S. 3315: Health Care Cybersecurity and Resiliency Act of 2025
This bill, known as the Health Care Cybersecurity and Resiliency Act of 2025, is aimed at enhancing cybersecurity within the healthcare and public health sectors. It designates the Secretary of Health and Human Services (HHS) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to work together to improve cybersecurity standards and practices. Key components of the bill include:
Coordination and Cooperation
The bill requires the Secretary and the Director to coordinate through cooperative agreements to strengthen cybersecurity measures. This involves sharing resources and information to help healthcare entities tackle cybersecurity threats.
Cybersecurity Oversight
The Secretary is tasked with overseeing cybersecurity activities within HHS. This includes collaborating with other public and private organizations to prepare for and respond to cybersecurity incidents.
Incident Response Planning
Within one year of the bill's enactment, the Secretary must develop a cybersecurity incident response plan. This plan will outline procedures for preparing for and responding to cybersecurity incidents, including risk assessment, prevention, detection, damage control, data protection, and recovery strategies.
Breach Reporting Enhancements
The bill updates regulations regarding breach reporting in the healthcare sector. It mandates the establishment of a public breach reporting portal that must include:
- Details of corrective actions taken after breaches
- Considerations of recognized security practices during breach investigations
- Any additional information deemed necessary by the Secretary
Clarification of Breach Reporting Obligations
The bill clarifies that entities must report the number of individuals affected by any data breach.
Cybersecurity Standards
The Secretary is required to update privacy and security regulations, mandating that covered entities adopt robust cybersecurity practices, such as:
- Multifactor authentication for access to sensitive information systems
- Encryption of protected health information
- Regular audits and penetration testing
- Additional standards based on an analysis of emerging threats
Guidance for Rural Entities
Specific guidance will be provided to rural healthcare entities on enhancing cybersecurity, emphasizing technical safeguards, best practices, and employee training.
Grants for Cybersecurity Improvement
The bill authorizes grants to eligible entities, such as nonprofit health centers and hospitals, to adopt cybersecurity best practices. These grants can be used for hiring trained personnel, updating information systems, participating in threat information sharing, and reducing reliance on outdated technology.
Cybersecurity Workforce Development
The bill emphasizes the need to train healthcare and public health personnel on cybersecurity risks and defenses. It calls for a strategic plan aimed at developing the cybersecurity workforce, which includes educational resources and collaborative opportunities between public and private sectors.
Annual Reporting
Once the bill is enacted, the Secretary will also have to produce annual reports detailing the implementation of the cybersecurity measures set forth in the bill.
Effective Dates
The bill stipulates that the new cybersecurity regulations will provide a reasonable period for compliance, making the transition smoother for affected entities.
Funding Authorizations
It authorizes appropriations to support the implementation of the act for fiscal years 2025 through 2030.
Relevant Companies
- HCA Healthcare (HCA) - As a major healthcare provider, HCA would need to enhance its cybersecurity measures and may apply for federal grants to improve its cybersecurity infrastructure.
- UnitedHealth Group (UNH) - A large health insurance provider, UnitedHealth would be affected by new regulations concerning data protection and breach reporting, potentially leading to changes in operational practices.
- Anthem Inc. (ANTM) - As a health benefits company, Anthem would also need to comply with stricter cybersecurity standards and may benefit from grants aimed at enhancing cybersecurity practices.
This is an AI-generated summary of the bill text. There may be mistakes.
Sponsors
4 bill sponsors
Actions
2 actions
| Date | Action |
|---|---|
| Dec. 02, 2025 | Introduced in Senate |
| Dec. 02, 2025 | Read twice and referred to the Committee on Health, Education, Labor, and Pensions. |
Corporate Lobbying
0 companies lobbying
None found.
* Note that there can be significant delays in lobbying disclosures, and our data may be incomplete.