

115 HR 4191 IH: HHS Cybersecurity Modernization Act
U.S. House of Representatives
2017-10-31
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



115th CONGRESS
1st Session
H. R. 4191

IN THE HOUSE OF REPRESENTATIVES

October 31, 2017

Mr. Long (for himself and Ms. Matsui) introduced the following bill; which was referred to the Committee on Energy and Commerce

A BILL

To amend the Public Health Service Act to authorize the Secretary of Health and Human Services to designate an officer within the Department of Health and Human Services as having primary responsibility for the information security (including cybersecurity) programs of the Department, and for other purposes.
	
 1. Short title. This Act may be cited as the HHS Cybersecurity Modernization Act.

 2. Information security
 (a) Authority To designate chief information security officer. Title II of the Public Health Service Act is amended by inserting after section 229 of such Act (42 U.S.C. 237a) the following:

 229A. Authority to designate chief information security officer. Notwithstanding any other provision of law—
 (1) the Secretary may designate an officer within the Department as having primary responsibility for the information security (including cybersecurity) programs of the Department;
 (2) any such designated officer shall report directly to the Secretary or directly to another senior officer within the Department of the Secretary’s choosing; and
 (3) the Secretary may transfer the functions, personnel, assets, and liabilities of the Chief Information Security Officer in the Office of the Chief Information Officer of the Department of Health and Human Services, as such position exists on September 30, 2017, to such designated officer.

 (b) Report
 (1) In general. Not later than 1 year after the date of enactment of this Act, the Secretary of Health and Human Services shall develop and submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Health, Education, Labor, and Pensions of the Senate a plan on the role of the Department of Health and Human Services (in this subsection referred to as the Department) in preparing for and responding to cybersecurity threats.
 (2) Contents. The plan under paragraph (1) shall—
 (A) differentiate between—
 (i) the responsibilities of the Department overall and each of its agencies and offices in maintaining the security and integrity of their respective information systems; and
 (ii) the responsibilities of the Department overall and each of its agencies and offices in regulating and providing guidance, information, education, training, and assistance to the health care sector;
 (B) specify how the Department overall and each of its agencies and offices delineates between the responsibilities described in subparagraph (A)(i) and those described in subparagraph (A)(ii) through organization, personnel, policies, and procedures;
 (C) address the coordination of the responsibilities described in subparagraph (A)(i) and those described in subparagraph (A)(ii) across the agencies and offices of the Department;
 (D) address any types of conflicts that can arise (within the Department or the health care sector) because of the Department having both the responsibilities described in subparagraph (A)(i) and those described in subparagraph (A)(ii);
 (E) differentiate between—
 (i) the role of the Department in regulating the health care sector; and
 (ii) the role of the Department as a Sector-Specific Agency for the health care sector under Presidential Policy Directive 21 (signed on February 12, 2013); and
 (F) specify how the Department delineates between the role described in subparagraph (E)(i) and the role described in subparagraph (E)(ii) through organization, personnel, policies, and procedures.
 (c) No additional appropriations authorized. No additional funds are authorized to be appropriated to carry out this Act, or the amendments made by this Act. This Act, and the amendments made by this Act, shall be carried out using amounts otherwise authorized or appropriated.
			