[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 4697 Introduced in Senate (IS)]

118th CONGRESS
  2d Session
                                S. 4697

   To enhance the cybersecurity of the Healthcare and Public Health 
                                Sector.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                July 11 (legislative day, July 10), 2024

    Ms. Rosen (for herself, Mr. Young, and Mr. King) introduced the 
 following bill; which was read twice and referred to the Committee on 
               Homeland Security and Governmental Affairs

_______________________________________________________________________

                                 A BILL


 
   To enhance the cybersecurity of the Healthcare and Public Health 
                                Sector.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Healthcare Cybersecurity Act of 
2024''.

SEC. 2. DEFINITIONS.

    In this Act--
            (1) the term ``Agency'' means the Cybersecurity and 
        Infrastructure Security Agency;
            (2) the term ``covered asset'' means a Healthcare and 
        Public Health Sector asset, including technologies, services, 
        and utilities;
            (3) the term ``Cybersecurity State Coordinator'' means a 
        Cybersecurity State Coordinator appointed under section 2217(a) 
        of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
            (4) the term ``Department'' means the Department of Health 
        and Human Services;
            (5) the term ``Director'' means the Director of the Agency;
            (6) the term ``Healthcare and Public Health Sector'' means 
        the Healthcare and Public Health sector, as identified in 
        Presidential Policy Directive 21 (February 12, 2013; relating 
        to critical infrastructure security and resilience);
            (7) the term ``Information Sharing and Analysis 
        Organizations'' has the meaning given that term in section 2200 
        of the Homeland Security Act of 2002 (6 U.S.C. 650);
            (8) the term ``Plan'' means the Healthcare and Public 
        Health Sector Specific Plan; and
            (9) the term ``Secretary'' means the Secretary of Health 
        and Human Services.

SEC. 3. FINDINGS.

    Congress finds the following:
            (1) Covered assets are increasingly the targets of 
        malicious cyberattacks, which result not only in data breaches, 
        but also increased healthcare delivery costs, and can 
        ultimately affect patient health outcomes.
            (2) Data reported to the Department shows that large cyber 
        breaches of the information systems of healthcare facilities 
        rose 93 percent between 2018 and 2022.
            (3) According to data from the Office for Civil Rights of 
        the Department, health information breaches have increased 
        since 2016, and in 2022 alone, the Department reported 626 
        breaches on covered entities, as defined under the Health 
        Insurance Portability and Accountability Act of 1996 (Public 
        Law 104-191), affecting more than 500 people, with nearly 
        42,000,000 total people affected by health information 
        breaches.

SEC. 4. AGENCY COORDINATION WITH THE DEPARTMENT.

    (a) In General.--The Agency shall coordinate with the Department, 
including by entering into an agreement, as appropriate, to improve 
cybersecurity in the Healthcare and Public Health Sector.
    (b) Agency Liaison to the Department.--
            (1) Appointment.--The Director shall, in coordination with 
        the Secretary, appoint an individual, who shall be an employee 
        of the Agency or a detailee assigned to the Department by the 
        Director, to serve as the liaison of the Agency to the 
        Department, who shall--
                    (A) have appropriate cybersecurity qualifications 
                and expertise; and
                    (B) report directly to the Director.
            (2) Responsibilities and duties.--The liaison appointed 
        under paragraph (1) shall--
                    (A) provide to the owners and operators of covered 
                assets technical assistance regarding, information on, 
                and best practices relating to improving cybersecurity;
                    (B) serve as a primary contact of the Department to 
                coordinate cybersecurity issues with the Agency;
                    (C) support the implementation and execution of the 
                Plan and assist in the development of updates to the 
                Plan;
                    (D) facilitate the sharing of cyber threat 
                information to improve understanding of cybersecurity 
                risks and situational awareness of cybersecurity 
                incidents;
                    (E) manage the implementation of the agreement 
                entered into under subsection (a);
                    (F) implement the training described in section 5;
                    (G) coordinate between the Agency and the 
                Department during cybersecurity incidents within the 
                Healthcare and Public Health Sector; and
                    (H) perform such other duties as determined 
                necessary by the Secretary to achieve the goal of 
                improving the cybersecurity of the Healthcare and 
                Public Health Sector.
            (3) Report.--Not later than 18 months after the date of 
        enactment of this Act, the liaison appointed under paragraph 
        (1), in consultation with the Secretary and the Director, shall 
        submit a report that describes the activities undertaken to 
        improve cybersecurity coordination between the Agency and the 
        Department to--
                    (A) the Committee on Health, Education, Labor, and 
                Pensions, the Committee on Finance, and the Committee 
                on Homeland Security and Governmental Affairs of the 
                Senate; and
                    (B) the Committee on Energy and Commerce, the 
                Committee on Ways and Means, and the Committee on 
                Homeland Security of the House of Representatives.
    (c) Assistance.--
            (1) In general.--The Agency shall coordinate with and make 
        resources available to Information Sharing and Analysis 
        Organizations, information sharing and analysis centers, the 
        sector coordinating councils, and non-Federal entities that are 
        receiving information shared through programs managed by the 
        Department.
            (2) Scope.--The coordination under paragraph (1) shall 
        include--
                    (A) developing products specific to the needs of 
                Healthcare and Public Health Sector entities; and
                    (B) sharing information relating to cyber threat 
                indicators and appropriate defensive measures.

SEC. 5. TRAINING FOR HEALTHCARE EXPERTS.

    The Cyber Security Advisors and Cybersecurity State Coordinators of 
the Agency shall, in coordination, as appropriate, with the liaison 
appointed under section 4(b)(1) and private sector healthcare experts, 
provide training to the owners and operators of covered assets on--
            (1) cybersecurity risks to the Healthcare and Public Health 
        Sector and covered assets; and
            (2) ways to mitigate the risks to information systems in 
        the Healthcare and Public Health Sector.

SEC. 6. SECTOR-SPECIFIC PLAN.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Secretary, in coordination with the Director, shall 
update the Plan, which shall include the following elements:
            (1) An analysis of how identified cybersecurity risks 
        specifically impact covered assets, including the impact on 
        rural and small and medium-sized covered assets.
            (2) An evaluation of the challenges the owners and 
        operators of covered assets face in--
                    (A) securing--
                            (i) updated information systems owned, 
                        leased, or relied upon by covered assets;
                            (ii) medical devices or equipment owned, 
                        leased, or relied upon by covered assets, which 
                        shall include an analysis of the threat 
                        landscape and cybersecurity vulnerabilities of 
                        such medical devices or equipment; and
                            (iii) sensitive patient health information 
                        and electronic health records;
                    (B) implementing cybersecurity protocols; and
                    (C) responding to data breaches or cybersecurity 
                attacks, including the impact on patient access to 
                care, quality of patient care, timeliness of health 
                care delivery, and health outcomes.
            (3) An evaluation of best practices for the deployment of 
        trained Cyber Security Advisors and Cybersecurity State 
        Coordinators of the Agency into covered assets before, during, 
        and after data breaches or cybersecurity attacks.
            (4) An assessment of relevant Healthcare and Public Health 
        Sector cybersecurity workforce shortages, including--
                    (A) training, recruitment, and retention issues; 
                and
                    (B) recommendations for how to address these 
                shortages and issues, particularly at rural and small 
                and medium-sized covered assets.
            (5) An evaluation of the most accessible and timely ways 
        for the Agency and the Department to communicate and deploy 
        cybersecurity recommendations and tools to the owners and 
        operators of covered assets.
    (b) Congressional Briefing.--Not later than 120 days after the date 
of enactment of this Act, the Secretary, in consultation with the 
Director, shall provide a briefing on the updating of the Plan under 
subsection (a) to--
            (1) the Committee on Health, Education, Labor, and 
        Pensions, the Committee on Finance, and the Committee on 
        Homeland Security and Governmental Affairs of the Senate; and
            (2) the Committee on Energy and Commerce, the Committee on 
        Ways and Means, and the Committee on Homeland Security of the 
        House of Representatives.

SEC. 7. IDENTIFYING HIGH-RISK COVERED ASSETS.

    (a) In General.--Not later than 90 days after the date of enactment 
of this Act, the Director shall establish objective criteria for 
determining whether a covered asset should be designated as a high-risk 
covered asset.
    (b) Methodology.--The Director, in consultation with the Secretary, 
as appropriate, shall establish a methodology for determining whether a 
covered asset meets the criteria established under subsection (a) to be 
designated as a high-risk covered asset.
    (c) List of High-Risk Covered Assets.--
            (1) In general.--The Secretary shall develop a list of, and 
        notify, the owners and operators of each covered asset 
        determined to be a high-risk covered asset using the 
        methodology established under subsection (b).
            (2) Biannual updating.--The Secretary shall--
                    (A) biannually review and update the list of high-
                risk covered assets developed under paragraph (1); and
                    (B) notify the owners and operators of each covered 
                asset added to or removed from the list as part of a 
                review and update of the list under subparagraph (A).
            (3) Notice to congress.--The Secretary shall notify 
        Congress when the initial list of high-risk covered assets is 
        developed under paragraph (1) and each time the list is updated 
        under paragraph (2).
            (4) Use.--The list developed and updated under this 
        subsection shall be used by the Department to prioritize 
        resource allocation to high-risk covered assets to bolster 
        cyber resilience.

SEC. 8. REPORT ON ASSISTANCE PROVIDED TO ENTITIES OF HEALTHCARE AND 
              PUBLIC HEALTH SECTOR.

    Not later than 120 days after the date of enactment of this Act, 
the Agency shall submit to Congress a report on the organization-wide 
level of support and activities that the Agency has provided to the 
healthcare and public health sector to proactively prepare the sector 
to face cyber threats and respond to cyber attacks when such threats or 
attacks occur.