requirements under law.</DELETED>
+<DELETED> ``(C) GAO study and report.--</DELETED>
+<DELETED> ``(i) In general.--Not later than
+3 years after the date of enactment of the
+Health Care Cybersecurity and Resiliency Act of
+2025, the Comptroller General of the United
+States shall conduct, and submit to the
+Committee on Health, Education, Labor, and
+Pensions of the Senate and the Committee on
+Energy and Commerce of the House of
+Representatives a report that describes the
+results of, a study to examine how rural
+entities have implemented the recommendations
+included in the guidance under subparagraph
+(B).</DELETED>
+<DELETED> ``(ii) Requirements.--The study
+under clause (i) shall assess--</DELETED>
+<DELETED> ``(I) how rural entities
+have implemented any technical
+safeguards and any challenges faced by
+such rural entities in areas for which
+safeguards were not
+implemented;</DELETED>
+<DELETED> ``(II) steps to further
+support cyber resilience for rural
+entities;</DELETED>
+<DELETED> ``(III) areas to improve
+coordination between Federal agencies,
+including for the purposes of required
+cyber reporting; and</DELETED>
+<DELETED> ``(IV) any opportunities
+to support public-private collaboration
+in the area of cyber
+readiness.''.</DELETED>
+
+<DELETED>SEC. 11. GRANTS TO ENHANCE CYBERSECURITY IN THE HEALTH AND
+PUBLIC HEALTH SECTORS.</DELETED>
+
+<DELETED> Part P of title III of the Public Health Service Act (42
+U.S.C. 280g et seq.) is amended by adding at the end the
+following:</DELETED>
+
+<DELETED>``SEC. 399V-8. GRANTS.</DELETED>
+
+<DELETED> ``(a) In General.--The Secretary may award grants to
+eligible entities for the adoption and use of cybersecurity best
+practices.</DELETED>
+<DELETED> ``(b) Eligible Entity.--To be eligible to receive a grant
+under subsection (a) an entity shall be--</DELETED>
+<DELETED> ``(1) a public or nonprofit private health center
+(including a Federally qualified health center (as defined in
+section 1861(aa)(4) of the Social Security Act));</DELETED>
+<DELETED> ``(2) a health facility operated by or pursuant to
+a contract with the Indian Health Service;</DELETED>
+<DELETED> ``(3) a hospital;</DELETED>
+<DELETED> ``(4) a cancer center;</DELETED>
+<DELETED> ``(5) a rural health clinic;</DELETED>
+<DELETED> ``(6) an academic health center; or</DELETED>
+<DELETED> ``(7) a nonprofit entity that enters into a
+partnership or coordinates referrals with an entity described
+in any of paragraphs (1) through (6).</DELETED>
+<DELETED> ``(c) Use of Funds.--In adopting and using cybersecurity
+best practices pursuant to a grant under subsection (a), an eligible
+entity may use grant funds--</DELETED>
+<DELETED> ``(1) to hire and train personnel in such
+cybersecurity best practices;</DELETED>
+<DELETED> ``(2) to update electronic data systems, such as
+by migrating to cloud based platforms;</DELETED>
+<DELETED> ``(3) to join and participate in health
+cybersecurity threat information sharing
+organizations;</DELETED>
+<DELETED> ``(4) to reduce the use of legacy systems;
+and</DELETED>
+<DELETED> ``(5) to contract with third parties to assist
+with the activities described in paragraphs (1) through
+(5).</DELETED>
+<DELETED> ``(d) Grant Period.--The Secretary may award a grant under
+this section for a period of not more than 3 years.</DELETED>
+<DELETED> ``(e) Application.--An eligible entity seeking a grant
+under subsection (a) shall submit to the Secretary an application at
+such time, in such manner, and containing such information as the
+Secretary may require including, at a minimum a description of how the
+eligible entity will establish baseline measures and benchmarks that
+meet the Secretary's requirements to evaluate program
+outcomes.</DELETED>
+<DELETED> ``(f) Authorization of Appropriations.--There are
+authorized to be appropriated to carry out this section such sums as
+may be necessary for each of fiscal years 2025 through
+2030.''.</DELETED>
+
+<DELETED>SEC. 12. HEALTHCARE CYBERSECURITY WORKFORCE.</DELETED>
+
+<DELETED> (a) Training for Healthcare Experts.--The Secretary, in
+coordination with the Cybersecurity State Coordinators of the Agency
+and private sector health care experts, as appropriate, shall provide
+training to Healthcare and Public Health Sector asset owners and
+operators on--</DELETED>
+<DELETED> (1) cybersecurity risks to information systems
+within the Healthcare and Public Health Sector; and</DELETED>
+<DELETED> (2) ways to mitigate the risks to information
+systems in the Healthcare and Public Health Sector.</DELETED>
+<DELETED> (b) Cross-Agency Educational Tools.--</DELETED>
+<DELETED> (1) In general.--Not later than 1 year after the
+date of enactment of this Act, the Secretary, acting through
+the Administrator of the Health Resources and Services
+Administration, in coordination with the Agency, shall develop
+a strategic plan to support growing the cybersecurity workforce
+for health care entities.</DELETED>
+<DELETED> (2) Inclusions.--The strategic plan under
+paragraph (1) shall include--</DELETED>
+<DELETED> (A) recommendations for existing
+educational programs that can be used to support
+cybersecurity training;</DELETED>
+<DELETED> (B) dissemination and development of
+educational materials on how to improve cybersecurity
+resilience;</DELETED>
+<DELETED> (C) development of best practices to train
+the health care workforce on cybersecurity best
+practices; and</DELETED>
+<DELETED> (D) opportunities for public-private
+collaboration to strengthen the cybersecurity
+workforce.</DELETED>
+
+SECTION 1. SHORT TITLE.
+
+This Act may be cited as the ``Health Care Cybersecurity and
+Resiliency Act of 2026''.
+
+SEC. 2. DEFINITIONS.
+
+In this Act:
+(1) Agency.--The term ``Agency'' means the Cybersecurity
+and Infrastructure Security Agency.
+(2) Business associate.--The term ``business associate''
+has the meaning given such term in section 160.103 of title 45,
+Code of Federal Regulations (or a successor regulation).
+(3) Covered entity.--The term ``covered entity'' has the
+meaning given such term in section 160.103 of title 45, Code of
+Federal Regulations (or a successor regulation).
+(4) Cybersecurity incident.--The term ``cybersecurity
+incident'' has the meaning given the term ``incident'' in
+section 3552 of title 44, United States Code.
+(5) Cybersecurity state coordinator.--The term
+``Cybersecurity State Coordinator'' means a Cybersecurity State
+Coordinator appointed under section 2217(a) of the Homeland
+Security Act of 2002 (6 U.S.C. 665c(a)).
+(6) Director.--The term ``Director'' means the Director of
+the Agency.
+(7) Healthcare and public health sector.--The term
+``Healthcare and Public Health Sector'' means the Healthcare
+and Public Health sector, as identified in National Security
+Memorandum-22 (April 30, 2024; relating to critical
+infrastructure security and resilience).
+(8) Information sharing and analysis organization.--The
+term ``Information Sharing and Analysis Organization'' has the
+meaning given such term in section 2200 of the Homeland
+Security Act of 2002 (6 U.S.C. 650).
+(9) Information system.--The term ``information system''
+has the meaning given such term in section 2200 of the Homeland
+Security Act of 2002 (6 U.S.C. 650).
+(10) Recognized security practices.--The term ``recognized
+security practices'' has the meaning given such term in section
+13412(b)(1) of the HITECH Act (42 U.S.C. 17941(b)(1)).
+(11) Secretary.--The term ``Secretary'' means the Secretary
+of Health and Human Services.
+
+SEC. 3. DEPARTMENT COORDINATION WITH THE AGENCY.
+
+(a) In General.--The Secretary and the Director shall coordinate,
+including by entering into a cooperative agreement, as appropriate, to
+improve cybersecurity in the Healthcare and Public Health Sector.
+(b) Assistance.--
+(1) In general.--The Secretary shall coordinate with the
+Director to make resources available to entities that are
+receiving information shared through programs managed by the
+Director or the Secretary, including Information Sharing and
+Analysis Organizations, sector coordinating councils, and non-
+Federal entities.
+(2) Scope.--The coordination under paragraph (1) shall
+include--
+(A) developing products specific to the needs of
+Healthcare and Public Health Sector entities;
+(B) sharing information relating to cyber threat
+indicators and appropriate defensive measures,
+including automating cyber threat information sharing,
+in a manner that adequately protects against
+unauthorized access or disclosure; and
+(C) providing technical assistance to covered
+entities and business associates to improve
+cybersecurity preparedness.
+(c) Joint Cybersecurity Planning.--
+(1) In general.--Not later than 1 year after the date of
+enactment of this Act, the Secretary and the Director shall
+establish a joint cybersecurity capability plan to coordinate
+responses to significant cybersecurity incidents affecting the
+Healthcare and Public Health Sector.
+(2) Elements.--The joint cybersecurity capability plan
+established under paragraph (1) shall include--
+(A) protocols for rapid information sharing during
+sector-wide cybersecurity incidents;
+(B) coordination mechanisms with the sector
+coordinating council for the Healthcare and Public
+Health Sector; and
+(C) coordination with Cybersecurity State
+Coordinators for incidents affecting multiple States.
+(3) Submission to congress.--
+(A) In general.--Not later than 1 year after the
+date of enactment of this Act, the Secretary shall
+submit to the Committee on Health, Education, Labor,
+and Pensions of the Senate and the Committee on Energy
+and Commerce of the House of Representatives the final
+joint cybersecurity capability plan prepared under
+paragraph (1) and a description of how such plan
+implements the elements required under paragraph (2).
+(B) Updates.--If the Secretary and the Director
+update the joint cybersecurity capability plan required
+under this subsection, the Secretary shall submit to
+the Committee on Health, Education, Labor, and Pensions
+of the Senate and the Committee on Energy and Commerce
+of the House of Representatives such updated plan and a
+description of how such plan implements the elements
+required under paragraph (2).
+
+SEC. 4. CLARIFYING CYBERSECURITY RESPONSIBILITIES AT THE DEPARTMENT OF
+HEALTH AND HUMAN SERVICES.
+
+(a) In General.--The Secretary shall delegate a representative to
+lead oversight and coordination of activities within the Department of
+Health and Human Services to support internal and external
+cybersecurity resilience within the Healthcare and Public Health
+Sector, including coordination and communication with other public and
+private entities related to preparedness for, and responses to,
+cybersecurity incidents, consistent with applicable provisions of the
+Public Health Service Act (42 U.S.C. 201 et seq.), other applicable
+laws, and National Security Memorandum-22 (April 30, 2024; relating to
+critical infrastructure security and resilience). Such activities shall
+not include implementation or enforcement of part 160 and subparts A
+and C of part 164 of title 45, Code of Federal Regulations (or
+successor regulations) (commonly known as the ``HIPAA Security Rule'').
+(b) Reports.--
+(1) Report on delegation.--Not later than 60 days after
+delegating a representative under subsection (a), and any time
+a new representative is delegated under such subsection, the
+Secretary shall submit to the Committee on Health, Education,
+Labor, and Pensions of the Senate and the Committee on Energy
+and Commerce of the House of Representatives a report that
+describes how such representative will implement steps to
+improve internal and external cybersecurity resilience within
+the Healthcare and Public Health Sector.
+(2) Annual report.--Not later than 1 year after the date of
+enactment of this Act, and annually thereafter, the Secretary
+shall submit to the Committee on Health, Education, Labor, and
+Pensions of the Senate and the Committee on Energy and Commerce
+of the House of Representatives a report on the state of
+cybersecurity in the Healthcare and Public Health Sector,
+including--
+(A) an assessment of the most significant
+cybersecurity threats and vulnerabilities facing the
+Healthcare and Public Health Sector;
+(B) a summary of major cybersecurity incidents
+affecting the Healthcare and Public Health Sector
+during the preceding year;
+(C) an assessment of the overall cybersecurity
+posture of the Healthcare and Public Health Sector;
+(D) a description of actions taken by the
+Department of Health and Human Services to improve
+cybersecurity; and
+(E) recommendations to improve Healthcare and
+Public Health Sector cybersecurity.
SEC. 5. CYBERSECURITY INCIDENT RESPONSE PLAN.
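Review bot: New section 4(a) has the Secretary "delegate a representative" without naming an office or a minimum level of seniority, where the struck section 310C text named the Assistant Secretary for Preparedness and Response; the only record of who holds the role is the report due 60 days after each delegation under section 4(b)(1). Consider naming the office or stating the required qualifications in the text. Separately, section 3(c)(1) and section 3(c)(3)(A) both run to 1 year after enactment, so the joint plan must be established and submitted to Congress by the same date; keying the submission deadline to the date the plan is established would leave room for both.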
@@ -116,7 +582,7 @@
(1) in subsection (a)--
(A) in paragraph (4)--
(i) in the paragraph heading, by inserting
-``information system;'' after ``Federal
+``information system;'' after ``federal
entity;''; and
(ii) by inserting ```information system',''
after ```Federal entity','';
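Review bot: Clause (i) now quotes the anchor text as "federal entity;" in lower case while the unchanged clause (ii) still quotes "Federal entity", so the two clauses no longer cite the term with the same capitalization. An insertion instruction applies cleanly only when the quoted text matches the paragraph (4) heading as it stands in section 405(a) of the Cybersecurity Act of 2015; confirm the heading's capitalization against the statute and record why the case was changed.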
@@ -133,31 +599,49 @@
``(4) Plan.--
``(A) In general.--Not later than 1 year after the
date of enactment of the Health Care Cybersecurity and
-Resiliency Act of 2025, the Secretary shall develop and
-implement a cybersecurity incident response plan to
-inform applicable personnel within the Department of
-Health and Human Services of processes and protocols to
-prepare for, and respond to, cybersecurity incidents
-involving information, including hardware, software,
-databases, and networks, used or maintained by, or on
-behalf of, the Department, including strategies--
+Resiliency Act of 2026, the Secretary shall expand and
+implement the Cyber Annex of the All Hazards Plan of
+the Department of Health and Human Services to inform
+applicable personnel within the Department of Health
+and Human Services of processes and protocols to
+prepare for, and respond to, cybersecurity incidents.
+``(B) Scope.--The plan under subparagraph (A) shall
+address cybersecurity incidents involving information
+systems, including hardware, software, databases, and
+networks, used or maintained by, or on behalf of, the
+Department.
+``(C) Elements.--The plan under subparagraph (A)
+shall include strategies--
``(i) to assess cybersecurity risks;
``(ii) to prevent cybersecurity incidents;
``(iii) to detect and identify
cybersecurity incidents;
``(iv) to minimize damage in the event of a
cybersecurity incident;
-``(v) to protect data; and
+``(v) to protect data;
``(vi) to recover from any cybersecurity
-incidents expeditiously.
-``(B) Consultation.--In developing the plan under
+incidents expeditiously; and
+``(vii) to communicate and share non-
+sensitive information about cybersecurity
+incidents with entities in the Healthcare and
+Public Health Sector (as defined in section 2
+of the Health Care Cybersecurity and Resiliency
+Act of 2026).
+``(D) Consultation.--In developing the plan under
subparagraph (A), the Secretary shall consult with the
Director of the Cybersecurity and Infrastructure
Security Agency, the Director of the Office of
-Management and Budget, and the Director of the National
+Management and Budget, the Director of the National
Institute of Standards and Technology, and relevant
experts, as appropriate.
-``(C) Report.--Not later than 60 days before the
+``(E) Updates.--The Secretary shall review and
+update the plan under subparagraph (A)--
+``(i) not less frequently than once every 2
+years; and
+``(ii) after any significant cybersecurity
+incident affecting the Department of Health and
+Human Services or a Federal health program.
+``(F) Report.--Not later than 60 days before the
date on which the Secretary begins implementing the
plan under subparagraph (A), the Secretary shall submit
to the Committee on Health, Education, Labor, and
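Review bot: Subparagraph (F) still keys the report to "60 days before the date on which the Secretary begins implementing the plan", but subparagraph (A) now directs the Secretary to "expand and implement the Cyber Annex of the All Hazards Plan", a named annex rather than a plan created by this paragraph, so the date implementation "begins" is hard to pin down. Suggest tying the report to a fixed point, such as a number of days after the expanded annex is finalized. The updates required by new subparagraph (E) carry no matching report to the committees, and the trigger in (E)(ii), "any significant cybersecurity incident", has no threshold in this paragraph. Clause (vii) likewise leaves "non-sensitive information" without a definition or a cross-reference, which matters because it governs what is shared outside the Department during an incident.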
@@ -168,85 +652,95 @@
House of Representatives a report that describes such
plan.''.
-SEC. 6. BREACH REPORTING PORTAL.
-
-(a) Updates to Breach Reporting Portal.--Section 13402 of the
-HITECH Act (42 U.S.C. 17932) is amended by adding at the end the
-following:
-``(k) Updates to Regulations.--Not later than 1 year after the date
-of enactment of the Health Care Cybersecurity and Resiliency Act of
-2025, the Secretary shall update the regulations promulgated pursuant
-to subsection (j) to require that information required to be publicly
-displayed in the breach reporting portal established pursuant to this
-section includes--
-``(1) information on any corrective action taken against a
-covered entity that provided notification of a breach under
-this section;
-``(2) information on whether and to what extent, as
-appropriate, recognized security practices (as defined in
-section 13412(b)(1)) were considered in the investigation of
-such a breach; and
-``(3) such additional information about such a breach as
-the Secretary may require.''.
-
-SEC. 7. CLARIFYING BREACH REPORTING OBLIGATIONS.
+SEC. 6. CLARIFYING BREACH REPORTING OBLIGATIONS.
Section 13402(f) of the HITECH Act (42 U.S.C. 17932(f)) is amended
by adding at the end the following:
``(6) The number of individuals affected by the breach.''.
-SEC. 8. ENHANCING RECOGNITION OF SECURITY PRACTICES.
+SEC. 7. ENHANCING RECOGNITION OF SECURITY PRACTICES.
(a) Recognized Security Practices.--Section 13412(b)(1) of the
HITECH Act (42 U.S.C. 17941(b)(1)) is amended, in the first sentence,
by inserting ``, investments,'' after ``other programs''.
-(b) Guidance.--Not later than 1 year after the date of enactment of
-this Act, the Secretary shall issue guidance on the implementation of
+(b) Regulation.--Not later than 1 year after the date of enactment
+of this Act, the Secretary shall promulgate regulations implementing
section 13412 of the HITECH Act (42 U.S.C. 17941), which shall
include--
-(1) recognized security practices (as defined in subsection
-(b)(1) of such section) that the Secretary may consider when
-determining fines under such section;
+(1) recognized security practices that the Secretary may
+consider when determining fines under such section;
(2) the extent to which such recognized security practices
-should be in place for consideration by the Secretary; and
+should be in place for consideration by the Secretary;
(3) procedural requirements or information that shall be
-submitted by a covered entity or business associate (as such
-terms are defined in section 13400 of the HITECH Act (42 U.S.C.
-17921)) to the Secretary for consideration.
+submitted by a covered entity or business associate to the
+Secretary for consideration; and
+(4) how the Secretary will take into account such
+recognized security practices when determining fines, earlier
+favorable termination of audits, or mitigating remedies that
+would otherwise be agreed to in any agreement with respect to
+resolving potential violations of part 160 and subparts A and C
+of part 164 of title 45, Code of Federal Regulations (or
+successor regulations) (commonly known as the ``HIPAA Security
+Rule'') between the covered entity or business associate and
+the Department of Health and Human Services.
(c) Annual Report.--Not later than 2 years after the date of
enactment of this Act, and annually thereafter, the Secretary shall
include in the annual report required under section 13424(a) of the
HITECH Act (42 U.S.C. 17953(a)) information on implementation of
section 13412 of such Act (42 U.S.C. 17941), including an accounting of
every case in which the Secretary considered recognized security
-practices (as defined in subsection (b)(1) of such section) when
-effectuating audits and assessing fines under such section.
-
-SEC. 9. REQUIRED CYBERSECURITY STANDARDS.
-
-(a) In General.--The Secretary shall update the privacy, security,
-and breach notification regulations under parts 160 and 164 of title
-45, Code of Federal Regulations (or any successor regulation) to
-require covered entities and business associates to adopt the following
-cybersecurity practices:
-(1) Multifactor authentication, or a successor technology,
-for access to any information systems that may include
-protected health information.
-(2) Safeguards to encrypt protected health information.
-(3) Requirements to conduct audits, including penetration
-testing, to maintain the protections of information systems.
-(4) Other minimum cybersecurity standards, as determined by
-the Secretary, in consultation with private sector entities,
-based on landscape analysis of emerging and existing
-cybersecurity vulnerabilities and consensus-based best
-practices.
-(b) Effective Dates.--The Secretary shall specify in the
-regulations the effective date for each of the new requirements under
-the regulations updated in accordance with subsection (a). Each such
-effective date shall provide reasonable time for the entities subject
-to the requirement to come into compliance.
-
-SEC. 10. GUIDANCE ON RURAL CYBERSECURITY READINESS.
+practices when effectuating audits and assessing fines under such
+section.
+
+SEC. 8. REQUIRED CYBERSECURITY STANDARDS.
+
+(a) In General.--The Secretary shall update the security
+regulations under part 160 and subparts A and C of part 164 of title
+45, Code of Federal Regulations (or any successor regulation), to
+require non-governmental entities in the Healthcare and Public Health
+Sector and covered entities and business associates to adopt minimum
+risk-based cybersecurity practices, including--
+(1) multifactor authentication, or a successor technology;
+(2) encryption of protected health information, or a
+successor technology;
+(3) requirements to conduct monitoring, including
+penetration testing, to maintain the protections of information
+systems; and
+(4) other minimum cybersecurity standards, as reflected in
+national cybersecurity frameworks.
+(b) Requirements.--The minimum risk-based cybersecurity practices
+adopted pursuant to subsection (a) shall be based on--
+(1) national cybersecurity frameworks, as appropriate, such
+as--
+(A) the National Institute of Standards and
+Technology Risk Management Framework (or a successor
+framework);
+(B) the National Institute of Standards and
+Technology Cybersecurity Framework (or a successor
+framework);
+(C) the National Institute of Standards and
+Technology SP 800-53 r5 Security and Privacy Controls
+for Information Systems and Organizations (or a
+successor special publication), with relevant
+components of the National Institute of Standards and
+Technology Privacy Framework; or
+(D) the National Institute of Standards and
+Technology Artificial Intelligence Risk Management
+Framework;
+(2) the Health Sector Coordinating Council Cybersecurity
+Healthcare and Public Health Cybersecurity Performance Goals;
+and
+(3) the health care-specific cybersecurity performance
+goals of the Cybersecurity and Infrastructure Security Agency.
+(c) Effective Dates.--The regulations updated in accordance with
+subsection (a), including each new requirement established, shall take
+effect on the date that is 36 months after the date of enactment of
+this Act.
+(d) Enforcement.--The Secretary may exercise enforcement discretion
+for entities experiencing extraordinary circumstances in complying with
+the requirements of subsection (a).
+
+SEC. 9. GUIDANCE ON RURAL CYBERSECURITY READINESS.
Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C. 1533(d))
(as amended by section 5(2)) is amended by adding at the end the
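Review bot: In the rewritten required-standards section (now SEC. 8), subsection (a)(1) is reduced to "multifactor authentication, or a successor technology;" and loses the earlier scope "for access to any information systems that may include protected health information". With no scope in the statute, the rule has to decide on its own which systems, accounts and access paths need a second factor; suggest restoring a scoping phrase or stating that scope is set by the risk-based frameworks listed in subsection (b). Paragraph (3) replaces "audits, including penetration testing" with "monitoring, including penetration testing"; if periodic independent assessment is still intended, keep both terms, since continuous monitoring and point-in-time testing are different controls. Subsection (d) allows enforcement discretion for "extraordinary circumstances" without criteria or a time limit, and the same hunk removes the breach reporting portal section, including the public display of corrective actions, with no replacement visible in these lines. The name in subsection (b)(2) repeats "Cybersecurity" and should be checked against the published title of the goals.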
@@ -254,124 +748,148 @@
``(5) Rural cybersecurity guidance.--
``(A) Definition of rural.--In this paragraph, the
term `rural' has the meaning given such term by the
-Health Resources and Services Administration.
+Federal Office of Rural Health Policy.
``(B) Guidance on rural cybersecurity readiness.--
Not later than 1 year after the date of enactment of
the Health Care Cybersecurity and Resiliency Act of
-2025, the Secretary shall issue guidance to rural
-entities on best practices to improve cyber readiness,
-including strategies--
-``(i) to improve cyber infrastructure,
-including any technical safeguards to mitigate
-cybersecurity risk;
+2026, the Secretary shall issue guidance to rural
+entities on best practices to improve cybersecurity
+readiness, including strategies--
+``(i) to improve cybersecurity
+infrastructure, including any technical
+safeguards to mitigate cybersecurity risk;
``(ii) to integrate best practices issued
by the Secretary to improve cybersecurity
preparedness;
-``(iii) to improve employee preparation to
+``(iii) to improve workforce preparation to
mitigate any cybersecurity risks, including
existing public-private programs to support
-educational initiatives; and
+educational initiatives;
``(iv) to implement policies to facilitate
mandatory cybersecurity incident reporting
-requirements under law.
-``(C) GAO study and report.--
+requirements under law; and
+``(v) to explore and recommend best
+practices, including--
+``(I) outsourcing information
+technology and chief information
+security officer functions to third
+parties on a part-time basis;
+``(II) participating in regional
+rural health care information
+technology management sharing programs;
+and
+``(III) migrating data to secure
+cloud-based platforms.
+``(C) Technical assistance.--The Secretary shall
+provide technical assistance to rural entities to
+implement the recommendations included in the guidance
+under subparagraph (B).
+``(D) GAO study and report.--
``(i) In general.--Not later than 3 years
after the date of enactment of the Health Care
-Cybersecurity and Resiliency Act of 2025, the
+Cybersecurity and Resiliency Act of 2026, the
Comptroller General of the United States shall
-conduct, and submit to the Committee on Health,
-Education, Labor, and Pensions of the Senate
-and the Committee on Energy and Commerce of the
-House of Representatives a report that
-describes the results of, a study to examine
+conduct a study, and submit to the Committee on
+Health, Education, Labor, and Pensions of the
+Senate and the Committee on Energy and Commerce
+of the House of Representatives a report, on
how rural entities have implemented the
recommendations included in the guidance under
subparagraph (B).
-``(ii) Requirements.--The study under
-clause (i) shall assess--
+``(ii) Contents.--The study under clause
+(i) shall assess--
``(I) how rural entities have
implemented any technical safeguards
and any challenges faced by such rural
entities in areas for which safeguards
were not implemented;
``(II) steps to further support
-cyber resilience for rural entities;
+cybersecurity resilience for rural
+entities;
``(III) areas to improve
coordination between Federal agencies,
including for the purposes of required
cyber reporting; and
``(IV) any opportunities to support
public-private collaboration in the
-area of cyber readiness.''.
-
-SEC. 11. GRANTS TO ENHANCE CYBERSECURITY IN THE HEALTH AND PUBLIC
+area of cybersecurity readiness.''.
+
+SEC. 10. GRANTS TO ENHANCE CYBERSECURITY IN THE HEALTH AND PUBLIC
HEALTH SECTORS.
-Part P of title III of the Public Health Service Act (42 U.S.C.
-280g et seq.) is amended by adding at the end the following:
-
-``SEC. 399V-8. GRANTS.
-
-``(a) In General.--The Secretary may award grants to eligible
-entities for the adoption and use of cybersecurity best practices.
-``(b) Eligible Entity.--To be eligible to receive a grant under
-subsection (a) an entity shall be--
-``(1) a public or nonprofit private health center
-(including a Federally qualified health center (as defined in
-section 1861(aa)(4) of the Social Security Act));
-``(2) a health facility operated by or pursuant to a
-contract with the Indian Health Service;
-``(3) a hospital;
-``(4) a cancer center;
-``(5) a rural health clinic;
-``(6) an academic health center; or
-``(7) a nonprofit entity that enters into a partnership or
+(a) In General.--The Secretary may award grants to eligible
+entities for the adoption and implementation of cybersecurity best
+practices.
+(b) Eligible Entity.--To be eligible to receive a grant under
+subsection (a), an entity shall be--
+(1) a Federally qualified health center (as defined in
+section 1861(aa)(4) of the Social Security Act (42 U.S.C.
+1395x(aa)(4)));
+(2) a health facility operated by or pursuant to a contract
+with the Indian Health Service;
+(3) a nonprofit hospital;
+(4) a rural health clinic (as defined in section
+1861(aa)(2) of the Social Security Act (42 U.S.C.
+1395x(aa)(2))); or
+(5) a nonprofit entity that enters into a partnership or
coordinates referrals with an entity described in any of
-paragraphs (1) through (6).
-``(c) Use of Funds.--In adopting and using cybersecurity best
+paragraphs (1) through (4).
+(c) Use of Funds.--In adopting and implementing cybersecurity best
practices pursuant to a grant under subsection (a), an eligible entity
may use grant funds--
-``(1) to hire and train personnel in such cybersecurity
-best practices;
-``(2) to update electronic data systems, such as by
-migrating to cloud based platforms;
-``(3) to join and participate in health cybersecurity
-threat information sharing organizations;
-``(4) to reduce the use of legacy systems; and
-``(5) to contract with third parties to assist with the
-activities described in paragraphs (1) through (5).
-``(d) Grant Period.--The Secretary may award a grant under this
-section for a period of not more than 3 years.
-``(e) Application.--An eligible entity seeking a grant under
+(1) to hire individuals with demonstrated cybersecurity
+expertise and train personnel in such cybersecurity best
+practices;
+(2) to update electronic data systems, such as by migrating
+to cloud-based platforms;
+(3) to join and participate in health cybersecurity threat
+information sharing organizations;
+(4) to contract with third parties to assist the eligible
+entity in carrying out the activities described in this
+subsection;
+(5) to conduct cybersecurity risk assessments and
+vulnerability assessments; and
+(6) to develop or improve cybersecurity incident response
+plans.
+(d) Grant Period.--A grant awarded under this section shall be for
+a period of not more than 3 years.
+(e) Priority.--In awarding grants under this section, the Secretary
+may give consideration to the demonstrated need of eligible entities.
+(f) Application.--An eligible entity seeking a grant under
subsection (a) shall submit to the Secretary an application at such
time, in such manner, and containing such information as the Secretary
-may require including, at a minimum a description of how the eligible
-entity will establish baseline measures and benchmarks that meet the
-Secretary's requirements to evaluate program outcomes.
-``(f) Authorization of Appropriations.--There are authorized to be
+may require, including--
+(1) a description of how the eligible entity will establish
+baseline measures and benchmarks that meet the Secretary's
+requirements to evaluate performance outcomes; and
+(2) a strategic plan for how, after the end of the grant
+period, the eligible entity will sustain the activities funded
+under the grant and continue to adopt cybersecurity best
+practices.
+(g) Authorization of Appropriations.--There are authorized to be
appropriated to carry out this section such sums as may be necessary
-for each of fiscal years 2025 through 2030.''.
-
-SEC. 12. HEALTHCARE CYBERSECURITY WORKFORCE.
+for each of fiscal years 2026 through 2030.
+
+SEC. 11. HEALTHCARE CYBERSECURITY WORKFORCE.
(a) Training for Healthcare Experts.--The Secretary, in
-coordination with the Cybersecurity State Coordinators of the Agency
-and private sector health care experts, as appropriate, shall provide
-training to Healthcare and Public Health Sector asset owners and
-operators on--
+coordination with the Cybersecurity State Coordinators of the Agency,
+the Office of the National Cyber Director, and private sector health
+care experts, as appropriate, shall provide training to Healthcare and
+Public Health Sector entities on--
(1) cybersecurity risks to information systems within the
Healthcare and Public Health Sector; and
(2) ways to mitigate the risks to information systems in
the Healthcare and Public Health Sector.
-(b) Cross-Agency Educational Tools.--
+(b) Strategic Plan.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, the Secretary, acting through the
Administrator of the Health Resources and Services
Administration, in coordination with the Agency, shall develop
a strategic plan to support growing the cybersecurity workforce
for health care entities.
-(2) Inclusions.--The strategic plan under paragraph (1)
-shall include--
+(2) Contents.--The strategic plan under paragraph (1) shall
+include--
(A) recommendations for existing educational
programs that can be used to support cybersecurity
training;
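Review bot: The use-of-funds list in the rewritten grants section (subsection (c)) drops the earlier paragraph "to reduce the use of legacy systems" without a replacement. If retiring unsupported systems is still meant to be fundable, list it explicitly or confirm that paragraph (2), "to update electronic data systems", is intended to cover it. The new paragraph (4) correctly fixes the old self-reference ("paragraphs (1) through (5)" inside paragraph (5)) by pointing to "this subsection". Subsection (e) lets the Secretary weigh "demonstrated need" but gives no indicators for it; a short list would make awards easier to audit. The section is also no longer drafted as an addition to the Public Health Service Act, so any definitions it previously relied on from that Act need to be supplied here.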
@@ -379,7 +897,67 @@
materials on how to improve cybersecurity resilience;
(C) development of best practices to train the
health care workforce on cybersecurity best practices;
-and
-(D) opportunities for public-private collaboration
-to strengthen the cybersecurity workforce.
-<all>
+(D) development of recommendations specific to
+rural facilities;
+(E) development of best practices to leverage
+artificial intelligence to support cybersecurity
+preparedness;
+(F) opportunities for public-private collaboration
+to strengthen the cybersecurity workforce; and
+(G) alignment with the National Initiative for
+Cybersecurity Education Workforce Framework.
+
+SEC. 12. CYBERSECURITY INCIDENT REPORTING COORDINATION WORKING GROUP.
+
+(a) Working Group.--
+(1) In general.--Not later than 1 year after the date of
+enactment of this Act, the Secretary shall convene a working
+group to examine how to streamline and reduce duplicative
+reporting for cybersecurity incidents.
+(2) Membership.--The working group described in paragraph
+(1) shall include representatives of--
+(A) the Cybersecurity and Infrastructure Security
+Agency;
+(B) the Securities and Exchange Commission;
+(C) the Office of the National Cyber Director;
+(D) the Federal Bureau of Investigation;
+(E) the Federal Trade Commission;
+(F) State attorneys general;
+(G) State health departments; and
+(H) private sector health care entities.
+(3) Conclusion.--The working group shall conclude not later
+than 18 months after the date of the first meeting of the
+working group.
+(b) Report.--Not later than 1 year after the conclusion of the
+working group under subsection (a)(3), the Secretary shall submit to
+the Committee on Health, Education, Labor, and Pensions of the Senate
+and the Committee on Energy and Commerce of the House of
+Representatives a report that--
+(1) identifies areas the working group has identified to
+streamline and reduce duplicative reporting;
+(2) includes recommendations to Congress on further
+streamlining such reporting; and
+(3) addresses coordination with State breach notification
+laws.
+Calendar No. 365
+
+119th CONGRESS
+
+2d Session
+
+S. 3315
+
+_______________________________________________________________________
+
+A BILL
+
+To require the Secretary of Health and Human Services and the Director
+of the Cybersecurity and Infrastructure Security Agency to coordinate
+to improve cybersecurity in the health care and public health sectors,
+and for other purposes.
+
+_______________________________________________________________________
+
+March 23, 2026
+
+Reported with an amendment
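Review bot: In new SEC. 12, subsection (a)(3) runs the 18-month conclusion clock from "the date of the first meeting of the working group", but subsection (a)(1) only sets a deadline to convene the group, and nothing in these lines fixes when the first meeting must occur. Suggest either defining convening as the first meeting or running the 18 months from the convening deadline, so the report date under subsection (b) is determinable from the date of enactment. The membership list in (a)(2) is introduced with "representatives of" but names no chair and does not say how State and private sector members are selected. In the workforce section above, new subparagraph (E) on leveraging artificial intelligence does not reference the Artificial Intelligence Risk Management Framework that SEC. 8(b)(1)(D) already cites; a cross-reference would keep the two consistent.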

Lobbying activity

Organizations whose LDA filings reference this bill, ranked by filing count. Position not disclosed — LDA does not require lobbyists to report support / oppose / monitor. Bill-number references can be stale (lobbyists sometimes copy text year-over-year), so verify against the filing description.

3 filings · 2026 Q4
1 filings · 2026 Q1
1 filings · 2026 Q1
1 filings · 2026 Q1

via Senate LDA · self-reported quarterly. Filing count = filings mentioning this bill (no position required), not money spent on it. Click a client to see all bills they've filed on.

Cosponsors (3)

Members who signed on to support this bill.