S-3904-117
Placed on Senate Legislative Calendar under General Orders. Calendar No. 527.
Sponsored by Jacky Rosen (D-NV)
What it does
This bill would require the Department of Health and Human Services (HHS) to work with the Cybersecurity and Infrastructure Security Agency (CISA) to strengthen digital security across the healthcare and public health sector. It would direct CISA to share cyber-threat information and defensive tools with both government and private healthcare entities. HHS would also be required to provide cybersecurity training to healthcare asset owners and update the Healthcare and Public Health Sector Specific Plan to address risks facing rural, small, and medium-sized organizations, workforce shortages, and challenges stemming from the COVID-19 emergency.
Who benefits
Patients whose medical records and personal health data are stored by healthcare providers would benefit from stronger data protections. Hospitals, clinics, and public health agencies (particularly rural, small, and medium-sized ones) would gain access to federal cybersecurity resources and training that they may not currently be able to afford or access independently. Healthcare workers would benefit from improved training on cyber risks. The broader public health system would benefit from more resilient critical infrastructure.
Who is hurt
No group faces a direct financial penalty or loss of benefits under this bill. Federal agencies — primarily HHS and CISA — would face increased administrative workloads and potential resource demands without guaranteed new funding. Private healthcare entities could face indirect compliance burdens if sector plan updates lead to new recommended (or eventually required) security standards. Taxpayers would bear the cost of any federal resources, training programs, and plan updates required by the bill.
Supporters argue
Supporters argue that the healthcare sector is one of the most frequently targeted industries for cyberattacks, including ransomware that has shut down hospital systems and delayed patient care. They contend that many rural and smaller healthcare providers lack the expertise and resources to defend themselves, making federal coordination and training essential. Supporters say this bill fills a critical gap by ensuring that threat intelligence held by federal agencies is shared with the frontline organizations that need it most, and that updating the sector plan with current challenges — including COVID-19 disruptions and workforce shortages — would produce a more realistic and actionable security roadmap for the entire sector.
Opponents argue
Opponents argue that the bill creates new federal mandates and bureaucratic processes without guaranteeing the dedicated funding needed to carry them out effectively, risking an underfunded and therefore ineffective program. They contend that updating sector plans and coordinating across agencies may produce reports and guidance documents that are rarely acted upon, representing process over results. Some critics argue that cybersecurity standards are better developed by the private sector and existing industry groups who understand operational realities, and that federal involvement could impose one-size-fits-all frameworks that do not account for the diverse needs of healthcare organizations. Others raise concerns that the bill does not include enforceable standards, potentially leaving the sector no more secure in practice.