104 S4697 IS: Healthcare Cybersecurity Act of 2024
U.S. Senate
2024-07-11
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.This Act may be cited as the Healthcare Cybersecurity Act of 2024
.2.In this Act—(1)the term Agency means the Cybersecurity and Infrastructure Security Agency;(2)the term covered asset means a Healthcare and Public Health Sector asset, including technologies, services, and utilities; (3)the term Cybersecurity State Coordinator means a Cybersecurity State Coordinator appointed under section 2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));(4)the term Department means the Department of Health and Human Services;(5)the term Director means the Director of the Agency;(6)the term Healthcare and Public Health Sector means the Healthcare and Public Health sector, as identified in Presidential Policy Directive 21 (February 12, 2013; relating to critical infrastructure security and resilience);(7)the term Information Sharing and Analysis Organizations has the meaning given that term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650); (8)the term Plan means the Healthcare and Public Health Sector Specific Plan; and(9)the term Secretary means the Secretary of Health and Human Services.3.Congress finds the following:(1)Covered assets are increasingly the targets of malicious cyberattacks, which result not only in data breaches, but also increased healthcare delivery costs, and can ultimately affect patient health outcomes.(2)Data reported to the Department shows that large cyber breaches of the information systems of healthcare facilities rose 93 percent between 2018 to 2022 . (3)According to data from the Office for Civil Rights of the Department, health information breaches have increased since 2016, and in 2022 alone, the Department reported 626 breaches on covered entities, as defined under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191), affecting more than 500 people, with nearly 42,000,000 total people affected by health information breaches.4.Agency coordination with the Department(a)The Agency shall coordinate with the Department, including by entering into an agreement, as appropriate, to improve cybersecurity in the Healthcare and Public Health Sector.(b)Agency liaison to the Department(1)The Director shall, in coordination with the Secretary, appoint an individual, who shall be an employee of the Agency or a detailee assigned to the Department by the Director, to serve as the liaison of the Agency to the Department, who shall—(A)have appropriate cybersecurity qualifications and expertise; and(B)report directly to the Director.(2)Responsibilities and dutiesThe liaison appointed under paragraph (1) shall—(A)provide to the owners and operators of covered assets technical assistance regarding, information on, and best practices relating to improving cybersecurity;(B)serve as a primary contact of the Department to coordinate cybersecurity issues with the Agency;(C)support the implementation and execution of the Plan and assist in the development of updates to the Plan;(D)facilitate the sharing of cyber threat information to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents; (E)manage the implementation of the agreement entered into under subsection (a); (F)implement the training described in section 5; (G)coordinate between the Agency and the Department during cybersecurity incidents within the Healthcare and Public Health Sector; and (H)perform such other duties as determined necessary by the Secretary to achieve the goal of improving the cybersecurity of the Healthcare and Public Health Sector.(3)Not later than 18 months after the date of enactment of this Act, the liaison appointed under paragraph (1), in consultation with the Secretary and the Director, shall submit a report that describes the activities undertaken to improve cybersecurity coordination between the Agency and the Department to—(A)the Committee on Health, Education, Labor, and Pensions, the Committee on Finance, and the Committee on Homeland Security and Governmental Affairs of the Senate; and(B)the Committee on Energy and Commerce, the Committee on Ways and Means, and the Committee on Homeland Security of the House of Representatives. (c)(1)The Agency shall coordinate with and make resources available to Information Sharing and Analysis Organizations, information sharing and analysis centers, the sector coordinating councils, and non-Federal entities that are receiving information shared through programs managed by the Department.(2)The coordination under paragraph (1) shall include—(A)developing products specific to the needs of Healthcare and Public Health Sector entities; and(B)sharing information relating to cyber threat indicators and appropriate defensive measures.5.Training for healthcare expertsThe Cyber Security Advisors and Cybersecurity State Coordinators of the Agency shall, in coordination, as appropriate, with the liaison appointed under section 4(b)(1) and private sector healthcare experts, provide training to the owners and operators of covered assets on— (1)cybersecurity risks to the Healthcare and Public Health Sector and covered assets; and(2)ways to mitigate the risks to information systems in the Healthcare and Public Health Sector.6.(a)Not later than 1 year after the date of enactment of this Act, the Secretary, in coordination with the Director, shall update the Plan, which shall include the following elements:(1)An analysis of how identified cybersecurity risks specifically impact covered assets, including the impact on rural and small and medium-sized covered assets.(2)An evaluation of the challenges the owners and operators of covered assets face in—(A)securing—(i)updated information systems owned, leased, or relied upon by covered assets;(ii)medical devices or equipment owned, leased, or relied upon by covered assets, which shall include an analysis of the threat landscape and cybersecurity vulnerabilities of such medical devices or equipment; and(iii)sensitive patient health information and electronic health records;(B)implementing cybersecurity protocols; and(C)responding to data breaches or cybersecurity attacks, including the impact on patient access to care, quality of patient care, timeliness of health care delivery, and health outcomes.(3)An evaluation of best practices for the deployment of trained Cyber Security Advisors and Cybersecurity State Coordinators of the Agency into covered assets before, during, and after data breaches or cybersecurity attacks.(4)An assessment of relevant Healthcare and Public Health Sector cybersecurity workforce shortages, including—(A)training, recruitment, and retention issues; and(B)recommendations for how to address these shortages and issues, particularly at rural and small and medium-sized covered assets.(5)An evaluation of the most accessible and timely ways for the Agency and the Department to communicate and deploy cybersecurity recommendations and tools to the owners and operators of covered assets.(b)Not later than 120 days after the date of enactment of this Act, the Secretary, in consultation with the Director, shall provide a briefing on the updating of the Plan under subsection (a) to—(1)the Committee on Health, Education, Labor, and Pensions, the Committee on Finance, and the Committee on Homeland Security and Governmental Affairs of the Senate; and(2)the Committee on Energy and Commerce, the Committee on Ways and Means, and the Committee on Homeland Security of the House of Representatives. 7.Identifying high-risk covered assets(a)Not later than 90 days after the date of enactment of this Act, the Director shall establish objective criteria for determining whether a covered asset should be designated as a high-risk covered asset.(b)The Director, in consultation with the Secretary, as appropriate, shall establish a methodology for determining whether a covered asset meets the criteria established under subsection (a) to be designated as a high-risk covered asset.(c)List of high-Risk covered assets(1)The Secretary shall develop a list of, and notify, the owners and operators of each covered asset determined to be a high-risk covered asset using the methodology established under subsection (b).(2)The Secretary shall— (A)biannually review and update the list of high-risk covered assets developed under paragraph (1); and (B)notify the owners and operators of each covered asset added to or removed from the list as part of a review and update of the list under subparagraph (A).(3)The Secretary shall notify Congress when the initial list of high-risk covered assets is developed under paragraph (1) and each time the list is updated under paragraph (2). (4)The list developed and updated under this subsection shall be used by the Department to prioritize resource allocation to high-risk covered assets to bolster cyber resilience.8.Report on Assistance Provided to Entities of Healthcare and Public Health SectorNot later than 120 days after the date of enactment of this Act, the Agency shall submit to Congress a report on the organization-wide level of support and activities that the Agency has provided to the healthcare and public health sector to proactively prepare the sector to face cyber threats and respond to cyber attacks when such threats or attacks occur.