[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 9412 Introduced in House (IH)]

<DOC>






118th CONGRESS
  2d Session
                                H. R. 9412

   To enhance the cybersecurity of the Healthcare and Public Health 
                                Sector.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            August 27, 2024

Mr. Crow (for himself, Mr. Fitzpatrick, Mr. Kim of New Jersey, and Ms. 
   Salazar) introduced the following bill; which was referred to the 
  Committee on Homeland Security, and in addition to the Committee on 
Energy and Commerce, for a period to be subsequently determined by the 
  Speaker, in each case for consideration of such provisions as fall 
           within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
   To enhance the cybersecurity of the Healthcare and Public Health 
                                Sector.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Healthcare Cybersecurity Act of 
2024''.

SEC. 2. DEFINITIONS.

    In this Act--
            (1) the term ``Agency'' means the Cybersecurity and 
        Infrastructure Security Agency;
            (2) the term ``covered asset'' means a Healthcare and 
        Public Health Sector asset, including technologies, services, 
        and utilities;
            (3) the term ``Cybersecurity State Coordinator'' means a 
        Cybersecurity State Coordinator appointed under section 2217(a) 
        of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
            (4) the term ``Department'' means the Department of Health 
        and Human Services;
            (5) the term ``Director'' means the Director of the Agency;
            (6) the term ``Healthcare and Public Health Sector'' means 
        the Healthcare and Public Health sector, as identified in the 
        National Security Memorandum on Critical Infrastructure and 
        Resilience (NSM-22), issued April 30, 2024;
            (7) the term ``Information Sharing and Analysis 
        Organizations'' has the meaning given that term in section 2200 
        of the Homeland Security Act of 2002 (6 U.S.C. 650);
            (8) the term ``Plan'' means the Healthcare and Public 
        Health Sector-specific Risk Management Plan; and
            (9) the term ``Secretary'' means the Secretary of Health 
        and Human Services.

SEC. 3. FINDINGS.

    Congress finds the following:
            (1) Covered assets are increasingly the targets of 
        malicious cyberattacks, which result not only in data breaches, 
        but also increased healthcare delivery costs, and can 
        ultimately affect patient health outcomes.
            (2) Data reported to the Department shows that large cyber 
        breaches of the information systems of healthcare facilities 
        rose 93 percent between 2018 to 2022.
            (3) According to the ``Annual Report to Congress on 
        Breaches of Unsecured Protected Health Information for Calendar 
        Year 2022'' issued by the Office for Civil Rights of the 
        Department, breaches of unsecured protected health information 
        have increased 107 percent since 2018, and, in 2022 alone, the 
        Department received 626 reported breaches affecting not less 
        than 500 individuals at covered entities or business 
        associates, (as defined in section 160.103 of title 45, Code of 
        Federal Regulations), that occurred or ended in 2022, with 
        nearly 42,000,000 individuals affected.

SEC. 4. AGENCY COORDINATION WITH THE DEPARTMENT.

    (a) In General.--The Agency shall coordinate with the Department to 
improve cybersecurity in the Healthcare and Public Health Sector.
    (b) Agency Liaison to the Department.--
            (1) Appointment.--The Director shall, in coordination with 
        the Secretary, appoint an individual, who shall be an employee 
        of the Agency or a detailee assigned to the Administration for 
        Strategic Preparedness and Response Office of the Department by 
        the Director, to serve as a liaison of the Agency to the 
        Department, who shall--
                    (A) have appropriate cybersecurity qualifications 
                and expertise; and
                    (B) report directly to the Director.
            (2) Responsibilities and duties.--The liaison appointed 
        under paragraph (1) shall--
                    (A) serve as a primary contact of the Department to 
                coordinate cybersecurity issues with the Agency;
                    (B) support the implementation and execution of the 
                Plan and assist in the development of updates to the 
                Plan;
                    (C) facilitate the sharing of cyber threat 
                information between the Department and the Agency to 
                improve understanding of cybersecurity risks and 
                situational awareness of cybersecurity incidents;
                    (D) assist in implementing the training described 
                in section 5;
                    (E) facilitate coordination between the Agency and 
                the Department during cybersecurity incidents within 
                the Healthcare and Public Health Sector; and
                    (F) perform such other duties as determined 
                necessary by the Secretary to achieve the goal of 
                improving the cybersecurity of the Healthcare and 
                Public Health Sector.
            (3) Report.--
                    (A) Requirement.--Not later than 18 months after 
                the date of enactment of this Act, the Secretary, in 
                coordination with the Director, shall submit a report 
                that describes the activities undertaken to improve 
                cybersecurity coordination between the Agency and the 
                Department to--
                            (i) the Committee on Health, Education, 
                        Labor, and Pensions, the Committee on Finance, 
                        and the Committee on Homeland Security and 
                        Governmental Affairs of the Senate; and
                            (ii) the Committee on Energy and Commerce, 
                        the Committee on Ways and Means, and the 
                        Committee on Homeland Security of the House of 
                        Representatives.
                    (B) Contents.--The report submitted under 
                subparagraph (A) shall include--
                            (i) a summary of the activities of the 
                        liaison appointed under paragraph (1);
                            (ii) a description of any challenges to the 
                        effectiveness of the liaison appointed under 
                        paragraph (1) completing the required duties of 
                        the liaison; and
                            (iii) a study of the feasibility of an 
                        agreement to improve cybersecurity in the 
                        public sector of healthcare.
    (c) Resources.--
            (1) In general.--The Agency shall coordinate with and make 
        resources available to Information Sharing and Analysis 
        Organizations, information sharing and analysis centers, the 
        sector coordinating councils, and non-Federal entities that are 
        receiving information shared through programs managed by the 
        Department.
            (2) Scope.--The coordination under paragraph (1) shall 
        include--
                    (A) developing products specific to the needs of 
                Healthcare and Public Health Sector entities; and
                    (B) sharing information relating to cyber threat 
                indicators and appropriate defensive measures.

SEC. 5. TRAINING FOR HEALTHCARE OWNERS AND OPERATORS.

    The Agency shall make available training to the owners and 
operators of covered assets on--
            (1) cybersecurity risks to the Healthcare and Public Health 
        Sector and covered assets; and
            (2) ways to mitigate the risks to information systems in 
        the Healthcare and Public Health Sector.

SEC. 6. SECTOR-SPECIFIC RISK MANAGEMENT PLAN.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Secretary, in coordination with the Director, shall 
update the Plan, which shall include the following elements:
            (1) An analysis of how identified cybersecurity risks 
        specifically impact covered assets, including the impact on 
        rural and small and medium-sized covered assets.
            (2) An evaluation of the challenges the owners and 
        operators of covered assets face in--
                    (A) securing--
                            (i) updated information systems owned, 
                        leased, or relied upon by covered assets;
                            (ii) medical devices or equipment owned, 
                        leased, or relied upon by covered assets, which 
                        shall include an analysis of the threat 
                        landscape and cybersecurity vulnerabilities of 
                        such medical devices or equipment; and
                            (iii) sensitive patient health information 
                        and electronic health records;
                    (B) implementing cybersecurity protocols; and
                    (C) responding to data breaches or cybersecurity 
                attacks, including the impact on patient access to 
                care, quality of patient care, timeliness of health 
                care delivery, and health outcomes.
            (3) An evaluation of the best practices for utilization of 
        resources from the Agency to support covered assets before, 
        during and after data breaches or cybersecurity attacks, such 
        as by Cyber Security Advisors and Cybersecurity State 
        Coordinators of the Agency or other similar resources.
            (4) An assessment of relevant Healthcare and Public Health 
        Sector cybersecurity workforce shortages, including--
                    (A) training, recruitment, and retention issues; 
                and
                    (B) recommendations for how to address these 
                shortages and issues, particularly at rural and small 
                and medium-sized covered assets.
            (5) An evaluation of the most accessible and timely ways 
        for the Agency and the Department to communicate and deploy 
        cybersecurity recommendations and tools to the owners and 
        operators of covered assets.
    (b) Congressional Briefing.--Not later than 120 days after the date 
of enactment of this Act, the Secretary, in consultation with the 
Director, shall provide a briefing on the updating of the Plan under 
subsection (a) to--
            (1) the Committee on Health, Education, Labor, and 
        Pensions, the Committee on Finance, and the Committee on 
        Homeland Security and Governmental Affairs of the Senate; and
            (2) the Committee on Energy and Commerce, the Committee on 
        Ways and Means, and the Committee on Homeland Security of the 
        House of Representatives.

SEC. 7. IDENTIFYING HIGH-RISK COVERED ASSETS.

    (a) In General.--The Secretary, in consultation with the Director 
and health sector owners and operators, as appropriate, may establish 
objective criteria for determining whether a covered asset may be 
designated as a high-risk covered asset, provided that such criteria 
shall align with the methodology promulgated by the Director for 
identifying functions relating to critical infrastructure, as defined 
in section 1016(e) of the Critical Infrastructure Protection Act of 
2001 (42 U.S.C. 5195c(e)), and associated risk assessments.
    (b) List of High-Risk Covered Assets.--
            (1) In general.--The Secretary may develop a list of, and 
        notify, the owners and operators of each covered asset 
        determined to be a high-risk covered asset using the 
        methodology promulgated by the Director pursuant to subsection 
        (a).
            (2) Biannual updating.--The Secretary may--
                    (A) biannually review and update the list of high-
                risk covered assets developed under paragraph (1); and
                    (B) notify the owners and operators of each covered 
                asset added to or removed from the list as part of a 
                review and update of the list under subparagraph (A).
            (3) Notice to congress.--The Secretary shall notify 
        Congress when an initial list of high-risk covered assets is 
        developed under paragraph (1) and each time the list is updated 
        under paragraph (2).
            (4) Use.--The list developed and updated under this 
        subsection may be used by the Department to prioritize resource 
        allocation to high-risk covered assets to bolster cyber 
        resilience.

SEC. 8. REPORTS.

    (a) Report on Assistance Provided to Entities of Healthcare and 
Public Health Sector.--Not later than 120 days after the date of 
enactment of this Act, the Agency shall submit to Congress a report on 
the organization-wide level of support and activities that the Agency 
has provided to the healthcare and public health sector to proactively 
prepare the sector to face cyber threats and respond to cyber attacks 
when such threats or attacks occur.
    (b) Report on Critical Infrastructure Resources.--Not later than 18 
months after the date of enactment of this Act, the Comptroller General 
of the United States shall submit to Congress a report on Federal 
resources available, as of the date of enactment of this Act, for the 
Healthcare and Public Health Sector relating to critical 
infrastructure, as defined in section 1016(e) of the Critical 
Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)), including 
resources available from recent and ongoing collaboration with the 
Director and the Secretary.

SEC. 9. RULES OF CONSTRUCTION.

    (a) Agency Actions.--Nothing in this Act shall be construed to 
authorize the Secretary or Director to take an action that is not 
authorized by this Act or existing law.
    (b) Protection of Rights.--Nothing in this Act shall be construed 
to permit the violation of the rights of any individual protected by 
the Constitution of the United States, including through censorship of 
speech protected by the Constitution of the United States or 
unauthorized surveillance.
    (c) No Additional Funds.--No additional funds are authorized to be 
appropriated for the purpose of carrying out this Act.
                                 <all>