Health Care Cybersecurity and Resiliency Act of 2026

This Act may be cited as the Health Care Cybersecurity and Resiliency Act of 2025.

In this Act:

The term Agency means the Cybersecurity and Infrastructure Security Agency.

The term cybersecurity incident has the meaning given the term incident in section 3552 of title 44, United States Code.

The term Cybersecurity State Coordinator means a Cybersecurity State Coordinator appointed under section 2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 665c(a)).

The term Director means the Director of the Agency.

The term Healthcare and Public Health Sector means the Healthcare and Public Health sector, as identified in Presidential Policy Directive 21 (February 12, 2013; relating to critical infrastructure security and resilience).

The term Information Sharing and Analysis Organization has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

The term information system has the meaning given such term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

The term Secretary means the Secretary of Health and Human Services.

The Secretary and the Director shall coordinate, including by entering into a cooperative agreement, as appropriate, to improve cybersecurity in the Healthcare and Public Health Sector.

The Secretary shall coordinate with the Director to make resources available to entities that are receiving information shared through programs managed by the Director or the Secretary, including Information Sharing and Analysis Organizations, information sharing and analysis centers, and non-Federal entities.

The coordination under paragraph (1) shall include—

(A) developing products specific to the needs of Healthcare and Public Health Sector entities; and

(B) sharing information relating to cyber threat indicators and appropriate defensive measures.

Part A of title III of the Public Health Service Act (42 U.S.C. 241 et seq.) is amended by adding at the end the following:

The Secretary, acting through the Assistant Secretary for Preparedness and Response, in coordination with the Director of the Cybersecurity and Infrastructure Security Agency pursuant to section 2218 of the Homeland Security Act of 2002, shall lead oversight and coordination of activities within the Department of Health and Human Services to support cybersecurity resiliency within the Healthcare and Public Health Sector (as defined in section 2 of the Health Care Cybersecurity and Resiliency Act of 2025), including coordination and communication with other public and private entities related to preparedness for, and responses to, cybersecurity incidents, consistent with applicable provisions of this Act, other applicable laws, and Presidential Policy Directive 21 (February 12, 2013; relating to critical infrastructure security and resilience).

.

Section 405 of the Cybersecurity Act of 2015 (6 U.S.C. 1533) is amended—

(1) in subsection (a)—

(A) in paragraph (4)—

(i) in the paragraph heading, by inserting information system; after Federal entity;; and

(ii) by inserting information system, after Federal entity,;

(B) by redesignating paragraphs (4) through (7) as paragraphs (6) through (9), respectively; and

(C) by inserting after paragraph (3) the following:

The term cybersecurity incident has the meaning given the term incident in section 3552 of title 44, United States Code.

The term cybersecurity risk has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

(C) ; and

(2) in subsection (d), by adding at the end the following:

Not later than 1 year after the date of enactment of the Health Care Cybersecurity and Resiliency Act of 2025, the Secretary shall develop and implement a cybersecurity incident response plan to inform applicable personnel within the Department of Health and Human Services of processes and protocols to prepare for, and respond to, cybersecurity incidents involving information, including hardware, software, databases, and networks, used or maintained by, or on behalf of, the Department, including strategies—

(i) to assess cybersecurity risks;

(ii) to prevent cybersecurity incidents;

(iii) to detect and identify cybersecurity incidents;

(iv) to minimize damage in the event of a cybersecurity incident;

(v) to protect data; and

(vi) to recover from any cybersecurity incidents expeditiously.

In developing the plan under subparagraph (A), the Secretary shall consult with the Director of the Cybersecurity and Infrastructure Security Agency, the Director of the Office of Management and Budget, and the Director of the National Institute of Standards and Technology, and relevant experts, as appropriate.

Not later than 60 days before the date on which the Secretary begins implementing the plan under subparagraph (A), the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Energy and Commerce, the Committee on Oversight and Reform, and the Committee on Homeland Security of the House of Representatives a report that describes such plan.

(2) .

Section 13402 of the HITECH Act (42 U.S.C. 17932) is amended by adding at the end the following:

Not later than 1 year after the date of enactment of the Health Care Cybersecurity and Resiliency Act of 2025, the Secretary shall update the regulations promulgated pursuant to subsection (j) to require that information required to be publicly displayed in the breach reporting portal established pursuant to this section includes—

(1) information on any corrective action taken against a covered entity that provided notification of a breach under this section;

(2) information on whether and to what extent, as appropriate, recognized security practices (as defined in section 13412(b)(1)) were considered in the investigation of such a breach; and

(3) such additional information about such a breach as the Secretary may require.

.

Section 13402(f) of the HITECH Act (42 U.S.C. 17932(f)) is amended by adding at the end the following:

(6) The number of individuals affected by the breach.

.

Section 13412(b)(1) of the HITECH Act (42 U.S.C. 17941(b)(1)) is amended, in the first sentence, by inserting, investments, after other programs.

Not later than 1 year after the date of enactment of this Act, the Secretary shall issue guidance on the implementation of section 13412 of the HITECH Act (42 U.S.C. 17941), which shall include—

(1) recognized security practices (as defined in subsection (b)(1) of such section) that the Secretary may consider when determining fines under such section;

(2) the extent to which such recognized security practices should be in place for consideration by the Secretary; and

(3) procedural requirements or information that shall be submitted by a covered entity or business associate (as such terms are defined in section 13400 of the HITECH Act (42 U.S.C. 17921)) to the Secretary for consideration.

Not later than 2 years after the date of enactment of this Act, and annually thereafter, the Secretary shall include in the annual report required under section 13424(a) of the HITECH Act (42 U.S.C. 17953(a)) information on implementation of section 13412 of such Act (42 U.S.C. 17941), including an accounting of every case in which the Secretary considered recognized security practices (as defined in subsection (b)(1) of such section) when effectuating audits and assessing fines under such section.

The Secretary shall update the privacy, security, and breach notification regulations under parts 160 and 164 of title 45, Code of Federal Regulations (or any successor regulation) to require covered entities and business associates to adopt the following cybersecurity practices:

(1) Multifactor authentication, or a successor technology, for access to any information systems that may include protected health information.

(2) Safeguards to encrypt protected health information.

(3) Requirements to conduct audits, including penetration testing, to maintain the protections of information systems.

(4) Other minimum cybersecurity standards, as determined by the Secretary, in consultation with private sector entities, based on landscape analysis of emerging and existing cybersecurity vulnerabilities and consensus-based best practices.

The Secretary shall specify in the regulations the effective date for each of the new requirements under the regulations updated in accordance with subsection (a). Each such effective date shall provide reasonable time for the entities subject to the requirement to come into compliance.

Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C. 1533(d)) (as amended by section 5(2)) is amended by adding at the end the following:

In this paragraph, the term rural has the meaning given such term by the Health Resources and Services Administration.

Not later than 1 year after the date of enactment of the Health Care Cybersecurity and Resiliency Act of 2025, the Secretary shall issue guidance to rural entities on best practices to improve cyber readiness, including strategies—

(i) to improve cyber infrastructure, including any technical safeguards to mitigate cybersecurity risk;

(ii) to integrate best practices issued by the Secretary to improve cybersecurity preparedness;

(iii) to improve employee preparation to mitigate any cybersecurity risks, including existing public-private programs to support educational initiatives; and

(iv) to implement policies to facilitate mandatory cybersecurity incident reporting requirements under law.

Not later than 3 years after the date of enactment of the Health Care Cybersecurity and Resiliency Act of 2025, the Comptroller General of the United States shall conduct, and submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that describes the results of, a study to examine how rural entities have implemented the recommendations included in the guidance under subparagraph (B).

The study under clause (i) shall assess—

(I) how rural entities have implemented any technical safeguards and any challenges faced by such rural entities in areas for which safeguards were not implemented;

(II) steps to further support cyber resilience for rural entities;

(III) areas to improve coordination between Federal agencies, including for the purposes of required cyber reporting; and

(IV) any opportunities to support public-private collaboration in the area of cyber readiness.

.

Part P of title III of the Public Health Service Act (42 U.S.C. 280g et seq.) is amended by adding at the end the following:

The Secretary may award grants to eligible entities for the adoption and use of cybersecurity best practices.

To be eligible to receive a grant under subsection (a) an entity shall be—

(1) a public or nonprofit private health center (including a Federally qualified health center (as defined in section 1861(aa)(4) of the Social Security Act));

(2) a health facility operated by or pursuant to a contract with the Indian Health Service;

(3) a hospital;

(4) a cancer center;

(5) a rural health clinic;

(6) an academic health center; or

(7) a nonprofit entity that enters into a partnership or coordinates referrals with an entity described in any of paragraphs (1) through (6).

In adopting and using cybersecurity best practices pursuant to a grant under subsection (a), an eligible entity may use grant funds—

(1) to hire and train personnel in such cybersecurity best practices;

(2) to update electronic data systems, such as by migrating to cloud based platforms;

(3) to join and participate in health cybersecurity threat information sharing organizations;

(4) to reduce the use of legacy systems; and

(5) to contract with third parties to assist with the activities described in paragraphs (1) through (5).

The Secretary may award a grant under this section for a period of not more than 3 years.

An eligible entity seeking a grant under subsection (a) shall submit to the Secretary an application at such time, in such manner, and containing such information as the Secretary may require including, at a minimum a description of how the eligible entity will establish baseline measures and benchmarks that meet the Secretary’s requirements to evaluate program outcomes.

There are authorized to be appropriated to carry out this section such sums as may be necessary for each of fiscal years 2025 through 2030.

.

The Secretary, in coordination with the Cybersecurity State Coordinators of the Agency and private sector health care experts, as appropriate, shall provide training to Healthcare and Public Health Sector asset owners and operators on—

(1) cybersecurity risks to information systems within the Healthcare and Public Health Sector; and

(2) ways to mitigate the risks to information systems in the Healthcare and Public Health Sector.

Not later than 1 year after the date of enactment of this Act, the Secretary, acting through the Administrator of the Health Resources and Services Administration, in coordination with the Agency, shall develop a strategic plan to support growing the cybersecurity workforce for health care entities.

The strategic plan under paragraph (1) shall include—

(A) recommendations for existing educational programs that can be used to support cybersecurity training;

(B) dissemination and development of educational materials on how to improve cybersecurity resilience;

(C) development of best practices to train the health care workforce on cybersecurity best practices; and

(D) opportunities for public-private collaboration to strengthen the cybersecurity workforce.

This Act may be cited as the Health Care Cybersecurity and Resiliency Act of 2026.

In this Act:

The term Agency means the Cybersecurity and Infrastructure Security Agency.

The term business associate has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (or a successor regulation).

The term covered entity has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (or a successor regulation).

The term cybersecurity incident has the meaning given the term incident in section 3552 of title 44, United States Code.

The term Cybersecurity State Coordinator means a Cybersecurity State Coordinator appointed under section 2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 665c(a)).

The term Director means the Director of the Agency.

The term Healthcare and Public Health Sector means the Healthcare and Public Health sector, as identified in National Security Memorandum–22 (April 30, 2024; relating to critical infrastructure security and resilience).

The term Information Sharing and Analysis Organization has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

The term information system has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

The term recognized security practices has the meaning given such term in section 13412(b)(1) of the HITECH Act (42 U.S.C. 17941(b)(1)).

The term Secretary means the Secretary of Health and Human Services.

The Secretary and the Director shall coordinate, including by entering into a cooperative agreement, as appropriate, to improve cybersecurity in the Healthcare and Public Health Sector.

The Secretary shall coordinate with the Director to make resources available to entities that are receiving information shared through programs managed by the Director or the Secretary, including Information Sharing and Analysis Organizations, sector coordinating councils, and non-Federal entities.

The coordination under paragraph (1) shall include—

(A) developing products specific to the needs of Healthcare and Public Health Sector entities;

(B) sharing information relating to cyber threat indicators and appropriate defensive measures, including automating cyber threat information sharing, in a manner that adequately protects against unauthorized access or disclosure; and

(C) providing technical assistance to covered entities and business associates to improve cybersecurity preparedness.

Not later than 1 year after the date of enactment of this Act, the Secretary and the Director shall establish a joint cybersecurity capability plan to coordinate responses to significant cybersecurity incidents affecting the Healthcare and Public Health Sector.

The joint cybersecurity capability plan established under paragraph (1) shall include—

(A) protocols for rapid information sharing during sector-wide cybersecurity incidents;

(B) coordination mechanisms with the sector coordinating council for the Healthcare and Public Health Sector; and

(C) coordination with Cybersecurity State Coordinators for incidents affecting multiple States.

Not later than 1 year after the date of enactment of this Act, the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives the final joint cybersecurity capability plan prepared under paragraph (1) and a description of how such plan implements the elements required under paragraph (2).

If the Secretary and the Director update the joint cybersecurity capability plan required under this subsection, the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives such updated plan and a description of how such plan implements the elements required under paragraph (2).

The Secretary shall delegate a representative to lead oversight and coordination of activities within the Department of Health and Human Services to support internal and external cybersecurity resilience within the Healthcare and Public Health Sector, including coordination and communication with other public and private entities related to preparedness for, and responses to, cybersecurity incidents, consistent with applicable provisions of the Public Health Service Act (42 U.S.C. 201 et seq.), other applicable laws, and National Security Memorandum–22 (April 30, 2024; relating to critical infrastructure security and resilience). Such activities shall not include implementation or enforcement of part 160 and subparts A and C of part 164 of title 45, Code of Federal Regulations (or successor regulations) (commonly known as the HIPAA Security Rule).

Not later than 60 days after delegating a representative under subsection (a), and any time a new representative is delegated under such subsection, the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that describes how such representative will implement steps to improve internal and external cybersecurity resilience within the Healthcare and Public Health Sector.

Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the state of cybersecurity in the Healthcare and Public Health Sector, including—

(A) an assessment of the most significant cybersecurity threats and vulnerabilities facing the Healthcare and Public Health Sector;

(B) a summary of major cybersecurity incidents affecting the Healthcare and Public Health Sector during the preceding year;

(C) an assessment of the overall cybersecurity posture of the Healthcare and Public Health Sector;

(D) a description of actions taken by the Department of Health and Human Services to improve cybersecurity; and

(E) recommendations to improve Healthcare and Public Health Sector cybersecurity.

Section 405 of the Cybersecurity Act of 2015 (6 U.S.C. 1533) is amended—

(1) in subsection (a)—

(A) in paragraph (4)—

(i) in the paragraph heading, by inserting information system; after federal entity;; and

(ii) by inserting information system, after Federal entity,;

(B) by redesignating paragraphs (4) through (7) as paragraphs (6) through (9), respectively; and

(C) by inserting after paragraph (3) the following:

The term cybersecurity incident has the meaning given the term incident in section 3552 of title 44, United States Code.

The term cybersecurity risk has the meaning given such term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650).

(C) ; and

(2) in subsection (d), by adding at the end the following:

Not later than 1 year after the date of enactment of the Health Care Cybersecurity and Resiliency Act of 2026, the Secretary shall expand and implement the Cyber Annex of the All Hazards Plan of the Department of Health and Human Services to inform applicable personnel within the Department of Health and Human Services of processes and protocols to prepare for, and respond to, cybersecurity incidents.

The plan under subparagraph (A) shall address cybersecurity incidents involving information systems, including hardware, software, databases, and networks, used or maintained by, or on behalf of, the Department.

The plan under subparagraph (A) shall include strategies—

(i) to assess cybersecurity risks;

(ii) to prevent cybersecurity incidents;

(iii) to detect and identify cybersecurity incidents;

(iv) to minimize damage in the event of a cybersecurity incident;

(v) to protect data;

(vi) to recover from any cybersecurity incidents expeditiously; and

(vii) to communicate and share non-sensitive information about cybersecurity incidents with entities in the Healthcare and Public Health Sector (as defined in section 2 of the Health Care Cybersecurity and Resiliency Act of 2026).

In developing the plan under subparagraph (A), the Secretary shall consult with the Director of the Cybersecurity and Infrastructure Security Agency, the Director of the Office of Management and Budget, the Director of the National Institute of Standards and Technology, and relevant experts, as appropriate.

The Secretary shall review and update the plan under subparagraph (A)—

(i) not less frequently than once every 2 years; and

(ii) after any significant cybersecurity incident affecting the Department of Health and Human Services or a Federal health program.

Not later than 60 days before the date on which the Secretary begins implementing the plan under subparagraph (A), the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions and the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Energy and Commerce, the Committee on Oversight and Reform, and the Committee on Homeland Security of the House of Representatives a report that describes such plan.

(2) .

Section 13402(f) of the HITECH Act (42 U.S.C. 17932(f)) is amended by adding at the end the following:

(6) The number of individuals affected by the breach.

.

Section 13412(b)(1) of the HITECH Act (42 U.S.C. 17941(b)(1)) is amended, in the first sentence, by inserting, investments, after other programs.

Not later than 1 year after the date of enactment of this Act, the Secretary shall promulgate regulations implementing section 13412 of the HITECH Act (42 U.S.C. 17941), which shall include—

(1) recognized security practices that the Secretary may consider when determining fines under such section;

(2) the extent to which such recognized security practices should be in place for consideration by the Secretary;

(3) procedural requirements or information that shall be submitted by a covered entity or business associate to the Secretary for consideration; and

(4) how the Secretary will take into account such recognized security practices when determining fines, earlier favorable termination of audits, or mitigating remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of part 160 and subparts A and C of part 164 of title 45, Code of Federal Regulations (or successor regulations) (commonly known as the HIPAA Security Rule) between the covered entity or business associate and the Department of Health and Human Services.

Not later than 2 years after the date of enactment of this Act, and annually thereafter, the Secretary shall include in the annual report required under section 13424(a) of the HITECH Act (42 U.S.C. 17953(a)) information on implementation of section 13412 of such Act (42 U.S.C. 17941), including an accounting of every case in which the Secretary considered recognized security practices when effectuating audits and assessing fines under such section.

The Secretary shall update the security regulations under part 160 and subparts A and C of part 164 of title 45, Code of Federal Regulations (or any successor regulation), to require non-governmental entities in the Healthcare and Public Health Sector and covered entities and business associates to adopt minimum risk-based cybersecurity practices, including—

(1) multifactor authentication, or a successor technology;

(2) encryption of protected health information, or a successor technology;

(3) requirements to conduct monitoring, including penetration testing, to maintain the protections of information systems; and

(4) other minimum cybersecurity standards, as reflected in national cybersecurity frameworks.

The minimum risk-based cybersecurity practices adopted pursuant to subsection (a) shall be based on—

(1) national cybersecurity frameworks, as appropriate, such as—

(A) the National Institute of Standards and Technology Risk Management Framework (or a successor framework);

(B) the National Institute of Standards and Technology Cybersecurity Framework (or a successor framework);

(C) the National Institute of Standards and Technology SP 800–53 r5 Security and Privacy Controls for Information Systems and Organizations (or a successor special publication), with relevant components of the National Institute of Standards and Technology Privacy Framework; or

(D) the National Institute of Standards and Technology Artificial Intelligence Risk Management Framework;

(2) the Health Sector Coordinating Council Cybersecurity Healthcare and Public Health Cybersecurity Performance Goals; and

(3) the health care-specific cybersecurity performance goals of the Cybersecurity and Infrastructure Security Agency.

The regulations updated in accordance with subsection (a), including each new requirement established, shall take effect on the date that is 36 months after the date of enactment of this Act.

The Secretary may exercise enforcement discretion for entities experiencing extraordinary circumstances in complying with the requirements of subsection (a).

Section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C. 1533(d)) (as amended by section 5(2)) is amended by adding at the end the following:

In this paragraph, the term rural has the meaning given such term by the Federal Office of Rural Health Policy.

Not later than 1 year after the date of enactment of the Health Care Cybersecurity and Resiliency Act of 2026, the Secretary shall issue guidance to rural entities on best practices to improve cybersecurity readiness, including strategies—

(i) to improve cybersecurity infrastructure, including any technical safeguards to mitigate cybersecurity risk;

(ii) to integrate best practices issued by the Secretary to improve cybersecurity preparedness;

(iii) to improve workforce preparation to mitigate any cybersecurity risks, including existing public-private programs to support educational initiatives;

(iv) to implement policies to facilitate mandatory cybersecurity incident reporting requirements under law; and

(v) to explore and recommend best practices, including—

(I) outsourcing information technology and chief information security officer functions to third parties on a part-time basis;

(II) participating in regional rural health care information technology management sharing programs; and

(III) migrating data to secure cloud-based platforms.

The Secretary shall provide technical assistance to rural entities to implement the recommendations included in the guidance under subparagraph (B).

Not later than 3 years after the date of enactment of the Health Care Cybersecurity and Resiliency Act of 2026, the Comptroller General of the United States shall conduct a study, and submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report, on how rural entities have implemented the recommendations included in the guidance under subparagraph (B).

The study under clause (i) shall assess—

(I) how rural entities have implemented any technical safeguards and any challenges faced by such rural entities in areas for which safeguards were not implemented;

(II) steps to further support cybersecurity resilience for rural entities;

(III) areas to improve coordination between Federal agencies, including for the purposes of required cyber reporting; and

(IV) any opportunities to support public-private collaboration in the area of cybersecurity readiness.

.

The Secretary may award grants to eligible entities for the adoption and implementation of cybersecurity best practices.

To be eligible to receive a grant under subsection (a), an entity shall be—

(1) a Federally qualified health center (as defined in section 1861(aa)(4) of the Social Security Act (42 U.S.C. 1395x(aa)(4)));

(2) a health facility operated by or pursuant to a contract with the Indian Health Service;

(3) a nonprofit hospital;

(4) a rural health clinic (as defined in section 1861(aa)(2) of the Social Security Act (42 U.S.C. 1395x(aa)(2))); or

(5) a nonprofit entity that enters into a partnership or coordinates referrals with an entity described in any of paragraphs (1) through (4).

In adopting and implementing cybersecurity best practices pursuant to a grant under subsection (a), an eligible entity may use grant funds—

(1) to hire individuals with demonstrated cybersecurity expertise and train personnel in such cybersecurity best practices;

(2) to update electronic data systems, such as by migrating to cloud-based platforms;

(3) to join and participate in health cybersecurity threat information sharing organizations;

(4) to contract with third parties to assist the eligible entity in carrying out the activities described in this subsection;

(5) to conduct cybersecurity risk assessments and vulnerability assessments; and

(6) to develop or improve cybersecurity incident response plans.

A grant awarded under this section shall be for a period of not more than 3 years.

In awarding grants under this section, the Secretary may give consideration to the demonstrated need of eligible entities.

An eligible entity seeking a grant under subsection (a) shall submit to the Secretary an application at such time, in such manner, and containing such information as the Secretary may require, including—

(1) a description of how the eligible entity will establish baseline measures and benchmarks that meet the Secretary’s requirements to evaluate performance outcomes; and

(2) a strategic plan for how, after the end of the grant period, the eligible entity will sustain the activities funded under the grant and continue to adopt cybersecurity best practices.

There are authorized to be appropriated to carry out this section such sums as may be necessary for each of fiscal years 2026 through 2030.

The Secretary, in coordination with the Cybersecurity State Coordinators of the Agency, the Office of the National Cyber Director, and private sector health care experts, as appropriate, shall provide training to Healthcare and Public Health Sector entities on—

(1) cybersecurity risks to information systems within the Healthcare and Public Health Sector; and

(2) ways to mitigate the risks to information systems in the Healthcare and Public Health Sector.

Not later than 1 year after the date of enactment of this Act, the Secretary, acting through the Administrator of the Health Resources and Services Administration, in coordination with the Agency, shall develop a strategic plan to support growing the cybersecurity workforce for health care entities.

The strategic plan under paragraph (1) shall include—

(A) recommendations for existing educational programs that can be used to support cybersecurity training;

(B) dissemination and development of educational materials on how to improve cybersecurity resilience;

(C) development of best practices to train the health care workforce on cybersecurity best practices;

(D) development of recommendations specific to rural facilities;

(E) development of best practices to leverage artificial intelligence to support cybersecurity preparedness;

(F) opportunities for public-private collaboration to strengthen the cybersecurity workforce; and

(G) alignment with the National Initiative for Cybersecurity Education Workforce Framework.

Not later than 1 year after the date of enactment of this Act, the Secretary shall convene a working group to examine how to streamline and reduce duplicative reporting for cybersecurity incidents.

The working group described in paragraph (1) shall include representatives of—

(A) the Cybersecurity and Infrastructure Security Agency;

(B) the Securities and Exchange Commission;

(C) the Office of the National Cyber Director;

(D) the Federal Bureau of Investigation;

(E) the Federal Trade Commission;

(F) State attorneys general;

(G) State health departments; and

(H) private sector health care entities.

The working group shall conclude not later than 18 months after the date of the first meeting of the working group.

Not later than 1 year after the conclusion of the working group under subsection (a)(3), the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report that—

(1) identifies areas the working group has identified to streamline and reduce duplicative reporting;

(2) includes recommendations to Congress on further streamlining such reporting; and

(3) addresses coordination with State breach notification laws.