[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4191 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 4191

 To amend the Public Health Service Act to authorize the Secretary of 
Health and Human Services to designate an officer within the Department 
 of Health and Human Services as having primary responsibility for the 
    information security (including cybersecurity) programs of the 
                  Department, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 31, 2017

 Mr. Long (for himself and Ms. Matsui) introduced the following bill; 
       which was referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
 To amend the Public Health Service Act to authorize the Secretary of 
Health and Human Services to designate an officer within the Department 
 of Health and Human Services as having primary responsibility for the 
    information security (including cybersecurity) programs of the 
                  Department, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``HHS Cybersecurity Modernization 
Act''.

SEC. 2. INFORMATION SECURITY.

    (a) Authority To Designate Chief Information Security Officer.--
Title II of the Public Health Service Act is amended by inserting after 
section 229 of such Act (42 U.S.C. 237a) the following:

``SEC. 229A. AUTHORITY TO DESIGNATE CHIEF INFORMATION SECURITY OFFICER.

    ``Notwithstanding any other provision of law--
            ``(1) the Secretary may designate an officer within the 
        Department as having primary responsibility for the information 
        security (including cybersecurity) programs of the Department;
            ``(2) any such designated officer shall report directly to 
        the Secretary or directly to another senior officer within the 
        Department of the Secretary's choosing; and
            ``(3) the Secretary may transfer the functions, personnel, 
        assets, and liabilities of the Chief Information Security 
        Officer in the Office of the Chief Information Officer of the 
        Department of Health and Human Services, as such position 
        exists on September 30, 2017, to such designated officer.''.
    (b) Report.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Secretary of Health and Human 
        Services shall develop and submit to the Committee on Energy 
        and Commerce of the House of Representatives and the Committee 
        on Health, Education, Labor, and Pensions of the Senate a plan 
        on the role of the Department of Health and Human Services (in 
        this subsection referred to as the ``Department'') in preparing 
        for and responding to cybersecurity threats.
            (2) Contents.--The plan under paragraph (1) shall--
                    (A) differentiate between--
                            (i) the responsibilities of the Department 
                        overall and each of its agencies and offices in 
                        maintaining the security and integrity of their 
                        respective information systems; and
                            (ii) the responsibilities of the Department 
                        overall and each of its agencies and offices in 
                        regulating and providing guidance, information, 
                        education, training, and assistance to the 
                        health care sector;
                    (B) specify how the Department overall and each of 
                its agencies and offices delineates between the 
                responsibilities described in subparagraph (A)(i) and 
                those described in subparagraph (A)(ii) through 
                organization, personnel, policies, and procedures;
                    (C) address the coordination of the 
                responsibilities described in subparagraph (A)(i) and 
                those described in subparagraph (A)(ii) across the 
                agencies and offices of the Department;
                    (D) address any types of conflicts that can arise 
                (within the Department or the health care sector) 
                because of the Department having both the 
                responsibilities described in subparagraph (A)(i) and 
                those described in subparagraph (A)(ii);
                    (E) differentiate between--
                            (i) the role of the Department in 
                        regulating the health care sector; and
                            (ii) the role of the Department as a 
                        Sector-Specific Agency for the health care 
                        sector under Presidential Policy Directive 21 
                        (signed on February 12, 2013); and
                    (F) specify how the Department delineates between 
                the role described in subparagraph (E)(i) and the role 
                described in subparagraph (E)(ii) through organization, 
                personnel, policies, and procedures.
    (c) No Additional Appropriations Authorized.--No additional funds 
are authorized to be appropriated to carry out this Act, or the 
amendments made by this Act. This Act, and the amendments made by this 
Act, shall be carried out using amounts otherwise authorized or 
appropriated.