[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3904 Reported in Senate (RS)]
Calendar No. 527
117th CONGRESS
2d Session
S. 3904
[Report No. 117-177]
To enhance the cybersecurity of the Healthcare and Public Health
Sector.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 23, 2022
Ms. Rosen (for herself, Mr. Cassidy, Ms. Hassan, Mr. Ossoff, Mr.
Tillis, Mrs. Feinstein, and Mr. King) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
October 18, 2022
Reported under authority of the order of the Senate of October 14,
2022, by Mr. Peters, with an amendment and an amendment to the title
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To enhance the cybersecurity of the Healthcare and Public Health
Sector.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Healthcare Cybersecurity
Act of 2022''.</DELETED>
<DELETED>SEC. 2. DEFINITIONS.</DELETED>
<DELETED> In this Act--</DELETED>
<DELETED> (1) the term ``Agency'' means the Cybersecurity
and Infrastructure Security Agency;</DELETED>
<DELETED> (2) the term ``Cybersecurity State Coordinator''
means a Cybersecurity State Coordinator appointed under section
2217(a) of the Homeland Security Act of 2002 (6 U.S.C.
665c(a));</DELETED>
<DELETED> (3) the term ``Department'' means the Department
of Health and Human Services;</DELETED>
<DELETED> (4) the term ``Director'' means the Director of
the Agency;</DELETED>
<DELETED> (5) the term ``Healthcare and Public Health
Sector'' means the Healthcare and Public Health sector, as
identified in Presidential Policy Directive 21 (February 12,
2013; relating to critical infrastructure security and
resilience);</DELETED>
<DELETED> (6) the term ``Information Sharing and Analysis
Organizations'' has the meaning given that term in section 2222
of the Homeland Security Act of 2002 (6 U.S.C. 671);
and</DELETED>
<DELETED> (7) the term ``Secretary'' means the Secretary of
Health and Human Services.</DELETED>
<DELETED>SEC. 3. FINDINGS.</DELETED>
<DELETED> Congress finds the following:</DELETED>
<DELETED> (1) Healthcare and Public Health Sector assets are
increasingly the targets of malicious cyberattacks, which
result not only in data breaches, but also increased healthcare
delivery costs, and can ultimately affect patient health
outcomes.</DELETED>
<DELETED> (2) Data reported to the Department shows that
almost every month in 2020, more than 1,000,000 people were
affected by data breaches at healthcare organizations.
Cyberattacks on healthcare facilities rose 55 percent in 2020,
and these attacks also resulted in a 16 percent increase in the
average cost of recovering a patient record in 2020, as
compared to 2019.</DELETED>
<DELETED> (3) According to data from the Office for Civil
Rights of the Department, health information breaches have
increased since 2016, and in 2020 alone, the Department
reported 663 breaches on covered entities, as defined under the
Health Insurance Portability and Accountability Act of 1996
(Public Law 104-191), affecting more than 500 people, with over
33,000,000 total people affected by health information
breaches.</DELETED>
<DELETED>SEC. 4. AGENCY COLLABORATION WITH THE DEPARTMENT.</DELETED>
<DELETED> (a) In General.--The Agency shall collaborate with the
Department, including by entering into an agreement, as appropriate, to
improve cybersecurity in the Healthcare and Public Health
Sector.</DELETED>
<DELETED> (b) Assistance.--</DELETED>
<DELETED> (1) In general.--The Agency shall coordinate with
and make resources available to Information Sharing and
Analysis Organizations, information sharing and analysis
centers, and non-Federal entities that are receiving
information shared through programs managed by the
Department.</DELETED>
<DELETED> (2) Scope.--The coordination under paragraph (1)
shall include--</DELETED>
<DELETED> (A) developing products specific to the
needs of Healthcare and Public Health Sector entities;
and</DELETED>
<DELETED> (B) sharing information relating to cyber
threat indicators and appropriate defensive
measures.</DELETED>
<DELETED>SEC. 5. TRAINING FOR HEALTHCARE EXPERTS.</DELETED>
<DELETED> The Cyber Security Advisors and Cybersecurity State
Coordinators of the Agency shall, in coordination, as appropriate, with
private sector healthcare experts, provide training to Healthcare and
Public Health Sector asset owners and operators on--</DELETED>
<DELETED> (1) cybersecurity risks to the Healthcare and
Public Health Sector and assets within the sector;
and</DELETED>
<DELETED> (2) ways to mitigate the risks to information
systems in the Healthcare and Public Health Sector.</DELETED>
<DELETED>SEC. 6. SECTOR-SPECIFIC STUDY AND REPORT.</DELETED>
<DELETED> (a) In General.--Not later than 1 year after the date of
enactment of this Act, the Director, in consultation with the
Secretary, shall conduct a study and issue a report, which shall
include the following elements:</DELETED>
<DELETED> (1) An analysis of how identified cybersecurity
risks specifically impact Healthcare and Public Health Sector
assets, including the impact on rural and small and
medium-sized Healthcare and Public Health Sector assets.</DELETED>
<DELETED> (2) An evaluation of the challenges Healthcare and
Public Health Sector assets face in--</DELETED>
<DELETED> (A) securing--</DELETED>
<DELETED> (i) updated information systems
owned, leased, or relied upon by Healthcare and
Public Health Sector assets;</DELETED>
<DELETED> (ii) medical devices or equipment
owned, leased, or relied upon by Healthcare and
Public Health Sector assets, which shall
include an analysis of the threat landscape and
cybersecurity vulnerabilities of such medical
devices or equipment; and</DELETED>
<DELETED> (iii) sensitive patient health
information and electronic health
records;</DELETED>
<DELETED> (B) implementing cybersecurity protocols;
and</DELETED>
<DELETED> (C) responding to data breaches or
cybersecurity attacks, including the impact on patient
access to care, quality of patient care, timeliness of
health care delivery, and health outcomes.</DELETED>
<DELETED> (3) An evaluation of best practices for the
deployment of trained Cyber Security Advisors and Cybersecurity
State Coordinators of the Agency into Healthcare and Public
Health Sector assets before, during, and after data breaches or
cybersecurity attacks.</DELETED>
<DELETED> (4) An assessment of relevant Healthcare and
Public Health Sector cybersecurity workforce shortages,
including--</DELETED>
<DELETED> (A) training, recruitment, and retention
issues; and</DELETED>
<DELETED> (B) recommendations for how to address
these shortages and issues, particularly at rural and
small and medium-sized Healthcare and Public Health
Sector assets.</DELETED>
<DELETED> (5) An identification of cybersecurity challenges
related to or brought on by the public health emergency
declared by the Secretary under section 319 of the Public
Health Service Act (42 U.S.C. 247d) on January 27, 2020, with
respect to COVID-19.</DELETED>
<DELETED> (6) An evaluation of the most accessible and
timely ways for the Agency and the Department to communicate
and deploy cybersecurity recommendations and tools to
Healthcare and Public Health Sector assets.</DELETED>
<DELETED> (b) Report Transmittal.--Not later than 60 days after
completing the study and report required under subsection (a), the
Director shall present the completed report to the Secretary, which the
Secretary may, in consultation with the Director, consult when updating
the Healthcare and Public Health Sector Specific Plan of the
Secretary.</DELETED>
<DELETED> (c) Congressional Briefing.--Not later than 120 days after
the date of enactment of this Act, the Director, in consultation with
the Secretary, as appropriate, shall provide a briefing on the status
of the study and report required under subsection (a) to--</DELETED>
<DELETED> (1) the Committee on Health, Education, Labor, and
Pensions and the Committee on Homeland Security and
Governmental Affairs of the Senate; and</DELETED>
<DELETED> (2) the Committee on Energy and Commerce and the
Committee on Homeland Security of the House of
Representatives.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Healthcare Cybersecurity Act of
2022''.
SEC. 2. DEFINITIONS.
In this Act--
(1) the term ``Agency'' means the Cybersecurity and
Infrastructure Security Agency;
(2) the term ``Cybersecurity State Coordinator'' means a
Cybersecurity State Coordinator appointed under section 2217(a)
of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
(3) the term ``Department'' means the Department of Health
and Human Services;
(4) the term ``Director'' means the Director of the Agency;
(5) the term ``Healthcare and Public Health Sector'' means
the Healthcare and Public Health sector, as identified in
Presidential Policy Directive 21 (February 12, 2013; relating
to critical infrastructure security and resilience);
(6) the term ``Information Sharing and Analysis
Organizations'' has the meaning given that term in section 2222
of the Homeland Security Act of 2002 (6 U.S.C. 671); and
(7) the term ``Secretary'' means the Secretary of Health
and Human Services.
SEC. 3. FINDINGS.
Congress finds the following:
(1) Healthcare and Public Health Sector assets are
increasingly the targets of malicious cyberattacks, which
result not only in data breaches, but also increased healthcare
delivery costs, and can ultimately affect patient health
outcomes.
(2) Data reported to the Department shows that almost every
month in 2020, more than 1,000,000 people were affected by data
breaches at healthcare organizations. Cyberattacks on
healthcare facilities rose 55 percent in 2020, and these
attacks also resulted in a 16 percent increase in the average
cost of recovering a patient record in 2020, as compared to
2019.
(3) According to data from the Office for Civil Rights of
the Department, health information breaches have increased
since 2016, and in 2020 alone, the Department reported 663
breaches on covered entities, as defined under the Health
Insurance Portability and Accountability Act of 1996 (Public
Law 104-191), affecting more than 500 people, with over
33,000,000 total people affected by health information
breaches.
SEC. 4. AGENCY COORDINATION WITH THE DEPARTMENT.
(a) In General.--The Agency and the Department shall coordinate,
including by entering into an agreement, as appropriate, to improve
cybersecurity in the Healthcare and Public Health Sector.
(b) Assistance.--
(1) In general.--The Agency shall coordinate with and make
resources available to Information Sharing and Analysis
Organizations, information sharing and analysis centers, and
non-Federal entities that are receiving information shared
through programs managed by the Department.
(2) Scope.--The coordination under paragraph (1) shall
include--
(A) developing products specific to the needs of
Healthcare and Public Health Sector entities; and
(B) sharing information relating to cyber threat
indicators and appropriate defensive measures.
SEC. 5. TRAINING FOR HEALTHCARE EXPERTS.
The Secretary, in coordination with the Cyber Security Advisors and
Cybersecurity State Coordinators of the Agency and private sector
healthcare experts, as appropriate, shall provide training to
Healthcare and Public Health Sector asset owners and operators on--
(1) cybersecurity risks to the Healthcare and Public Health
Sector and assets within the sector; and
(2) ways to mitigate the risks to information systems in
the Healthcare and Public Health Sector.
SEC. 6. SECTOR-SPECIFIC PLAN.
(a) In General.--Not later than 1 year after the date of enactment
of this Act, the Secretary, in coordination with the Director, shall
update the Healthcare and Public Health Sector Specific Plan (referred
to in this section as the ``Plan''), which shall include the following
elements:
(1) An analysis of how identified cybersecurity risks
specifically impact Healthcare and Public Health Sector assets,
including the impact on rural and small and medium-sized
Healthcare and Public Health Sector assets.
(2) An evaluation of the challenges Healthcare and Public
Health Sector assets face in--
(A) securing--
(i) updated information systems owned,
leased, or relied upon by Healthcare and Public
Health Sector assets;
(ii) medical devices or equipment owned,
leased, or relied upon by Healthcare and Public
Health Sector assets, which shall include an
analysis of the threat landscape and
cybersecurity vulnerabilities of such medical
devices or equipment; and
(iii) sensitive patient health information
and electronic health records;
(B) implementing cybersecurity protocols; and
(C) responding to data breaches or cybersecurity
attacks, including the impact on patient access to
care, quality of patient care, timeliness of health
care delivery, and health outcomes.
(3) An evaluation of best practices for the deployment of
trained Cyber Security Advisors and Cybersecurity State
Coordinators of the Agency into Healthcare and Public Health
Sector assets before, during, and after data breaches or
cybersecurity attacks.
(4) An assessment of relevant Healthcare and Public Health
Sector cybersecurity workforce shortages, including--
(A) training, recruitment, and retention issues;
and
(B) recommendations for how to address these
shortages and issues, particularly at rural and small
and medium-sized Healthcare and Public Health Sector
assets.
(5) An identification of cybersecurity challenges related
to or brought on by the public health emergency declared by the
Secretary under section 319 of the Public Health Service Act
(42 U.S.C. 247d) on January 27, 2020, with respect to COVID-19.
(6) An evaluation of the most accessible and timely ways
for the Agency and the Department to communicate and deploy
cybersecurity recommendations and tools to Healthcare and
Public Health Sector assets.
(b) Congressional Briefing.--Not later than 120 days after the date
of enactment of this Act, the Secretary, in consultation with the
Director, shall provide a briefing on the updating of the Plan under
subsection (a) to--
(1) the Committee on Health, Education, Labor, and Pensions
and the Committee on Homeland Security and Governmental Affairs
of the Senate; and
(2) the Committee on Energy and Commerce and the Committee
on Homeland Security of the House of Representatives.
Amend the title so as to read: ``A bill to enhance the
cybersecurity of the Healthcare and Public Health Sector and
update the Healthcare and Public Health Sector Specific
Plan.''.