119 S1851 IS: Healthcare Cybersecurity Act of 2025
U.S. Senate
2025-05-21
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.
This Act may be cited as the Healthcare Cybersecurity Act of 2025
.
2.
In this Act— (1) the term Agency means the Cybersecurity and Infrastructure Security Agency;
(2)
the term covered asset means a Healthcare and Public Health Sector asset, including technologies, services, and utilities;
(3)
the term Cybersecurity State Coordinator means a Cybersecurity State Coordinator appointed under section 2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
(4)
the term Department means the Department of Health and Human Services;
(5)
the term Director means the Director of the Agency; (6) the term Healthcare and Public Health Sector means the Healthcare and Public Health sector, as identified in the National Security Memorandum on Critical Infrastructure and Resilience (NSM–22), issued April 30, 2024;
(7)
the term Information Sharing and Analysis Organizations has the meaning given the term in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650);
(8)
the term Plan means the Healthcare and Public Health Sector-specific Risk Management Plan; and
(9)
the term Secretary means the Secretary of Health and Human Services.
3.
Congress finds the following: (1) Covered assets are increasingly the targets of malicious cyberattacks, which result not only in data breaches but also increased healthcare delivery costs and can ultimately affect patient health outcomes.
(2)
Data reported to the Department shows that large cyber breaches of the information systems of healthcare facilities rose 93 percent between 2018 and 2022.
(3)
According to the Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022
issued by the Office for Civil Rights of the Department, breaches of unsecured protected health information have increased 107 percent since 2018, and, in 2022 alone, the Department received 626 reported breaches affecting not fewer than 500 individuals at covered entities or business associates (as defined in section 160.103 of title 45, Code of Federal Regulations) that occurred or ended in 2022, with nearly 42,000,000 individuals affected.
4.
Agency coordination with the Department
(a)
The Agency shall coordinate with the Department to improve cybersecurity in the Healthcare and Public Health Sector.
(b)
Agency liaison to the Department
(1)
The Director shall, in coordination with the Secretary, appoint an individual, who shall be an employee of the Agency or a detailee assigned to the Administration for Strategic Preparedness and Response Office of the Department by the Director, to serve as a liaison of the Agency to the Department, who shall—
(A)
have appropriate cybersecurity qualifications and expertise; and
(B)
report directly to the Director. (2) Responsibilities and duties The liaison appointed under paragraph (1) shall—
(A)
serve as a primary contact of the Department to coordinate cybersecurity issues with the Agency;
(B)
support the implementation and execution of the Plan and assist in the development of updates to the Plan;
(C)
facilitate the sharing of cyber threat information between the Department and the Agency to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents;
(D)
assist in implementing the training described in section 5; (E) facilitate coordination between the Agency and the Department during cybersecurity incidents within the Healthcare and Public Health Sector; and
(F)
perform such other duties as determined necessary by the Secretary to achieve the goal of improving the cybersecurity of the Healthcare and Public Health Sector.
(3)
(A)
Not later than 18 months after the date of enactment of this Act, the Secretary, in coordination with the Director, shall submit a report that describes the activities undertaken to improve cybersecurity coordination between the Agency and the Department to—
(i)
the Committee on Health, Education, Labor, and Pensions, the Committee on Finance, and the Committee on Homeland Security and Governmental Affairs of the Senate; and
(ii)
the Committee on Energy and Commerce, the Committee on Ways and Means, and the Committee on Homeland Security of the House of Representatives.
(B)
The report submitted under subparagraph (A) shall include— (i) a summary of the activities of the liaison appointed under paragraph (1);
(ii)
a description of any challenges to the effectiveness of the liaison appointed under paragraph (1) completing the required duties of the liaison; and
(iii)
a study of the feasibility of an agreement to improve cybersecurity in the public sector of healthcare.
(c)
(1)
The Agency shall coordinate with and make resources available to Information Sharing and Analysis Organizations, information sharing and analysis centers, the sector coordinating councils, and non-Federal entities that are receiving information shared through programs managed by the Department.
(2)
The coordination under paragraph (1) shall include— (A) developing products specific to the needs of Healthcare and Public Health Sector entities; and
(B)
sharing information relating to cyber threat indicators and appropriate defensive measures.
5.
Training for healthcare owners and operators
The Agency shall make available training to the owners and operators of covered assets on—
(1)
cybersecurity risks to the Healthcare and Public Health Sector and covered assets; and
(2)
ways to mitigate the risks to information systems in the Healthcare and Public Health Sector.
6.
Sector-specific risk management plan
(a)
Not later than 1 year after the date of enactment of this Act, the Secretary, in coordination with the Director, shall update the Plan, which shall include the following elements:
(1)
An analysis of how identified cybersecurity risks specifically impact covered assets, including the impact on rural and small- and medium-sized covered assets.
(2)
An evaluation of the challenges the owners and operators of covered assets face in—
(A)
securing— (i) updated information systems owned, leased, or relied upon by covered assets;
(ii)
medical devices or equipment owned, leased, or relied upon by covered assets, which shall include an analysis of the threat landscape and cybersecurity vulnerabilities of such medical devices or equipment; and
(iii)
sensitive patient health information and electronic health records;
(B)
implementing cybersecurity protocols; and (C) responding to data breaches or cybersecurity attacks, including the impact on patient access to care, quality of patient care, timeliness of health care delivery, and health outcomes.
(3)
An evaluation of the best practices for utilization of resources from the Agency to support covered assets before, during, and after data breaches or cybersecurity attacks, such as by Cyber Security Advisors and Cybersecurity State Coordinators of the Agency or other similar resources.
(4)
An assessment of relevant Healthcare and Public Health Sector cybersecurity workforce shortages, including—
(A)
training, recruitment, and retention issues; and (B) recommendations for how to address these shortages and issues, particularly at rural and small- and medium-sized covered assets.
(5)
An evaluation of the most accessible and timely ways for the Agency and the Department to communicate and deploy cybersecurity recommendations and tools to the owners and operators of covered assets.
(b)
Not later than 120 days after the date of enactment of this Act, the Secretary, in consultation with the Director, shall provide a briefing on the updating of the Plan under subsection (a) to—
(1)
the Committee on Health, Education, Labor, and Pensions, the Committee on Finance, and the Committee on Homeland Security and Governmental Affairs of the Senate; and
(2)
the Committee on Energy and Commerce, the Committee on Ways and Means, and the Committee on Homeland Security of the House of Representatives.
7.
Identifying high-risk covered assets
(a)
The Secretary, in consultation with the Director and health sector owners and operators, as appropriate, may establish objective criteria for determining whether a covered asset may be designated as a high-risk covered asset, provided that such criteria shall align with the methodology promulgated by the Director for identifying functions relating to critical infrastructure, as defined in section 1016(e) of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)), and associated risk assessments.
(b)
List of high-Risk covered assets
(1)
The Secretary may develop a list of, and notify, the owners and operators of each covered asset determined to be a high-risk covered asset using the methodology promulgated by the Director pursuant to subsection (a).
(2)
The Secretary may— (A) biannually review and update the list of high-risk covered assets developed under paragraph (1); and
(B)
notify the owners and operators of each covered asset added to or removed from the list as part of a review and update of the list under subparagraph (A).
(3)
The Secretary shall notify Congress when an initial list of high-risk covered assets is developed under paragraph (1) and each time the list is updated under paragraph (2).
(4)
The list developed and updated under this subsection may be used by the Department to prioritize resource allocation to high-risk covered assets to bolster cyber resilience.
8.
(a)
Report on assistance provided to
entities of Healthcare and Public Health Sector
Not later than 120 days after the date of enactment of this Act, the Agency shall submit to Congress a report on the organization-wide level of support and activities that the Agency has provided to the healthcare and public health sector to proactively prepare the sector to face cyber threats and respond to cyber attacks when such threats or attacks occur.
(b)
Report on critical infrastructure resources
Not later than 18 months after the date of enactment of this Act, the Comptroller General of the United States shall submit to Congress a report on Federal resources available, as of the date of enactment of this Act, for the Healthcare and Public Health Sector relating to critical infrastructure, as defined in section 1016(e) of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)), including resources available from recent and ongoing collaboration with the Director and the Secretary.
9.
(a)
Nothing in this Act shall be construed to authorize the Secretary or Director to take an action that is not authorized by this Act or existing law.
(b)
Nothing in this Act shall be construed to permit the violation of the rights of any individual protected by the Constitution of the United States, including through censorship of speech protected by the Constitution of the United States or unauthorized surveillance.
(c)
No additional funds are authorized to be appropriated for the purpose of carrying out this Act.