[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4697 Introduced in Senate (IS)]
<DOC>
118th CONGRESS
2d Session
S. 4697
To enhance the cybersecurity of the Healthcare and Public Health
Sector.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 11 (legislative day, July 10), 2024
Ms. Rosen (for herself, Mr. Young, and Mr. King) introduced the
following bill; which was read twice and referred to the Committee on
Homeland Security and Governmental Affairs
_______________________________________________________________________
A BILL
To enhance the cybersecurity of the Healthcare and Public Health
Sector.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Healthcare Cybersecurity Act of
2024''.
SEC. 2. DEFINITIONS.
In this Act--
(1) the term ``Agency'' means the Cybersecurity and
Infrastructure Security Agency;
(2) the term ``covered asset'' means a Healthcare and
Public Health Sector asset, including technologies, services,
and utilities;
(3) the term ``Cybersecurity State Coordinator'' means a
Cybersecurity State Coordinator appointed under section 2217(a)
of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
(4) the term ``Department'' means the Department of Health
and Human Services;
(5) the term ``Director'' means the Director of the Agency;
(6) the term ``Healthcare and Public Health Sector'' means
the Healthcare and Public Health sector, as identified in
Presidential Policy Directive 21 (February 12, 2013; relating
to critical infrastructure security and resilience);
(7) the term ``Information Sharing and Analysis
Organizations'' has the meaning given that term in section 2200
of the Homeland Security Act of 2002 (6 U.S.C. 650);
(8) the term ``Plan'' means the Healthcare and Public
Health Sector Specific Plan; and
(9) the term ``Secretary'' means the Secretary of Health
and Human Services.
SEC. 3. FINDINGS.
Congress finds the following:
(1) Covered assets are increasingly the targets of
malicious cyberattacks, which result not only in data breaches,
but also increased healthcare delivery costs, and can
ultimately affect patient health outcomes.
(2) Data reported to the Department shows that large cyber
breaches of the information systems of healthcare facilities
rose 93 percent between 2018 to 2022 .
(3) According to data from the Office for Civil Rights of
the Department, health information breaches have increased
since 2016, and in 2022 alone, the Department reported 626
breaches on covered entities, as defined under the Health
Insurance Portability and Accountability Act of 1996 (Public
Law 104-191), affecting more than 500 people, with nearly
42,000,000 total people affected by health information
breaches.
SEC. 4. AGENCY COORDINATION WITH THE DEPARTMENT.
(a) In General.--The Agency shall coordinate with the Department,
including by entering into an agreement, as appropriate, to improve
cybersecurity in the Healthcare and Public Health Sector.
(b) Agency Liaison to the Department.--
(1) Appointment.--The Director shall, in coordination with
the Secretary, appoint an individual, who shall be an employee
of the Agency or a detailee assigned to the Department by the
Director, to serve as the liaison of the Agency to the
Department, who shall--
(A) have appropriate cybersecurity qualifications
and expertise; and
(B) report directly to the Director.
(2) Responsibilities and duties.--The liaison appointed
under paragraph (1) shall--
(A) provide to the owners and operators of covered
assets technical assistance regarding, information on,
and best practices relating to improving cybersecurity;
(B) serve as a primary contact of the Department to
coordinate cybersecurity issues with the Agency;
(C) support the implementation and execution of the
Plan and assist in the development of updates to the
Plan;
(D) facilitate the sharing of cyber threat
information to improve understanding of cybersecurity
risks and situational awareness of cybersecurity
incidents;
(E) manage the implementation of the agreement
entered into under subsection (a);
(F) implement the training described in section 5;
(G) coordinate between the Agency and the
Department during cybersecurity incidents within the
Healthcare and Public Health Sector; and
(H) perform such other duties as determined
necessary by the Secretary to achieve the goal of
improving the cybersecurity of the Healthcare and
Public Health Sector.
(3) Report.--Not later than 18 months after the date of
enactment of this Act, the liaison appointed under paragraph
(1), in consultation with the Secretary and the Director, shall
submit a report that describes the activities undertaken to
improve cybersecurity coordination between the Agency and the
Department to--
(A) the Committee on Health, Education, Labor, and
Pensions, the Committee on Finance, and the Committee
on Homeland Security and Governmental Affairs of the
Senate; and
(B) the Committee on Energy and Commerce, the
Committee on Ways and Means, and the Committee on
Homeland Security of the House of Representatives.
(c) Assistance.--
(1) In general.--The Agency shall coordinate with and make
resources available to Information Sharing and Analysis
Organizations, information sharing and analysis centers, the
sector coordinating councils, and non-Federal entities that are
receiving information shared through programs managed by the
Department.
(2) Scope.--The coordination under paragraph (1) shall
include--
(A) developing products specific to the needs of
Healthcare and Public Health Sector entities; and
(B) sharing information relating to cyber threat
indicators and appropriate defensive measures.
SEC. 5. TRAINING FOR HEALTHCARE EXPERTS.
The Cyber Security Advisors and Cybersecurity State Coordinators of
the Agency shall, in coordination, as appropriate, with the liaison
appointed under section 4(b)(1) and private sector healthcare experts,
provide training to the owners and operators of covered assets on--
(1) cybersecurity risks to the Healthcare and Public Health
Sector and covered assets; and
(2) ways to mitigate the risks to information systems in
the Healthcare and Public Health Sector.
SEC. 6. SECTOR-SPECIFIC PLAN.
(a) In General.--Not later than 1 year after the date of enactment
of this Act, the Secretary, in coordination with the Director, shall
update the Plan, which shall include the following elements:
(1) An analysis of how identified cybersecurity risks
specifically impact covered assets, including the impact on
rural and small and medium-sized covered assets.
(2) An evaluation of the challenges the owners and
operators of covered assets face in--
(A) securing--
(i) updated information systems owned,
leased, or relied upon by covered assets;
(ii) medical devices or equipment owned,
leased, or relied upon by covered assets, which
shall include an analysis of the threat
landscape and cybersecurity vulnerabilities of
such medical devices or equipment; and
(iii) sensitive patient health information
and electronic health records;
(B) implementing cybersecurity protocols; and
(C) responding to data breaches or cybersecurity
attacks, including the impact on patient access to
care, quality of patient care, timeliness of health
care delivery, and health outcomes.
(3) An evaluation of best practices for the deployment of
trained Cyber Security Advisors and Cybersecurity State
Coordinators of the Agency into covered assets before, during,
and after data breaches or cybersecurity attacks.
(4) An assessment of relevant Healthcare and Public Health
Sector cybersecurity workforce shortages, including--
(A) training, recruitment, and retention issues;
and
(B) recommendations for how to address these
shortages and issues, particularly at rural and small
and medium-sized covered assets.
(5) An evaluation of the most accessible and timely ways
for the Agency and the Department to communicate and deploy
cybersecurity recommendations and tools to the owners and
operators of covered assets.
(b) Congressional Briefing.--Not later than 120 days after the date
of enactment of this Act, the Secretary, in consultation with the
Director, shall provide a briefing on the updating of the Plan under
subsection (a) to--
(1) the Committee on Health, Education, Labor, and
Pensions, the Committee on Finance, and the Committee on
Homeland Security and Governmental Affairs of the Senate; and
(2) the Committee on Energy and Commerce, the Committee on
Ways and Means, and the Committee on Homeland Security of the
House of Representatives.
SEC. 7. IDENTIFYING HIGH-RISK COVERED ASSETS.
(a) In General.--Not later than 90 days after the date of enactment
of this Act, the Director shall establish objective criteria for
determining whether a covered asset should be designated as a high-risk
covered asset.
(b) Methodology.--The Director, in consultation with the Secretary,
as appropriate, shall establish a methodology for determining whether a
covered asset meets the criteria established under subsection (a) to be
designated as a high-risk covered asset.
(c) List of High-Risk Covered Assets.--
(1) In general.--The Secretary shall develop a list of, and
notify, the owners and operators of each covered asset
determined to be a high-risk covered asset using the
methodology established under subsection (b).
(2) Biannual updating.--The Secretary shall--
(A) biannually review and update the list of high-
risk covered assets developed under paragraph (1); and
(B) notify the owners and operators of each covered
asset added to or removed from the list as part of a
review and update of the list under subparagraph (A).
(3) Notice to congress.--The Secretary shall notify
Congress when the initial list of high-risk covered assets is
developed under paragraph (1) and each time the list is updated
under paragraph (2).
(4) Use.--The list developed and updated under this
subsection shall be used by the Department to prioritize
resource allocation to high-risk covered assets to bolster
cyber resilience.
SEC. 8. REPORT ON ASSISTANCE PROVIDED TO ENTITIES OF HEALTHCARE AND
PUBLIC HEALTH SECTOR.
Not later than 120 days after the date of enactment of this Act,
the Agency shall submit to Congress a report on the organization-wide
level of support and activities that the Agency has provided to the
healthcare and public health sector to proactively prepare the sector
to face cyber threats and respond to cyber attacks when such threats or
attacks occur.
<all>