Senate Panel Advances Major Health Care Cybersecurity Reform Bill

A sweeping bipartisan bill aimed at strengthening cybersecurity across the U.S. health care system has cleared a key hurdle in the Senate.

The Health Care Cybersecurity and Resiliency Act advanced out of the Senate Health, Education, Labor and Pensions (HELP) Committee in a decisive 22–1 vote. Only Sen. Rand Paul, R-Ky., opposed the measure.

The legislation, introduced by Sen. Bill Cassidy alongside Sens. Mark Warner, John Cornyn and Maggie Hassan, would significantly reshape cybersecurity practices at the Department of Health and Human Services (HHS).

Incident Response Plan and Federal Coordination

If enacted, the bill would require the HHS secretary to develop a comprehensive cybersecurity incident response plan and submit it to Congress for oversight. It would also mandate closer coordination between HHS and the Cybersecurity and Infrastructure Security Agency (CISA) to strengthen protection of the health care and public health sectors.

Additional provisions would:

  • Create tailored cybersecurity guidance for rural health care providers.
  • Establish programs to improve cybersecurity literacy across the health workforce.
  • Designate the Administration for Strategic Preparedness and Response (ASPR) within HHS as the official Sector Risk Management Agency for health care and public health.

Lawmakers say the reforms are long overdue as hospitals and insurers face escalating ransomware attacks and nation-state cyber threats.

Change Healthcare Attack Sparked Urgency

Sponsors pointed to the massive 2024 cyberattack on Change Healthcare as a catalyst for action. The breach affected hundreds of millions of Americans and disrupted billing systems and care delivery nationwide.

During committee discussions, Cassidy cited more than 730 cyber breaches tied to the incident, exposing sensitive data and delaying medical services.

Health security officials have warned that the attack exposed deep vulnerabilities in third-party service providers, revealing how a single vendor can disrupt vast segments of the medical system.

Modernizing HIPAA and Expanding Grants

The bill would also update the Health Insurance Portability and Accountability Act (HIPAA) to ensure regulated entities adopt modern cybersecurity safeguards aligned with current threats.

To help facilities meet higher standards, the proposal creates a new federal grant program for hospitals, rural clinics, cancer centers, academic medical institutions, the Indian Health Service and nonprofit partners. The funding would support implementation of cybersecurity best practices and infrastructure upgrades.

Supporters argue that smaller and rural providers, often operating with limited budgets and IT staff, are particularly vulnerable to cyberattacks that can halt emergency room operations or expose sensitive patient records.

What Comes Next

With committee approval secured, the legislation now heads to the full Senate for consideration. If passed, it would mark one of the most significant overhauls of federal health care cybersecurity policy in years.

As ransomware and digital threats continue to evolve, lawmakers from both parties say protecting medical systems is no longer optional — it is a matter of national security and patient safety.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO