Rural Hospital Cybersecurity Enhancement Act
- Bill Number
- S. 2169
- Origin Chamber
- Senate
- Congress
- 119th Congress, Session 1
- Policy Area
- Science, Technology, Communications
- Status
- Introduced
- Latest Action
- 2026-01-28: Placed on Senate Legislative Calendar under General Orders. Calendar No. 309.
- Last Updated
- 2026-05-08T17:08:11Z
AI-Generated Summary
Purpose
The Rural Hospital Cybersecurity Enhancement Act aims to strengthen cybersecurity in rural hospitals by requiring the Secretary of Health and Human Services (HHS) to create a national strategy for building a skilled cybersecurity workforce tailored to these facilities and to provide free training materials for hospital staff. This addresses the increasing cyber threats to rural healthcare, where resources for protection are often limited.
Key Provisions
- Short Title and Definitions:
- The Act is titled the "Rural Hospital Cybersecurity Enhancement Act."
- Key terms include "agency" (federal departments or entities), "appropriate committees of Congress" (Senate Health, Education, Labor, and Pensions and Finance Committees; House Energy and Commerce and Ways and Means Committees), "geographic division" (one of nine U.S. Census Bureau regions), "rural hospital" (specific types like critical access hospitals, sole community hospitals, or those in rural areas under Medicare definitions), and "Secretary" (HHS Secretary).
- Cybersecurity Workforce Development Strategy (Section 3):
- Within one year of enactment, the HHS Secretary must develop and submit to Congress a comprehensive strategy to meet the need for cybersecurity experts in rural hospitals.
- The Secretary must consult with the Cybersecurity and Infrastructure Security Agency (CISA) Director, Secretaries of Education and Labor, National Cyber Director, other relevant agency heads, and at least two rural healthcare representatives from each of the nine geographic divisions.
- The strategy must address:
- Partnerships among rural hospitals, non-rural hospitals, educational institutions, and nonprofit/for-profit entities to expand the workforce through targeted education and training.
- Creation of cybersecurity curricula and resources focusing on technical skills for use in rural community colleges, vocational schools, and similar institutions.
- Identification of unique cybersecurity workforce challenges for rural hospitals and proven methods to address them.
- Starting after the first full fiscal year post-submission, the Secretary must provide annual briefings to Congress on strategy updates, related programs/initiatives (including training numbers), and overall effectiveness.
- Instructional Materials for Rural Hospitals (Section 4):
- Within one year of enactment, HHS must publish free instructional materials on its website (and via other means) to train rural hospital staff on basic cybersecurity practices.
- The Secretary must consult agency heads, cybersecurity education experts, and rural healthcare specialists; adapt existing materials where possible and create new ones as needed; and run a public awareness campaign to promote their use.
- Funding (Section 5):
- No new funds are authorized; all activities must use existing HHS resources.
Significant Changes to Existing Law
This Act introduces new mandates without amending prior statutes directly. It builds on existing Medicare definitions for rural hospitals (e.g., from the Social Security Act) but adds requirements for HHS to produce a workforce strategy and training resources, which were not previously required. The expanded list of congressional committees (including finance-focused ones) reflects a broader oversight role compared to the original bill draft.
Potential Impacts
- On Government Agencies: HHS will face resource strain to develop the strategy and materials without extra funding, potentially reallocating staff from other priorities. Agencies like CISA, Education, and Labor will provide input, fostering inter-agency collaboration on healthcare cybersecurity.
- On Citizens and Rural Hospitals: Rural communities, especially those relying on small hospitals for essential care, could benefit from reduced cyber risks (e.g., data breaches or service disruptions), improving patient safety and access to care. Hospital staff gain accessible training, potentially attracting more cybersecurity talent to underserved areas.
- On International Relations: No direct impacts, as the focus is domestic workforce and training for U.S. rural healthcare.
Main Stakeholders Affected
- Rural Hospitals and Healthcare Providers: Primary beneficiaries, including critical access, sole community, and other designated rural facilities, which often lack cybersecurity expertise.
- Federal Agencies: HHS leads implementation; CISA, Education, Labor, and the National Cyber Director provide consultations.
- Educational Institutions: Rural community colleges and vocational schools will use or develop curricula, expanding training opportunities.
- Congressional Committees: The specified panels oversee progress through strategy submission and annual briefings.
- Rural Residents and Patients: Indirectly affected through safer healthcare services in remote areas.
Notable Legal, Constitutional, or Political Implications
- Legal: The "no additional funds" clause means implementation depends on HHS's ability to repurpose existing budgets, which could lead to challenges if resources are insufficient; it emphasizes efficiency but risks incomplete execution. Reliance on Medicare definitions ensures consistency with federal healthcare law without creating new regulatory burdens.
- Constitutional: No major issues; the Act falls under Congress's spending and commerce powers to regulate healthcare and workforce development, with no apparent free speech, privacy, or federalism conflicts.
- Political: Bipartisan sponsorship (e.g., Sens. Hawley, Hassan, Kelly, Ossoff, Collins, Warnock) highlights rural health as a non-partisan priority. The focus on rural areas could influence future funding debates in agriculture or health appropriations, promoting equity in cybersecurity protections amid rising national cyber threats.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (6)
Sen. Hassan, Margaret Wood [D-NH], Sen. Kelly, Mark [D-AZ], Sen. Ossoff, Jon [D-GA], Sen. Collins, Susan M. [R-ME], Sen. Warnock, Raphael G. [D-GA], Sen. Heinrich, Martin [D-NM]
Recent Actions
- 2026-01-28: Placed on Senate Legislative Calendar under General Orders. Calendar No. 309.
- 2026-01-28: Committee on Health, Education, Labor, and Pensions. Reported by Senator Cassidy with an amendment in the nature of a substitute. Without written report.
- 2026-01-28: Committee on Health, Education, Labor, and Pensions. Reported by Senator Cassidy with an amendment in the nature of a substitute. Without written report.
- 2026-01-15: Committee on Health, Education, Labor, and Pensions. Ordered to be reported with an amendment in the nature of a substitute favorably.
- 2025-06-25: Read twice and referred to the Committee on Health, Education, Labor, and Pensions.
- 2025-06-25: Introduced in Senate
Bill Versions
- Rural Hospital Cybersecurity Enhancement Act — issued 2025-06-25 — PDF (6 pages)
- Rural Hospital Cybersecurity Enhancement Act — issued 2026-01-28 — PDF (14 pages)