Senate Advances Bipartisan Health Care Cybersecurity and Resiliency Act
Key Takeaways
- The bipartisan Health Care Cybersecurity and Resiliency Act would formalize coordination between US Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) and require a federal health sector cybersecurity incident response plan.
- The bill mandates updates to the Health Insurance Portability and Accountability Act (HIPAA) security standards, including multifactor authentication, encryption, enhanced audits, and expanded breach reporting transparency.
- It also authorizes grants, rural guidance, and workforce initiatives aimed at strengthening cybersecurity resilience across providers, payers, and the broader health care ecosystem.
The Senate Health, Education, Labor, and Pensions (HELP) Committee recently advanced the Health Care Cybersecurity and Resiliency Act of 2025 in a strong bipartisan vote, signaling growing congressional consensus around strengthening cybersecurity protections across the health care sector.¹
Lawmakers described the bill as a response to escalating cyberattacks that have disrupted patient care, claims processing, and health system operations nationwide.¹,²
For payers, managed care organizations (MCOs), and health IT stakeholders, the legislation could reshape compliance expectations under HIPAA and introduce more formalized federal oversight mechanisms.
What the Bill Would Do
1. Formalize HHS–CISA Coordination
The legislation would require the Secretary of HHS and the Director of CISA to coordinate—potentially through a cooperative agreement—to improve cybersecurity in the health care and public health sector.³
This coordination includes:
- Making cybersecurity resources available to sector entities
- Developing sector-specific products and guidance
- Sharing cyber threat indicators and defensive measures
The bill also clarifies that HHS, through the Assistant Secretary for Preparedness and Response, would lead oversight of cybersecurity resiliency within the department and coordinate with public and private entities.³
Why it matters for managed care:
Federal coordination could standardize threat-sharing expectations and influence how payers engage during sector-wide cyber incidents.
2. Establish a Federal Cybersecurity Incident Response Plan
Within one year of enactment, the Secretary of HHS would be required to develop and implement a formal cybersecurity incident response plan.
The plan must include strategies for the following:
- Assessing cybersecurity risks
- Preventing and detecting incidents
- Minimizing damage and protecting data
- Expediting recovery following incidents
HHS must consult with CISA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST), and report to Congress prior to implementation.
Implication:
Federal response frameworks could shape expectations for payer-level incident planning and reporting alignment.
3. Update HIPAA Security Requirements
One of the most operationally significant provisions would require HHS to update HIPAA privacy, security, and breach notification regulations to mandate minimum cybersecurity practices.³
Covered entities and business associates would be required to adopt the following:
- Multifactor authentication (MFA)
- Encryption safeguards for protected health information (PHI)
- Security audits, including penetration testing
- Additional minimum cybersecurity standards based on emerging vulnerabilities
Effective dates must allow reasonable time for compliance.³
These provisions reinforce and potentially accelerate broader modernization of the HIPAA Security Rule.¹
For payers and MCOs:
Enterprise-wide MFA enforcement, encryption validation, and third-party penetration testing may become explicit regulatory obligations rather than best practices.
4. Enhance Breach Reporting Transparency
The legislation would update the HHS breach reporting portal to include:
- Information on corrective actions taken against entities
- Whether recognized security practices were considered during investigations
- Additional breach information as required by the Secretary
It would also require reporting of the number of individuals affected by a breach.³
Operational impact:
Increased public reporting may elevate reputational and contractual risk following breach events.
5. Recognize Security Investments in Enforcement
The bill strengthens recognition of “recognized security practices” when HHS evaluates audits and fines and requires the Secretary to issue guidance on how those practices will be considered. An annual report would detail each case in which such practices were considered in enforcement decisions.³
Managed care takeaway:
Documented alignment with recognized cybersecurity frameworks may carry greater weight in enforcement mitigation.
6. Support Rural and Underserved Providers
The Act requires HHS to issue cybersecurity guidance tailored to rural entities and mandates a U.S. Government Accountability Office (GAO) study examining implementation challenges and opportunities for public-private collaboration.
Additionally, the bill authorizes grant funding for hospitals, rural health clinics, Federally Qualified Health Centers (FQHCs), academic health centers, and other eligible entities. Grant funds may be used to:
- Hire and train cybersecurity personnel
- Modernize data systems and reduce legacy infrastructure
- Participate in information sharing organizations
Funding would be authorized for fiscal years 2025-2030.³
Bipartisan sponsors framed these provisions as essential for smaller providers that lack the resources of larger systems.²
The Bottom Line
While the bill is not yet law, its bipartisan advancement indicates that federal cybersecurity modernization in health care remains a legislative priority.
Managed care organizations should monitor:
- Pending HIPAA regulatory updates
- Evolving breach reporting expectations
- Vendor risk management implications
- Opportunities to align with recognized security frameworks
- Grant programs that may strengthen network-wide resilience
Cybersecurity risk in health care increasingly affects claims continuity, member data protection, and provider network stability. The Health Care Cybersecurity and Resiliency Act reflects Congress’s effort to treat cybersecurity as a core component of health system infrastructure.
References
- Crowell & Moring LLP. Senate advances bipartisan health care cybersecurity reform. Published February 27, 2026. Accessed March 13, 2026. https://www.crowell.com/en/insights/client-alerts/senate-advances-bipartisan-health-care-cybersecurity-reform
- Miliard M. Bipartisan healthcare cyber legislation advances in Senate. Healthcare IT News. Published February 27, 2026. Accessed March 13, 2026. https://www.healthcareitnews.com/news/bipartisan-healthcare-cyber-legislation-advances-senate
- Health Care Cybersecurity and Resiliency Act of 2025, S. ___, 119th Cong. (2025).