Information security

(a)

Authority To designate chief information security officer

Title II of the Public Health Service Act is amended by inserting after section 229 of such Act (42 U.S.C. 237a) the following:

229A.

Authority to designate chief information security officer

Notwithstanding any other provision of law— (1)the Secretary may designate an officer within the Department as having primary responsibility for the information security (including cybersecurity) programs of the Department; (2)any such designated officer shall report directly to the Secretary or directly to another senior officer within the Department of the Secretary’s choosing; and (3)the Secretary may transfer the functions, personnel, assets, and liabilities of the Chief Information Security Officer in the Office of the Chief Information Officer of the Department of Health and Human Services, as such position exists on September 30, 2017, to such designated officer.

(b)

Report

(1)

In general

Not later than 1 year after the date of enactment of this Act, the Secretary of Health and Human Services shall develop and submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Health, Education, Labor, and Pensions of the Senate a plan on the role of the Department of Health and Human Services (in this subsection referred to as the Department) in preparing for and responding to cybersecurity threats. (2)

Contents

The plan under paragraph (1) shall— (A)differentiate between— (i)the responsibilities of the Department overall and each of its agencies and offices in maintaining the security and integrity of their respective information systems; and (ii)the responsibilities of the Department overall and each of its agencies and offices in regulating and providing guidance, information, education, training, and assistance to the health care sector; (B)specify how the Department overall and each of its agencies and offices delineates between the responsibilities described in subparagraph (A)(i) and those described in subparagraph (A)(ii) through organization, personnel, policies, and procedures; (C)address the coordination of the responsibilities described in subparagraph (A)(i) and those described in subparagraph (A)(ii) across the agencies and offices of the Department; (D)address any types of conflicts that can arise (within the Department or the health care sector) because of the Department having both the responsibilities described in subparagraph (A)(i) and those described in subparagraph (A)(ii); (E)differentiate between— (i)the role of the Department in regulating the health care sector; and (ii)the role of the Department as a Sector-Specific Agency for the health care sector under Presidential Policy Directive 21 (signed on February 12, 2013); and (F)specify how the Department delineates between the role described in subparagraph (E)(i) and the role described in subparagraph (E)(ii) through organization, personnel, policies, and procedures. (c)

No additional appropriations authorized

No additional funds are authorized to be appropriated to carry out this Act, or the amendments made by this Act. This Act, and the amendments made by this Act, shall be carried out using amounts otherwise authorized or appropriated.