Senate committee advances healthcare cybersecurity overhaul bill

The bipartisan Health Care Cybersecurity and Resiliency Act passed the Senate Health, Education and Labor (HELP) Committee 22-1, moving the legislation closer to overhauling cybersecurity practices at the Department of Health and Human Services (HHS).

What happened

The Senate HELP Committee advanced the Health Care Cybersecurity and Resiliency Act on Thursday with a 22-1 vote. Sen. Rand Paul cast the sole dissenting vote. Committee chair Sen. Bill Cassidy sponsored the bill alongside Sens. Mark Warner, John Cornyn, and Maggie Hassan.

The legislation would require the HHS Secretary to develop a cybersecurity incident response plan and present it to Congress. It would also direct HHS to partner with the Cybersecurity and Infrastructure Security Agency (CISA) on health sector cybersecurity oversight, create specific guidance for rural healthcare providers, and launch a plan to improve cybersecurity literacy across the healthcare workforce.

The bill would update the Health Insurance Portability and Accountability Act (HIPAA) to require regulated entities to adopt modern cybersecurity practices and establish a new federal grant program to help hospitals, cancer centers, rural health clinics, the Indian Health Service, academic health centers, and partnering nonprofits adopt cybersecurity best practices.

Going deeper

One provision designates the Administration for Strategic Preparedness and Response (ASPR) at HHS as the Sector Risk Management Agency for the Healthcare and Public Health sectors. Senators cited the 2024 Change Healthcare cyberattack as the primary driver behind the legislation, calling it emblematic of a sector under constant siege from cybercriminals, ransomware actors, and nation-states.

According to the American Hospital Association's report, "Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Field," most hospital enterprise risk management programs failed to identify their dependency on Change Healthcare as a risk. The report notes that restrictive exclusivity clauses further compounded the problem, leaving organizations without the vendor redundancy needed to weather the outage.

What was said

At the hearing's opening, Sen. Cassidy cited the scale of the fallout from a single attack: "Last year there were more than 730 cyber breaches affecting over 270 million Americans [connected to] Change Healthcare, exposing 190 million people's data and delaying access to care."

Sen. Hassan noted the burden on smaller healthcare systems: "Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs – and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks."

Why it matters

Rural hospitals and clinics operate on thin margins with limited IT staff, making them attractive targets for ransomware groups that know recovery resources are scarce. By creating targeted guidance and a federal grant program for these facilities, the legislation addresses a gap that broad federal cybersecurity frameworks have historically overlooked.

Current HIPAA security rules were written with an older threat landscape in mind. As ransomware, double-extortion attacks, and supply-chain compromises have become standard tactics, the gap between HIPAA's requirements and what's actually needed to protect patients has grown.

The bottom line

A 22-1 committee vote signals strong bipartisan support for healthcare cybersecurity reform. If enacted, this bill would update HIPAA, establish clearer agency responsibilities, and create new funding pathways for the most vulnerable providers. Healthcare organizations should monitor this legislation closely and begin assessing where their cybersecurity practices may fall short of the modernized standards it would require.

FAQs

What is a Sector Risk Management Agency and why does it matter?

A Sector Risk Management Agency is a federal body designated to oversee cybersecurity risk for a specific critical infrastructure sector.

What makes rural healthcare providers vulnerable to cyberattacks?

Rural hospitals and clinics operate with smaller IT teams, tighter budgets, and less vendor redundancy, making it harder to prevent attacks.

What is third-party cyber risk?

Third-party cyber risk refers to the vulnerabilities introduced when healthcare organizations rely on outside vendors for critical functions.

What is HIPAA and why hasn't it kept pace with modern cyber threats?

HIPAA is the federal law governing the privacy and security of patient health information, and its security standards were written before ransomware, double-extortion attacks, and supply-chain compromises became the dominant tactics used against healthcare.