US SB3315
Bill
AI Summary
- Secretary of HHS and CISA Director must coordinate through cooperative agreements to improve healthcare sector cybersecurity, including developing sector-specific products and sharing cyber threat information with Information Sharing and Analysis Organizations
- HHS must develop a cybersecurity incident response plan within 1 year covering risk assessment, incident prevention and detection, data protection, and recovery strategies, with required consultation from CISA, OMB, and NIST
- Covered entities and business associates must adopt mandatory cybersecurity standards including multifactor authentication, encryption of protected health information, and regular penetration testing audits
- Authorizes grants to health centers, hospitals, rural clinics, and Indian Health Service facilities for adopting cybersecurity best practices, including hiring personnel, updating systems, and reducing legacy technology use for fiscal years 2025-2030
- HHS must issue rural cybersecurity guidance within 1 year and GAO must study rural entity implementation within 3 years; HRSA must develop a strategic plan to grow the healthcare cybersecurity workforce
Legislative Description
Health Care Cybersecurity and Resiliency Act of 2025
Health
Last Action
Committee on Health, Education, Labor, and Pensions. Ordered to be reported with an amendment in the nature of a substitute favorably.
2/26/2026