[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 1851 Introduced in Senate (IS)]

119th CONGRESS
  1st Session
                                S. 1851

   To enhance the cybersecurity of the Healthcare and Public Health 
                                Sector.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 21, 2025

 Ms. Rosen (for herself and Mr. Young) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
   To enhance the cybersecurity of the Healthcare and Public Health 
                                Sector.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Healthcare Cybersecurity Act of 
2025''.

SEC. 2. DEFINITIONS.

    In this Act--
            (1) the term ``Agency'' means the Cybersecurity and 
        Infrastructure Security Agency;
            (2) the term ``covered asset'' means a Healthcare and 
        Public Health Sector asset, including technologies, services, 
        and utilities;
            (3) the term ``Cybersecurity State Coordinator'' means a 
        Cybersecurity State Coordinator appointed under section 2217(a) 
        of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
            (4) the term ``Department'' means the Department of Health 
        and Human Services;
            (5) the term ``Director'' means the Director of the Agency;
            (6) the term ``Healthcare and Public Health Sector'' means 
        the Healthcare and Public Health sector, as identified in the 
        National Security Memorandum on Critical Infrastructure and 
        Resilience (NSM-22), issued April 30, 2024;
            (7) the term ``Information Sharing and Analysis 
        Organizations'' has the meaning given the term in section 2200 
        of the Homeland Security Act of 2002 (6 U.S.C. 650);
            (8) the term ``Plan'' means the Healthcare and Public 
        Health Sector-specific Risk Management Plan; and
            (9) the term ``Secretary'' means the Secretary of Health 
        and Human Services.

SEC. 3. FINDINGS.

    Congress finds the following:
            (1) Covered assets are increasingly the targets of 
        malicious cyberattacks, which result not only in data breaches 
        but also increased healthcare delivery costs and can ultimately 
        affect patient health outcomes.
            (2) Data reported to the Department shows that large cyber 
        breaches of the information systems of healthcare facilities 
        rose 93 percent between 2018 and 2022.
            (3) According to the ``Annual Report to Congress on 
        Breaches of Unsecured Protected Health Information for Calendar 
        Year 2022'' issued by the Office for Civil Rights of the 
        Department, breaches of unsecured protected health information 
        have increased 107 percent since 2018, and, in 2022 alone, the 
        Department received 626 reported breaches affecting not fewer 
        than 500 individuals at covered entities or business associates 
        (as defined in section 160.103 of title 45, Code of Federal 
        Regulations) that occurred or ended in 2022, with nearly 
        42,000,000 individuals affected.

SEC. 4. AGENCY COORDINATION WITH THE DEPARTMENT.

    (a) In General.--The Agency shall coordinate with the Department to 
improve cybersecurity in the Healthcare and Public Health Sector.
    (b) Agency Liaison to the Department.--
            (1) Appointment.--The Director shall, in coordination with 
        the Secretary, appoint an individual, who shall be an employee 
        of the Agency or a detailee assigned to the Administration for 
        Strategic Preparedness and Response Office of the Department by 
        the Director, to serve as a liaison of the Agency to the 
        Department, who shall--
                    (A) have appropriate cybersecurity qualifications 
                and expertise; and
                    (B) report directly to the Director.
            (2) Responsibilities and duties.--The liaison appointed 
        under paragraph (1) shall--
                    (A) serve as a primary contact of the Department to 
                coordinate cybersecurity issues with the Agency;
                    (B) support the implementation and execution of the 
                Plan and assist in the development of updates to the 
                Plan;
                    (C) facilitate the sharing of cyber threat 
                information between the Department and the Agency to 
                improve understanding of cybersecurity risks and 
                situational awareness of cybersecurity incidents;
                    (D) assist in implementing the training described 
                in section 5;
                    (E) facilitate coordination between the Agency and 
                the Department during cybersecurity incidents within 
                the Healthcare and Public Health Sector; and
                    (F) perform such other duties as determined 
                necessary by the Secretary to achieve the goal of 
                improving the cybersecurity of the Healthcare and 
                Public Health Sector.
            (3) Report.--
                    (A) Requirement.--Not later than 18 months after 
                the date of enactment of this Act, the Secretary, in 
                coordination with the Director, shall submit a report 
                that describes the activities undertaken to improve 
                cybersecurity coordination between the Agency and the 
                Department to--
                            (i) the Committee on Health, Education, 
                        Labor, and Pensions, the Committee on Finance, 
                        and the Committee on Homeland Security and 
                        Governmental Affairs of the Senate; and
                            (ii) the Committee on Energy and Commerce, 
                        the Committee on Ways and Means, and the 
                        Committee on Homeland Security of the House of 
                        Representatives.
                    (B) Contents.--The report submitted under 
                subparagraph (A) shall include--
                            (i) a summary of the activities of the 
                        liaison appointed under paragraph (1);
                            (ii) a description of any challenges to the 
                        effectiveness of the liaison appointed under 
                        paragraph (1) completing the required duties of 
                        the liaison; and
                            (iii) a study of the feasibility of an 
                        agreement to improve cybersecurity in the 
                        public sector of healthcare.
    (c) Resources.--
            (1) In general.--The Agency shall coordinate with and make 
        resources available to Information Sharing and Analysis 
        Organizations, information sharing and analysis centers, the 
        sector coordinating councils, and non-Federal entities that are 
        receiving information shared through programs managed by the 
        Department.
            (2) Scope.--The coordination under paragraph (1) shall 
        include--
                    (A) developing products specific to the needs of 
                Healthcare and Public Health Sector entities; and
                    (B) sharing information relating to cyber threat 
                indicators and appropriate defensive measures.

SEC. 5. TRAINING FOR HEALTHCARE OWNERS AND OPERATORS.

    The Agency shall make available training to the owners and 
operators of covered assets on--
            (1) cybersecurity risks to the Healthcare and Public Health 
        Sector and covered assets; and
            (2) ways to mitigate the risks to information systems in 
        the Healthcare and Public Health Sector.

SEC. 6. SECTOR-SPECIFIC RISK MANAGEMENT PLAN.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Secretary, in coordination with the Director, shall 
update the Plan, which shall include the following elements:
            (1) An analysis of how identified cybersecurity risks 
        specifically impact covered assets, including the impact on 
        rural and small- and medium-sized covered assets.
            (2) An evaluation of the challenges the owners and 
        operators of covered assets face in--
                    (A) securing--
                            (i) updated information systems owned, 
                        leased, or relied upon by covered assets;
                            (ii) medical devices or equipment owned, 
                        leased, or relied upon by covered assets, which 
                        shall include an analysis of the threat 
                        landscape and cybersecurity vulnerabilities of 
                        such medical devices or equipment; and
                            (iii) sensitive patient health information 
                        and electronic health records;
                    (B) implementing cybersecurity protocols; and
                    (C) responding to data breaches or cybersecurity 
                attacks, including the impact on patient access to 
                care, quality of patient care, timeliness of health 
                care delivery, and health outcomes.
            (3) An evaluation of the best practices for utilization of 
        resources from the Agency to support covered assets before, 
        during, and after data breaches or cybersecurity attacks, such 
        as by Cyber Security Advisors and Cybersecurity State 
        Coordinators of the Agency or other similar resources.
            (4) An assessment of relevant Healthcare and Public Health 
        Sector cybersecurity workforce shortages, including--
                    (A) training, recruitment, and retention issues; 
                and
                    (B) recommendations for how to address these 
                shortages and issues, particularly at rural and small- 
                and medium-sized covered assets.
            (5) An evaluation of the most accessible and timely ways 
        for the Agency and the Department to communicate and deploy 
        cybersecurity recommendations and tools to the owners and 
        operators of covered assets.
    (b) Congressional Briefing.--Not later than 120 days after the date 
of enactment of this Act, the Secretary, in consultation with the 
Director, shall provide a briefing on the updating of the Plan under 
subsection (a) to--
            (1) the Committee on Health, Education, Labor, and 
        Pensions, the Committee on Finance, and the Committee on 
        Homeland Security and Governmental Affairs of the Senate; and
            (2) the Committee on Energy and Commerce, the Committee on 
        Ways and Means, and the Committee on Homeland Security of the 
        House of Representatives.

SEC. 7. IDENTIFYING HIGH-RISK COVERED ASSETS.

    (a) In General.--The Secretary, in consultation with the Director 
and health sector owners and operators, as appropriate, may establish 
objective criteria for determining whether a covered asset may be 
designated as a high-risk covered asset, provided that such criteria 
shall align with the methodology promulgated by the Director for 
identifying functions relating to critical infrastructure, as defined 
in section 1016(e) of the Critical Infrastructures Protection Act of 
2001 (42 U.S.C. 5195c(e)), and associated risk assessments.
    (b) List of High-Risk Covered Assets.--
            (1) In general.--The Secretary may develop a list of, and 
        notify, the owners and operators of each covered asset 
        determined to be a high-risk covered asset using the 
        methodology promulgated by the Director pursuant to subsection 
        (a).
            (2) Biannual updating.--The Secretary may--
                    (A) biannually review and update the list of high-
                risk covered assets developed under paragraph (1); and
                    (B) notify the owners and operators of each covered 
                asset added to or removed from the list as part of a 
                review and update of the list under subparagraph (A).
            (3) Notice to congress.--The Secretary shall notify 
        Congress when an initial list of high-risk covered assets is 
        developed under paragraph (1) and each time the list is updated 
        under paragraph (2).
            (4) Use.--The list developed and updated under this 
        subsection may be used by the Department to prioritize resource 
        allocation to high-risk covered assets to bolster cyber 
        resilience.

SEC. 8. REPORTS.

    (a) Report on Assistance Provided to Entities of Healthcare and 
Public Health Sector.--Not later than 120 days after the date of 
enactment of this Act, the Agency shall submit to Congress a report on 
the organization-wide level of support and activities that the Agency 
has provided to the healthcare and public health sector to proactively 
prepare the sector to face cyber threats and respond to cyber attacks 
when such threats or attacks occur.
    (b) Report on Critical Infrastructure Resources.--Not later than 18 
months after the date of enactment of this Act, the Comptroller General 
of the United States shall submit to Congress a report on Federal 
resources available, as of the date of enactment of this Act, for the 
Healthcare and Public Health Sector relating to critical 
infrastructure, as defined in section 1016(e) of the Critical 
Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)), including 
resources available from recent and ongoing collaboration with the 
Director and the Secretary.

SEC. 9. RULES OF CONSTRUCTION.

    (a) Agency Actions.--Nothing in this Act shall be construed to 
authorize the Secretary or Director to take an action that is not 
authorized by this Act or existing law.
    (b) Protection of Rights.--Nothing in this Act shall be construed 
to permit the violation of the rights of any individual protected by 
the Constitution of the United States, including through censorship of 
speech protected by the Constitution of the United States or 
unauthorized surveillance.
    (c) No Additional Funds.--No additional funds are authorized to be 
appropriated for the purpose of carrying out this Act.