US S3315

Health Care Cybersecurity and Resiliency Act of 2026


Introduced: 12/02/2025
In Committee: 02/26/2026

Introduced Session

119th Congress

Bill Summary

A bill to require the Secretary of Health and Human Services and the Director of the Cybersecurity and Infrastructure Security Agency to coordinate to improve cybersecurity in the health care and public health sectors, and for other purposes.

AI Summary

This bill, the Health Care Cybersecurity and Resiliency Act of 2026, aims to bolster cybersecurity within the healthcare and public health sectors by fostering collaboration between the Secretary of Health and Human Services (HHS) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA). Key provisions include requiring these agencies to coordinate, potentially through a cooperative agreement, to improve cybersecurity, and to make resources available to entities that share information on cyber threats and defensive measures. The bill mandates the creation of a joint cybersecurity capability plan to coordinate responses to significant cyber incidents affecting the sector, which will include protocols for rapid information sharing and coordination with state-level cybersecurity coordinators. HHS will also designate a representative to lead internal and external cybersecurity resilience efforts within the department, excluding direct enforcement of the HIPAA Security Rule. Furthermore, the bill amends existing laws to clarify definitions related to cybersecurity incidents and risks, requires HHS to develop and implement a comprehensive cybersecurity incident response plan for the department, and mandates that the number of individuals affected by a breach be reported. It also enhances the recognition of "recognized security practices" by HHS when determining fines or remedies for potential HIPAA Security Rule violations, and requires HHS to update its security regulations to mandate minimum risk-based cybersecurity practices for non-governmental entities, including multi-factor authentication and encryption, based on national cybersecurity frameworks. 
The bill also directs HHS to issue guidance and provide technical assistance for rural healthcare entities to improve their cybersecurity readiness, and authorizes grants for eligible healthcare providers to adopt and implement cybersecurity best practices, such as hiring cybersecurity experts, updating systems, and developing incident response plans. Finally, it calls for training programs for healthcare professionals on cybersecurity risks and mitigation strategies, the development of a strategic plan to grow the healthcare cybersecurity workforce, and the establishment of a working group to streamline and reduce duplicative reporting requirements for cybersecurity incidents.

Committee Categories

Health and Social Services

Sponsors (4)

Last Action

Placed on Senate Legislative Calendar under General Orders. Calendar No. 365. (on 03/23/2026)
