[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3904 Introduced in Senate (IS)]
<DOC>
117th CONGRESS
2d Session
S. 3904
To enhance the cybersecurity of the Healthcare and Public Health
Sector.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 23, 2022
Ms. Rosen (for herself and Mr. Cassidy) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
A BILL
To enhance the cybersecurity of the Healthcare and Public Health
Sector.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Healthcare Cybersecurity Act of
2022''.
SEC. 2. DEFINITIONS.
In this Act--
(1) the term ``Agency'' means the Cybersecurity and
Infrastructure Security Agency;
(2) the term ``Cybersecurity State Coordinator'' means a
Cybersecurity State Coordinator appointed under section 2217(a)
of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
(3) the term ``Department'' means the Department of Health
and Human Services;
(4) the term ``Director'' means the Director of the Agency;
(5) the term ``Healthcare and Public Health Sector'' means
the Healthcare and Public Health sector, as identified in
Presidential Policy Directive 21 (February 12, 2013; relating
to critical infrastructure security and resilience);
(6) the term ``Information Sharing and Analysis
Organizations'' has the meaning given that term in section 2222
of the Homeland Security Act of 2002 (6 U.S.C. 671); and
(7) the term ``Secretary'' means the Secretary of Health
and Human Services.
SEC. 3. FINDINGS.
Congress finds the following:
(1) Healthcare and Public Health Sector assets are
increasingly the targets of malicious cyberattacks, which
result not only in data breaches, but also increased healthcare
delivery costs, and can ultimately affect patient health
outcomes.
(2) Data reported to the Department shows that almost every
month in 2020, more than 1,000,000 people were affected by data
breaches at healthcare organizations. Cyberattacks on
healthcare facilities rose 55 percent in 2020, and these
attacks also resulted in a 16 percent increase in the average
cost of recovering a patient record in 2020, as compared to
2019.
(3) According to data from the Office for Civil Rights of
the Department, health information breaches have increased
since 2016, and in 2020 alone, the Department reported 663
breaches on covered entities, as defined under the Health
Insurance Portability and Accountability Act of 1996 (Public
Law 104-191), affecting more than 500 people, with over
33,000,000 total people affected by health information
breaches.
SEC. 4. AGENCY COLLABORATION WITH THE DEPARTMENT.
(a) In General.--The Agency shall collaborate with the Department,
including by entering into an agreement, as appropriate, to improve
cybersecurity in the Healthcare and Public Health Sector.
(b) Assistance.--
(1) In general.--The Agency shall coordinate with and make
resources available to Information Sharing and Analysis
Organizations, information sharing and analysis centers, and
non-Federal entities that are receiving information shared
through programs managed by the Department.
(2) Scope.--The coordination under paragraph (1) shall
include--
(A) developing products specific to the needs of
Healthcare and Public Health Sector entities; and
(B) sharing information relating to cyber threat
indicators and appropriate defensive measures.
SEC. 5. TRAINING FOR HEALTHCARE EXPERTS.
The Cyber Security Advisors and Cybersecurity State Coordinators of
the Agency shall, in coordination, as appropriate, with private sector
healthcare experts, provide training to Healthcare and Public Health
Sector asset owners and operators on--
(1) cybersecurity risks to the Healthcare and Public Health
Sector and assets within the sector; and
(2) ways to mitigate the risks to information systems in
the Healthcare and Public Health Sector.
SEC. 6. SECTOR-SPECIFIC STUDY AND REPORT.
(a) In General.--Not later than 1 year after the date of enactment
of this Act, the Director, in consultation with the Secretary, shall
conduct a study and issue a report, which shall include the following
elements:
(1) An analysis of how identified cybersecurity risks
specifically impact Healthcare and Public Health Sector assets,
including the impact on rural and small and medium-sized
Healthcare and Public Health Sector assets.
(2) An evaluation of the challenges Healthcare and Public
Health Sector assets face in--
(A) securing--
(i) updated information systems owned,
leased, or relied upon by Healthcare and Public
Health Sector assets;
(ii) medical devices or equipment owned,
leased, or relied upon by Healthcare and Public
Health Sector assets, which shall include an
analysis of the threat landscape and
cybersecurity vulnerabilities of such medical
devices or equipment; and
(iii) sensitive patient health information
and electronic health records;
(B) implementing cybersecurity protocols; and
(C) responding to data breaches or cybersecurity
attacks, including the impact on patient access to
care, quality of patient care, timeliness of health
care delivery, and health outcomes.
(3) An evaluation of best practices for the deployment of
trained Cyber Security Advisors and Cybersecurity State
Coordinators of the Agency into Healthcare and Public Health
Sector assets before, during, and after data breaches or
cybersecurity attacks.
(4) An assessment of relevant Healthcare and Public Health
Sector cybersecurity workforce shortages, including--
(A) training, recruitment, and retention issues;
and
(B) recommendations for how to address these
shortages and issues, particularly at rural and small
and medium-sized Healthcare and Public Health Sector
assets.
(5) An identification of cybersecurity challenges related
to or brought on by the public health emergency declared by the
Secretary under section 319 of the Public Health Service Act
(42 U.S.C. 247d) on January 27, 2020, with respect to COVID-19.
(6) An evaluation of the most accessible and timely ways
for the Agency and the Department to communicate and deploy
cybersecurity recommendations and tools to Healthcare and
Public Health Sector assets.
(b) Report Transmittal.--Not later than 60 days after completing
the study and report required under subsection (a), the Director shall
present the completed report to the Secretary, which the Secretary may,
in consultation with the Director, consult when updating the Healthcare
and Public Health Sector Specific Plan of the Secretary.
(c) Congressional Briefing.--Not later than 120 days after the date
of enactment of this Act, the Director, in consultation with the
Secretary, as appropriate, shall provide a briefing on the status of
the study and report required under subsection (a) to--
(1) the Committee on Health, Education, Labor, and Pensions
and the Committee on Homeland Security and Governmental Affairs
of the Senate; and
(2) the Committee on Energy and Commerce and the Committee
on Homeland Security of the House of Representatives.
<all>