[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3904 Reported in Senate (RS)]

                                                       Calendar No. 527
117th CONGRESS
  2d Session
                                S. 3904

                          [Report No. 117-177]

   To enhance the cybersecurity of the Healthcare and Public Health 
                                Sector.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 23, 2022

   Ms. Rosen (for herself, Mr. Cassidy, Ms. Hassan, Mr. Ossoff, Mr. 
 Tillis, Mrs. Feinstein, and Mr. King) introduced the following bill; 
which was read twice and referred to the Committee on Homeland Security 
                        and Governmental Affairs

                            October 18, 2022

  Reported under authority of the order of the Senate of October 14, 
  2022, by Mr. Peters, with an amendment and an amendment to the title
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
   To enhance the cybersecurity of the Healthcare and Public Health 
                                Sector.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Healthcare Cybersecurity 
Act of 2022''.</DELETED>

<DELETED>SEC. 2. DEFINITIONS.</DELETED>

<DELETED>    In this Act--</DELETED>
        <DELETED>    (1) the term ``Agency'' means the Cybersecurity 
        and Infrastructure Security Agency;</DELETED>
        <DELETED>    (2) the term ``Cybersecurity State Coordinator'' 
        means a Cybersecurity State Coordinator appointed under section 
        2217(a) of the Homeland Security Act of 2002 (6 U.S.C. 
        665c(a));</DELETED>
        <DELETED>    (3) the term ``Department'' means the Department 
        of Health and Human Services;</DELETED>
        <DELETED>    (4) the term ``Director'' means the Director of 
        the Agency;</DELETED>
        <DELETED>    (5) the term ``Healthcare and Public Health 
        Sector'' means the Healthcare and Public Health sector, as 
        identified in Presidential Policy Directive 21 (February 12, 
        2013; relating to critical infrastructure security and 
        resilience);</DELETED>
        <DELETED>    (6) the term ``Information Sharing and Analysis 
        Organizations'' has the meaning given that term in section 2222 
        of the Homeland Security Act of 2002 (6 U.S.C. 671); 
        and</DELETED>
        <DELETED>    (7) the term ``Secretary'' means the Secretary of 
        Health and Human Services.</DELETED>

<DELETED>SEC. 3. FINDINGS.</DELETED>

<DELETED>    Congress finds the following:</DELETED>
        <DELETED>    (1) Healthcare and Public Health Sector assets are 
        increasingly the targets of malicious cyberattacks, which 
        result not only in data breaches, but also increased healthcare 
        delivery costs, and can ultimately affect patient health 
        outcomes.</DELETED>
        <DELETED>    (2) Data reported to the Department shows that 
        almost every month in 2020, more than 1,000,000 people were 
        affected by data breaches at healthcare organizations. 
        Cyberattacks on healthcare facilities rose 55 percent in 2020, 
        and these attacks also resulted in a 16 percent increase in the 
        average cost of recovering a patient record in 2020, as 
        compared to 2019.</DELETED>
        <DELETED>    (3) According to data from the Office for Civil 
        Rights of the Department, health information breaches have 
        increased since 2016, and in 2020 alone, the Department 
        reported 663 breaches on covered entities, as defined under the 
        Health Insurance Portability and Accountability Act of 1996 
        (Public Law 104-191), affecting more than 500 people, with over 
        33,000,000 total people affected by health information 
        breaches.</DELETED>

<DELETED>SEC. 4. AGENCY COLLABORATION WITH THE DEPARTMENT.</DELETED>

<DELETED>    (a) In General.--The Agency shall collaborate with the 
Department, including by entering into an agreement, as appropriate, to 
improve cybersecurity in the Healthcare and Public Health 
Sector.</DELETED>
<DELETED>    (b) Assistance.--</DELETED>
        <DELETED>    (1) In general.--The Agency shall coordinate with 
        and make resources available to Information Sharing and 
        Analysis Organizations, information sharing and analysis 
        centers, and non-Federal entities that are receiving 
        information shared through programs managed by the 
        Department.</DELETED>
        <DELETED>    (2) Scope.--The coordination under paragraph (1) 
        shall include--</DELETED>
                <DELETED>    (A) developing products specific to the 
                needs of Healthcare and Public Health Sector entities; 
                and</DELETED>
                <DELETED>    (B) sharing information relating to cyber 
                threat indicators and appropriate defensive 
                measures.</DELETED>

<DELETED>SEC. 5. TRAINING FOR HEALTHCARE EXPERTS.</DELETED>

<DELETED>    The Cyber Security Advisors and Cybersecurity State 
Coordinators of the Agency shall, in coordination, as appropriate, with 
private sector healthcare experts, provide training to Healthcare and 
Public Health Sector asset owners and operators on--</DELETED>
        <DELETED>    (1) cybersecurity risks to the Healthcare and 
        Public Health Sector and assets within the sector; 
        and</DELETED>
        <DELETED>    (2) ways to mitigate the risks to information 
        systems in the Healthcare and Public Health Sector.</DELETED>

<DELETED>SEC. 6. SECTOR-SPECIFIC STUDY AND REPORT.</DELETED>

<DELETED>    (a) In General.--Not later than 1 year after the date of 
enactment of this Act, the Director, in consultation with the 
Secretary, shall conduct a study and issue a report, which shall 
include the following elements:</DELETED>
        <DELETED>    (1) An analysis of how identified cybersecurity 
        risks specifically impact Healthcare and Public Health Sector 
        assets, including the impact on rural and small and medium-
        sized Healthcare and Public Health Sector assets.</DELETED>
        <DELETED>    (2) An evaluation of the challenges Healthcare and 
        Public Health Sector assets face in--</DELETED>
                <DELETED>    (A) securing--</DELETED>
                        <DELETED>    (i) updated information systems 
                        owned, leased, or relied upon by Healthcare and 
                        Public Health Sector assets;</DELETED>
                        <DELETED>    (ii) medical devices or equipment 
                        owned, leased, or relied upon by Healthcare and 
                        Public Health Sector assets, which shall 
                        include an analysis of the threat landscape and 
                        cybersecurity vulnerabilities of such medical 
                        devices or equipment; and</DELETED>
                        <DELETED>    (iii) sensitive patient health 
                        information and electronic health 
                        records;</DELETED>
                <DELETED>    (B) implementing cybersecurity protocols; 
                and</DELETED>
                <DELETED>    (C) responding to data breaches or 
                cybersecurity attacks, including the impact on patient 
                access to care, quality of patient care, timeliness of 
                health care delivery, and health outcomes.</DELETED>
        <DELETED>    (3) An evaluation of best practices for the 
        deployment of trained Cyber Security Advisors and Cybersecurity 
        State Coordinators of the Agency into Healthcare and Public 
        Health Sector assets before, during, and after data breaches or 
        cybersecurity attacks.</DELETED>
        <DELETED>    (4) An assessment of relevant Healthcare and 
        Public Health Sector cybersecurity workforce shortages, 
        including--</DELETED>
                <DELETED>    (A) training, recruitment, and retention 
                issues; and</DELETED>
                <DELETED>    (B) recommendations for how to address 
                these shortages and issues, particularly at rural and 
                small and medium-sized Healthcare and Public Health 
                Sector assets.</DELETED>
        <DELETED>    (5) An identification of cybersecurity challenges 
        related to or brought on by the public health emergency 
        declared by the Secretary under section 319 of the Public 
        Health Service Act (42 U.S.C. 247d) on January 27, 2020, with 
        respect to COVID-19.</DELETED>
        <DELETED>    (6) An evaluation of the most accessible and 
        timely ways for the Agency and the Department to communicate 
        and deploy cybersecurity recommendations and tools to 
        Healthcare and Public Health Sector assets.</DELETED>
<DELETED>    (b) Report Transmittal.--Not later than 60 days after 
completing the study and report required under subsection (a), the 
Director shall present the completed report to the Secretary, which the 
Secretary may, in consultation with the Director, consult when updating 
the Healthcare and Public Health Sector Specific Plan of the 
Secretary.</DELETED>
<DELETED>    (c) Congressional Briefing.--Not later than 120 days after 
the date of enactment of this Act, the Director, in consultation with 
the Secretary, as appropriate, shall provide a briefing on the status 
of the study and report required under subsection (a) to--</DELETED>
        <DELETED>    (1) the Committee on Health, Education, Labor, and 
        Pensions and the Committee on Homeland Security and 
        Governmental Affairs of the Senate; and</DELETED>
        <DELETED>    (2) the Committee on Energy and Commerce and the 
        Committee on Homeland Security of the House of 
        Representatives.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Healthcare Cybersecurity Act of 
2022''.

SEC. 2. DEFINITIONS.

    In this Act--
            (1) the term ``Agency'' means the Cybersecurity and 
        Infrastructure Security Agency;
            (2) the term ``Cybersecurity State Coordinator'' means a 
        Cybersecurity State Coordinator appointed under section 2217(a) 
        of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
            (3) the term ``Department'' means the Department of Health 
        and Human Services;
            (4) the term ``Director'' means the Director of the Agency;
            (5) the term ``Healthcare and Public Health Sector'' means 
        the Healthcare and Public Health sector, as identified in 
        Presidential Policy Directive 21 (February 12, 2013; relating 
        to critical infrastructure security and resilience);
            (6) the term ``Information Sharing and Analysis 
        Organizations'' has the meaning given that term in section 2222 
        of the Homeland Security Act of 2002 (6 U.S.C. 671); and
            (7) the term ``Secretary'' means the Secretary of Health 
        and Human Services.

SEC. 3. FINDINGS.

    Congress finds the following:
            (1) Healthcare and Public Health Sector assets are 
        increasingly the targets of malicious cyberattacks, which 
        result not only in data breaches, but also increased healthcare 
        delivery costs, and can ultimately affect patient health 
        outcomes.
            (2) Data reported to the Department shows that almost every 
        month in 2020, more than 1,000,000 people were affected by data 
        breaches at healthcare organizations. Cyberattacks on 
        healthcare facilities rose 55 percent in 2020, and these 
        attacks also resulted in a 16 percent increase in the average 
        cost of recovering a patient record in 2020, as compared to 
        2019.
            (3) According to data from the Office for Civil Rights of 
        the Department, health information breaches have increased 
        since 2016, and in 2020 alone, the Department reported 663 
        breaches on covered entities, as defined under the Health 
        Insurance Portability and Accountability Act of 1996 (Public 
        Law 104-191), affecting more than 500 people, with over 
        33,000,000 total people affected by health information 
        breaches.

SEC. 4. AGENCY COORDINATION WITH THE DEPARTMENT.

    (a) In General.--The Agency and the Department shall coordinate, 
including by entering into an agreement, as appropriate, to improve 
cybersecurity in the Healthcare and Public Health Sector.
    (b) Assistance.--
            (1) In general.--The Agency shall coordinate with and make 
        resources available to Information Sharing and Analysis 
        Organizations, information sharing and analysis centers, and 
        non-Federal entities that are receiving information shared 
        through programs managed by the Department.
            (2) Scope.--The coordination under paragraph (1) shall 
        include--
                    (A) developing products specific to the needs of 
                Healthcare and Public Health Sector entities; and
                    (B) sharing information relating to cyber threat 
                indicators and appropriate defensive measures.

SEC. 5. TRAINING FOR HEALTHCARE EXPERTS.

    The Secretary, in coordination with the Cyber Security Advisors and 
Cybersecurity State Coordinators of the Agency and private sector 
healthcare experts, as appropriate, shall provide training to 
Healthcare and Public Health Sector asset owners and operators on--
            (1) cybersecurity risks to the Healthcare and Public Health 
        Sector and assets within the sector; and
            (2) ways to mitigate the risks to information systems in 
        the Healthcare and Public Health Sector.

SEC. 6. SECTOR-SPECIFIC PLAN.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Secretary, in coordination with the Director, shall 
update the Healthcare and Public Health Sector Specific Plan (referred 
to in this section as the ``Plan''), which shall include the following 
elements:
            (1) An analysis of how identified cybersecurity risks 
        specifically impact Healthcare and Public Health Sector assets, 
        including the impact on rural and small and medium-sized 
        Healthcare and Public Health Sector assets.
            (2) An evaluation of the challenges Healthcare and Public 
        Health Sector assets face in--
                    (A) securing--
                            (i) updated information systems owned, 
                        leased, or relied upon by Healthcare and Public 
                        Health Sector assets;
                            (ii) medical devices or equipment owned, 
                        leased, or relied upon by Healthcare and Public 
                        Health Sector assets, which shall include an 
                        analysis of the threat landscape and 
                        cybersecurity vulnerabilities of such medical 
                        devices or equipment; and
                            (iii) sensitive patient health information 
                        and electronic health records;
                    (B) implementing cybersecurity protocols; and
                    (C) responding to data breaches or cybersecurity 
                attacks, including the impact on patient access to 
                care, quality of patient care, timeliness of health 
                care delivery, and health outcomes.
            (3) An evaluation of best practices for the deployment of 
        trained Cyber Security Advisors and Cybersecurity State 
        Coordinators of the Agency into Healthcare and Public Health 
        Sector assets before, during, and after data breaches or 
        cybersecurity attacks.
            (4) An assessment of relevant Healthcare and Public Health 
        Sector cybersecurity workforce shortages, including--
                    (A) training, recruitment, and retention issues; 
                and
                    (B) recommendations for how to address these 
                shortages and issues, particularly at rural and small 
                and medium-sized Healthcare and Public Health Sector 
                assets.
            (5) An identification of cybersecurity challenges related 
        to or brought on by the public health emergency declared by the 
        Secretary under section 319 of the Public Health Service Act 
        (42 U.S.C. 247d) on January 27, 2020, with respect to COVID-19.
            (6) An evaluation of the most accessible and timely ways 
        for the Agency and the Department to communicate and deploy 
        cybersecurity recommendations and tools to Healthcare and 
        Public Health Sector assets.
    (b) Congressional Briefing.--Not later than 120 days after the date 
of enactment of this Act, the Secretary, in consultation with the 
Director, shall provide a briefing on the updating of the Plan under 
subsection (a) to--
            (1) the Committee on Health, Education, Labor, and Pensions 
        and the Committee on Homeland Security and Governmental Affairs 
        of the Senate; and
            (2) the Committee on Energy and Commerce and the Committee 
        on Homeland Security of the House of Representatives.

    Amend the title so as to read: ``A bill to enhance the cybersecurity 
of the Healthcare and Public Health Sector and update the Healthcare and 
Public Health Sector Specific Plan.''.