[Senate Report 117-177]
[From the U.S. Government Publishing Office]
Calendar No. 527
117th Congress } { Report
SENATE
2d Session } { 117-177
_______________________________________________________________________
HEALTHCARE CYBERSECURITY ACT OF 2022
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 3904
TO ENHANCE THE CYBERSECURITY OF THE HEALTHCARE AND PUBLIC HEALTH SECTOR
October 18, 2022.--Ordered to be printed
Filed, under authority of the order of the Senate of October 14, 2022
__________
U.S. GOVERNMENT PUBLISHING OFFICE
39-010 WASHINGTON : 2022
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware
MAGGIE HASSAN, New Hampshire
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada
ALEX PADILLA, California
JON OSSOFF, Georgia
ROB PORTMAN, Ohio
RON JOHNSON, Wisconsin
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MITT ROMNEY, Utah
RICK SCOTT, Florida
JOSH HAWLEY, Missouri
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Christopher J. Mulkins, Director of Homeland Security
Jeffrey D. Rothblum, Senior Professional Staff Member
Pamela Thiessen, Minority Staff Director
Sam J. Mulopulos, Minority Deputy Staff Director
William H.W. McKenna, Minority Chief Counsel
Laura W. Kilbride, Chief Clerk
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 3904]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 3904), to enhance
the cybersecurity of the Healthcare and Public Health Sector,
having considered the same, reports favorably thereon with an
amendment, in the nature of a substitute, and an amendment to
the title, and recommends the bill, as amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis of the Bill, as Reported
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported
I. PURPOSE AND SUMMARY
S. 3904, the Healthcare Cybersecurity Act of 2022, aims to
improve the cybersecurity of the Healthcare and Public Health
Sector. The bill directs the Cybersecurity and Infrastructure
Security Agency (CISA) to coordinate with the Department of
Health and Human Services (HHS) on improving cybersecurity in
the Healthcare and Public Health Sector. As part of this, the
bill requires CISA, in collaboration with HHS, to coordinate
with and provide resources to non-Federal Healthcare and Public
Health Sector entities, including products specific to those
entities and sharing cyber threat indicators. Additionally, the
HHS Secretary, in coordination with CISA Cyber Security
Advisors, CISA Cybersecurity State Coordinators, and private
sector healthcare experts, must provide training to Healthcare
and Public Health Sector asset owners and operators on
cybersecurity risks and mitigations. Lastly, the bill requires
the HHS Secretary to update the Healthcare and Public Health
Sector Specific Plan, including an evaluation of challenges
Healthcare and Public Health Sector entities face and an
assessment of cybersecurity workforce shortages in the
Healthcare and Public Health Sector.
II. BACKGROUND AND NEED FOR THE LEGISLATION
Cyberattacks against entities in the Healthcare and Public
Health Sector pose grave, and increasing, threats to the
security of healthcare infrastructure, the safety of patients,
and the security of individuals' personally identifiable
information. According to an analysis of data from HHS, there
were 599 healthcare data breaches in 2020, a 55 percent
increase from 2019.\1\ In 2020 alone, at least 24,000,000
individuals were affected by healthcare data breaches.\2\ This
included a ransomware attack on the fundraising software
company Blackbaud, which exposed the data of millions of
individuals, including 1.05 million donors to the Virginia-
based Inova Health System.\3\
---------------------------------------------------------------------------
\1\BitGlass, Healthcare Breach Report 2021 (Feb. 17, 2021) (https://pages.bitglass.com/rs/418-ZAL-815/images/CDFY21Q1HealthcareBreachReport2021.pdf).
\2\Id.
\3\HIPAA Journal, Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack (Sep. 11, 2020) (https://www.hipaajournal.com/inova-health-system-says-1-05-million-individuals-impacted-by-blackbaud-ransomware-attack/).
---------------------------------------------------------------------------
Cyberattacks with the potential to disrupt the functioning
of Healthcare and Public Health Sector entities are also
increasing. Amidst the COVID-19 pandemic, CISA, the Federal
Bureau of Investigation (FBI), and HHS released an alert about
ransomware threat actors targeting Healthcare and Public Health
Sector entities.\4\ According to CISA, past ransomware attacks
against hospitals have ``resulted in inaccessible patient
schedules and records'' and downstream effects included
``cancelled or delayed surgeries and cancer treatments''.\5\
---------------------------------------------------------------------------
\4\U.S. Cybersecurity and Infrastructure Security Agency,
Ransomware Activity Targeting the Healthcare and Public Health Sector
(Oct. 28, 2020) (https://www.cisa.gov/uscert/ncas/alerts/aa20-302a).
\5\U.S. Cybersecurity and Infrastructure Security Agency, Provide Medical Care is in Critical Condition: Analysis and Stakeholder Decision Support to Minimize Further Harm (Sept. 2021) (https://www.cisa.gov/sites/default/files/publications/Insights_MedicalCare_FINAL-v2_0.pdf).
---------------------------------------------------------------------------
The attack surface of the Healthcare and Public Health
Sector includes medical devices, which are increasingly
Internet-connected and can pose cybersecurity risks to hospital
networks.\6\ The Food and Drug Administration (FDA), a
component agency of HHS, regulates medical devices and works to
reduce cybersecurity risks.\7\ When a vulnerability that can
pose a risk is identified, the FDA issues a ``safety
communication'' to inform patients, providers, and
manufacturers.\8\
---------------------------------------------------------------------------
\6\U.S. Food and Drug Administration, Cybersecurity (Apr. 8, 2022) (https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity).
\7\U.S. Food and Drug Administration, Medical Device Cybersecurity: What You Need to Know (Feb. 4, 2022) (https://www.fda.gov/consumers/consumer-updates/medical-device-cybersecurity-what-you-need-know).
\8\Id.
---------------------------------------------------------------------------
Cybersecurity risks in the Healthcare and Public Health
Sector can only be addressed with a robust cybersecurity
workforce. Globally, there is an estimated shortage of 2.72
million cybersecurity workers.\9\ This is especially true in
the healthcare sector, where a 2018 study found that 79% of
surveyed executives in healthcare organizations reported
difficulty recruiting cybersecurity personnel.\10\
---------------------------------------------------------------------------
\9\International Information System Security Certification
Consortium, A Resilient Cybersecurity Profession Charts the Path
Forward (2021) (https://www.isc2.org/Research/Workforce-Study).
\10\Merlin International, Merlin International & Ponemon Institute Cybersecurity Study Signals Dangerous Diagnosis for Healthcare Industry (Mar. 12, 2018) (https://www.businesswire.com/news/home/20180312005302/en/Merlin-International-Ponemon-Institute-Cybersecurity-Study-Signals).
---------------------------------------------------------------------------
CISA and HHS share responsibility to help protect
Healthcare and Public Health Sector entities. As defined in
law, Sector Risk Management Agencies, designated by the
President, provide institutional knowledge and lead risk
management activities in their sector, in coordination with the
Department of Homeland Security (DHS).\11\ As the Sector Risk
Management Agency for the Healthcare and Public Health Sector,
HHS's responsibilities include collaborating with healthcare
asset owners and operators, coordinating sector-specific
activities at the federal level, and carrying out incident
management responsibilities.\12\ As part of this, HHS operates
the Health Sector Cybersecurity Coordination Center (HC3) to
foster cybersecurity information sharing across the Healthcare
and Public Health Sector.\13\
---------------------------------------------------------------------------
\11\6 U.S. Code Sec. 651.
\12\U.S. Government Accountability Office, HHS Defined Roles and
Responsibilities, but Can Further Improve Collaboration (June 2021)
(https://www.gao.gov/assets/gao-21-403.pdf).
\13\U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center (HC3) (Mar. 31, 2022) (https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html).
---------------------------------------------------------------------------
S. 3904 ensures that CISA and HHS coordinate to provide
appropriate resources to Healthcare and Public Health Sector
entities to prevent, detect, and respond to cyber incidents.
This includes developing products for sector entities,
information sharing, and providing cybersecurity training to
sector asset owners and operators. Additionally, the bill
requires that HHS update the Healthcare and Public Health
Sector-Specific Plan, last updated in 2015, within one year of
enactment.\14\
---------------------------------------------------------------------------
\14\U.S. Cybersecurity and Infrastructure Security Agency, Healthcare and Public Health Sector-Specific Plan (May 2016) (https://www.cisa.gov/sites/default/files/publications/nipp-ssp-healthcare-public-health-2015-508.pdf).
---------------------------------------------------------------------------
III. LEGISLATIVE HISTORY
Senator Jacky Rosen (D-NV) introduced S. 3904, the
Healthcare Cybersecurity Act of 2022, on March 23, 2022, with
Senator Bill Cassidy (R-LA). The bill was referred to the
Committee on Homeland Security and Governmental Affairs.
Senators Margaret Hassan (D-NH), Jon Ossoff (D-GA), Thom Tillis
(R-NC), and Dianne Feinstein (D-CA) later joined as cosponsors
on March 28, 2022, April 4, 2022, April 6, 2022, and May 16,
2022, respectively.
The Committee considered S. 3904 at a business meeting on
March 30, 2022. During the business meeting, Senator Rosen
offered a substitute amendment, as modified. The Rosen
substitute amendment, as modified, updated the bill to require
the HHS Secretary to update the Healthcare and Public Health
Sector Specific Plan, rather than the CISA Director conducting
a study and issuing a report. The Rosen substitute amendment,
as modified, also included changes to require the HHS
Secretary, in coordination with CISA and private sector
healthcare experts, to provide training to Healthcare and
Public Health Sector asset owners and operators, rather than
CISA. The Rosen substitute amendment, as modified, was adopted
by voice vote en bloc with Senators Peters, Carper, Hassan,
Sinema, Rosen, Padilla, Ossoff, Paul, Lankford, Romney, Scott,
and Hawley present.
Senator Rosen offered another amendment to change the long
title of the bill. The Rosen amendment was adopted by voice
vote en bloc with Senators Peters, Carper, Hassan, Sinema,
Rosen, Padilla, Ossoff, Paul, Lankford, Romney, Scott, and
Hawley present.
The bill, as amended, was ordered reported favorably by
voice vote en bloc. Senators Peters, Carper, Hassan, Sinema,
Rosen, Padilla, Ossoff, Paul, Lankford, Romney, Scott, and
Hawley were present for the vote.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section designates the name of the bill as the
``Healthcare Cybersecurity Act of 2022.''
Section 2. Definitions
This section defines the terms ``Agency,'' ``Cybersecurity
State Coordinator,'' ``Department,'' ``Director,'' ``Healthcare
and Public Health Sector,'' ``Information Sharing and Analysis
Organizations,'' and ``Secretary''.
Section 3. Findings
This section includes the findings of Congress.
Section 4. Agency coordination with the Department
Subsection (a) requires CISA and HHS to coordinate,
including by entering into an agreement, as appropriate, to
improve cybersecurity in the Healthcare and Public Health
Sector.
Subsection (b) requires CISA to coordinate with and make
resources available to Information Sharing and Analysis
Organizations, information sharing and analysis centers, and
certain other non-federal entities. This coordination includes
information sharing of cyber threat indicators and developing
products specific to the Healthcare and Public Health Sector's
needs.
Section 5. Training for healthcare experts
This section requires the HHS Secretary, in coordination
with private sector healthcare experts and CISA's regional
advisors and state coordinators, to provide training to
Healthcare and Public Health Sector asset owners and operators.
This training covers cybersecurity risks to the sector and ways
to mitigate these risks.
Section 6. Sector-specific plan
Subsection (a) requires the HHS Secretary, in coordination
with the CISA Director, to update the Healthcare and Public
Health Sector Specific Plan within a year of enactment of this
bill. The updated plan must include an analysis of
cybersecurity risks affecting the sector. The updated plan must
also include an evaluation of challenges the sector faces in
securing information systems and medical devices, as well as
implementing cybersecurity protocols and responding to data
breaches or cybersecurity attacks. Additionally, the updated
plan must include: an evaluation of best practices for the
deployment of CISA advisors over the course of data breaches or
cybersecurity attacks, an assessment of Healthcare and Public
Health Sector cybersecurity workforce shortages, an
identification of cybersecurity challenges related to COVID-19,
and an evaluation of ways for CISA and HHS to communicate and
deploy cybersecurity recommendations and tools to sector
assets.
Subsection (b) requires the HHS Secretary, in consultation
with the CISA Director, to provide a briefing to Congress on
required updates to the Healthcare and Public Health Sector
Specific Plan set forth in subsection (a) no later than 120
days after the date of enactment of this bill.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, May 6, 2022.
Hon. Gary C. Peters,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 3904, the Healthcare
Cybersecurity Act of 2022.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Aldo
Prosperi.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
S. 3904 would require the Cybersecurity and Infrastructure
Security Agency (CISA) to provide cybersecurity threat
information and training to health care providers in
coordination with the Department of Health and Human Services.
The bill also would require CISA to report to the Congress on
the effectiveness of its efforts.
Under current law, CISA currently employs 32 analysts to
provide training to and share information with eight critical
infrastructure sectors. Using information from CISA, CBO
expects that the agency would need four additional analysts to
expand its support to the health care sector. CBO estimates
that staff salaries and technology costs to deliver the
training would total $2 million annually. Accounting for the
time needed to hire new employees and develop the training, CBO
estimates that implementing the bill would cost $10 million
over the 2022-2027 period; such spending would be subject to
the availability of appropriated funds.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Leo Lex, Deputy Director of Budget
Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation would make no change in existing law,
within the meaning of clauses (a) and (b) of subparagraph 12 of
rule XXVI of the Standing Rules of the Senate, because this
legislation would not repeal or amend any provision of current
law.