Unpacking the Healthcare Cybersecurity and Resilience Act: What to Know
Published on March 5, 2026
by Jonathan Elmer, CISSP
Healthcare has long been one of the most targeted sectors in the cybersecurity landscape, and recent legislative action from Capitol Hill reflects a meaningful policy response. On February 27, 2026, the Health Care Cybersecurity and Resiliency Act of 2025 (S. 3315) passed the Senate Health, Education, Labor, and Pensions (HELP) Committee with a 22-1 vote, advancing the most substantive healthcare cybersecurity legislation in years toward a full Senate floor vote [1]. For healthcare leaders, compliance professionals, and security practitioners, the provisions warrant close attention.
The Threat Landscape Driving Legislative Action
The urgency behind this bill is grounded in recent incident data. In 2024 alone, the healthcare sector experienced more than 730 cyber breaches affecting over 270 million Americans[2]. The Change Healthcare ransomware attack exposed the data of 190 million individuals and caused significant disruption to electronic prescribing, claims processing, and patient care delivery across the country[1]. As ASPR Director Charlee Hess noted at a recent industry event, "It wasn't a hospital — it was a company most people have never heard of — and had major impacts on our sector and threatened the liquidity of our entire health care system"[1].
The average cost of a healthcare data breach now stands at $10 million per incident, reflecting not only remediation costs, but prolonged care disruptions that can affect patient safety[2]. This context makes the legislative response timely and appropriate.
Key Provisions of the Bill
The Health Care Cybersecurity and Resiliency Act was sponsored by HELP Committee Chair Sen. Bill Cassidy (R-LA) alongside Senators Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH). It is a bipartisan product of a working group that has been developing recommendations since 2023[2]. Its primary provisions include:
- HHS Incident Response Plan: Requires the Secretary of Health and Human Services to develop a formal cybersecurity incident response plan and submit it to Congress for review[1]
- CISA Partnership: Directs HHS to formally partner with the Cybersecurity and Infrastructure Security Agency (CISA) on cybersecurity oversight across the healthcare and public health sectors[1]
- Sector Risk Management Designation: Designates the Administration for Strategic Preparedness and Response (ASPR) at HHS as the official Sector Risk Management Agency (SRMA) for the Healthcare and Public Health sector[1]
- Rural Healthcare Guidance: Directs development of tailored cybersecurity guidance for rural healthcare providers, who often face resource constraints in building security programs[1]
- Workforce Cybersecurity Literacy: Establishes a plan to build cybersecurity awareness and capability across the healthcare workforce[2]
- HIPAA Modernization: Updates HIPAA to align regulated entities with current cybersecurity practices[1]
- Federal Grant Program: Creates a federal grant program to help hospitals, cancer centers, rural health clinics, the Indian Health Service, academic health centers, and partnering nonprofit organizations adopt cybersecurity best practices[1]
Funding and Resource Impacts
The introduction of a dedicated federal grant program is one of the most operationally significant elements of the bill for under-resourced healthcare organizations[1]. Rural providers, Federally Qualified Health Centers (FQHCs), and safety-net hospitals have consistently struggled to build and sustain mature cybersecurity programs given thin margins and limited IT staffing. By directing federal funding toward these organizations specifically, Congress is acknowledging a longstanding gap: compliance mandates without corresponding resources tend to produce incomplete security programs that expose both patients and organizations to unnecessary risk[2].
For larger health systems, the ASPR SRMA designation provides a clearly defined federal counterpart for threat intelligence sharing, incident coordination, and sector-wide resilience planning. That type of structural clarity was notably absent during the response to the Change Healthcare crisis[1].
Implications for Providers, Payers, and the Industry
Covered Entities and Hospitals
Hospitals and covered entities should expect increased federal attention to their cybersecurity postures as the bill's HIPAA modernization provisions develop. Organizations that have deferred investment in areas such as network segmentation, incident response planning, and third-party risk management will face mounting pressure from both a regulatory and operational standpoint[1].
Payers and Health Plans
For payers, the third-party risk dimensions of this legislation deserve particular attention. The Change Healthcare incident illustrated how deeply a single business associate can be embedded across an entire sector's payment infrastructure[1]. Payers should treat this legislative development as a prompt to revisit vendor risk management programs, review business associate agreements, and map dependencies on concentrated service providers.
Rural and Safety-Net Providers
The targeted provisions for rural healthcare reflect a practical recognition of resource disparities across the sector. Organizations in this category should begin positioning themselves to access grant funding as the program matures, starting with baseline security assessments to identify the most critical gaps[1][2].
Security and Compliance Professionals
For GRC and security practitioners, the bill's passage through committee with a 22-1 vote reflects strong bipartisan consensus. While the legislation still needs to pass the full Senate and House, the political momentum is notable[1]. Practitioners would be well served by beginning to map their programs against the bill's emerging requirements now, particularly around incident response planning, workforce training, and HIPAA alignment.
The HIPAA Security Rule Update: Still Pending
Running parallel to this legislative activity is a long-awaited regulatory update that compliance professionals must also track. The HHS Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) for an overhaul of the HIPAA Security Rule on January 6, 2025, with a public comment period that closed on March 7, 2025[3]. This represents the first major update to the HIPAA Security Rule since the HIPAA Omnibus Rule of 2013[3].
Despite the comment period closing over a year ago, the rule has not yet been finalized. As of late 2025, the rule is scheduled to be finalized in May 2026, meaning that new requirements could take effect before the end of the year[4], although sentiment is mixed on the actual timing of finalization. The current administration at HHS will ultimately determine the final shape and timing of the rule[3].
What the Proposed Rule Requires
The proposed HIPAA Security Rule changes are substantive, eliminating the longstanding "required vs. addressable" implementation specification distinction in favor of mandatory standards across the board[3][5]. Key requirement impacts include:
| Requirement | Prior Status | Proposed Status |
|---|---|---|
| Encryption of ePHI (at rest and in transit) | Addressable | Required (limited exceptions) |
| Multi-Factor Authentication (MFA) | Addressable | Required (limited exceptions) |
| Annual Penetration Testing | Not required | Required |
| Vulnerability Scanning (every 6 months) | Not required | Required |
| Network Segmentation | Not required | Required |
| 72-Hour System Restoration | Not required | Required |
| Annual Compliance Audits | Not required | Required for CEs and BAs |
| Business Associate Annual Verification | Not required | Required |
| Asset Inventory and Network Maps | Not required | Required |
| Workforce Access Change Notification (24-hour) | Not required | Required |
Table 1: Comparison of Current and Proposed HIPAA Security Rule Requirements[5][6]
Planning in the Absence of a Final Rule
The gap between the comment period closing and final rule publication creates a practical compliance planning challenge. Organizations that have already invested in modernizing their security programs are reasonably well positioned, while those waiting on a final rule to trigger action carry increasing risk in the interim[4]. OCR has clearly signaled that the current Security Rule's flexibility is being replaced with prescriptive, enforceable requirements aligned with current cybersecurity standards[3].
The Legislative and Regulatory Tracks Together
The Health Care Cybersecurity and Resiliency Act and the HIPAA Security Rule update are moving along separate but complementary tracks. The legislation aims to modernize HIPAA through statute, while the NPRM pursues the same objective through the regulatory process[1][3]. Should both advance, covered entities may find themselves subject to overlapping but reinforcing requirements, which, while operationally demanding, represents a substantive step toward a more defensible healthcare sector.
For industry leaders, the direction of travel is consistent regardless of which vehicle ultimately prevails: prescriptive cybersecurity requirements in healthcare are coming. Organizations that use this window to build mature, well-documented security programs will be better positioned to protect patients and manage regulatory expectations as both tracks continue to develop.
Conclusion
Healthcare organizations navigating this evolving regulatory landscape do not need to do so alone. Meditology Services is a leading healthcare security and privacy advisory firm with deep expertise in helping providers, payers, and health IT organizations build and mature their cybersecurity programs in alignment with the requirements that matter most in this sector.
As both the Health Care Cybersecurity and Resiliency Act and the updated HIPAA Security Rule continue to develop, Meditology's team of experienced practitioners can support your organization across the full spectrum of program modernization needs, including:
- HIPAA Security Rule Readiness Assessments: Gap analyses mapped against the proposed rule's new mandatory requirements, helping organizations understand where they stand today and what remediation efforts to prioritize
- Incident Response Program Development: Building and testing incident response plans aligned with HHS expectations and emerging federal requirements
- Third-Party and Vendor Risk Management: Strengthening business associate oversight programs in anticipation of new verification and audit requirements
- Security Program Maturity Advancement: Designing and executing roadmaps that move organizations from compliance-driven programs to risk-based, operationally resilient security postures
- Rural and Safety-Net Provider Support: Helping resource-constrained organizations prepare for new federal grant funding while building foundational security capabilities
Organizations that engage proactively with the changing requirements rather than waiting for enforcement to drive action will be better positioned to protect patients, reduce operational risk, and demonstrate meaningful compliance when regulators come calling.
To learn more about how Meditology Services can support your organization's cybersecurity and compliance journey, contact us now!
About the Author
Jonathan Elmer, CISSP – Director, IT Risk Management and Technical Lead
Jonathan Elmer is a seasoned cybersecurity professional and IT risk management consultant with over a decade of experience. He is adept at delivering impactful information security solutions aligned with business objectives, with a proven track record in leading regulatory and compliance-focused initiatives and spearheading the implementation of technical security programs. His notable roles include Chief Information Security Officer, Technical Services Lead, Medical Device Security Architect, and Director of IT Risk Management Consulting at Meditology Services, demonstrating leadership and expertise in project delivery, strategic direction, and client engagement.