“A bill to enhance the cybersecurity of the Healthcare and Public Health Sector.”
No CRS summary available for this bill.
This section provides definitions for the following terms for purposes of the Act: (1) Agency, meaning the Cybersecurity and Infrastructure Security Agency; (2) covered asset, meaning a Healthcare and Public Health Sector asset, including technologies, services, and utilities; (3) Cybersecurity State Coordinator, meaning a coordinator appointed under section 2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 665c(a)); (4) Department, meaning the Department of Health and Human Services; (5) Director, meaning the Director of the Agency; (6) Healthcare and Public Health Sector, meaning the Healthcare and Public Health sector as identified in National Security Memorandum–22 (issued April 30, 2024); (7) Information Sharing and Analysis Organizations, having the meaning given that term in 6 U.S.C. 650; (8) Plan, meaning the Healthcare and Public Health Sector-specific Risk Management Plan; and (9) Secretary, meaning the Secretary of Health and Human Services.
This section states congressional findings concerning cyberattacks on covered assets in the healthcare sector. It finds that (1) such attacks result in data breaches, increased healthcare delivery costs, and adverse patient health outcomes; (2) large cyber breaches of healthcare facilities' information systems rose 93 percent between 2018 and 2022; and (3) breaches of unsecured protected health information increased 107 percent since 2018, with 626 such breaches reported in 2022 affecting nearly 42 million individuals at covered entities or business associates.
This section requires the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate with the Department of Health and Human Services (HHS) to improve cybersecurity in the healthcare and public health sector. It directs CISA's Director, in coordination with HHS's Secretary, to appoint a qualified cybersecurity expert as a CISA liaison to HHS's Administration for Strategic Preparedness and Response, who must serve as the primary contact for cybersecurity coordination; support implementation of a cybersecurity plan; facilitate threat information sharing, training, and incident response; and perform other related duties. The section also requires the Secretary and Director, not later than 18 months after enactment, to submit to specified Senate and House committees a report summarizing the liaison's activities, coordination challenges, and a feasibility study of a public-sector healthcare cybersecurity agreement. Finally, it requires CISA to make resources available to information sharing and analysis organizations (ISAOs), information sharing and analysis centers (ISACs), sector coordinating councils, and non-federal entities receiving departmental cybersecurity information, including sector-specific products and cyber threat indicators with defensive measures.
This section directs the Agency to make available training to owners and operators of covered assets on (1) cybersecurity risks to the Healthcare and Public Health Sector and covered assets, and (2) ways to mitigate risks to information systems in that sector.
This section directs the Secretary of Health and Human Services (HHS), in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) Director, to update the Healthcare and Public Health Sector Risk Management Plan (i.e., the critical infrastructure risk management plan for the healthcare sector) not later than one year after enactment of this Act to include (1) an analysis of cybersecurity risks to covered assets (i.e., healthcare critical infrastructure), including impacts on rural and small- and medium-sized assets; (2) an evaluation of challenges faced by owners and operators in securing information systems, medical devices, and patient health information; implementing cybersecurity protocols; and responding to breaches or attacks (including effects on patient care access, quality, timeliness, and outcomes); (3) best practices for using CISA resources such as Cyber Security Advisors and Cybersecurity State Coordinators; (4) an assessment of cybersecurity workforce shortages in the sector, with recommendations to address training, recruitment, and retention issues (particularly for rural and small- and medium-sized assets); and (5) evaluations of optimal methods for CISA and HHS to communicate and deploy cybersecurity tools and recommendations. It further requires the HHS Secretary, in consultation with the CISA Director, to brief specified congressional committees on the plan update not later than 120 days after enactment.
This section authorizes the Secretary, in consultation with the Director and health sector owners and operators as appropriate, to establish objective criteria—aligned with the Director's methodology under the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)) for identifying critical infrastructure functions—for designating high-risk covered assets. The section further authorizes the Secretary to (1) develop and notify owners and operators of an initial list of such assets; (2) biannually review, update, and notify owners and operators of changes to the list; (3) notify Congress of the initial list and each update; and (4) use the list to prioritize Department resources for bolstering cyber resilience of high-risk covered assets.
This section requires two reports to Congress on federal support for the healthcare and public health critical infrastructure sector (one of 16 designated sectors). (1) Not later than 120 days after enactment, the Agency must report on its organization-wide support and activities to prepare the sector for cyber threats and to respond to cyberattacks. (2) Not later than 18 months after enactment, the Comptroller General of the United States must report on federal resources available as of enactment for the sector, as defined in the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)), including from recent and ongoing collaboration with the Director and the Secretary.
This section specifies rules of construction for the Act, providing that (1) it does not authorize the Secretary or Director to take any action not authorized by the Act or existing law; (2) it does not permit violation of any individual's constitutional rights, including through censorship of protected speech or unauthorized surveillance; and (3) no additional funds are authorized to be appropriated to carry out the Act.