[Senate Report 118-280]
[From the U.S. Government Publishing Office]


                                                   Calendar No. 683

118th Congress}                                           { Report
                                 SENATE
   2d Session }                                           { 118-280

======================================================================
 
                HEALTHCARE CYBERSECURITY ACT OF 2024

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 4697

             TO ENHANCE THE CYBERSECURITY OF THE HEALTHCARE
                        AND PUBLIC HEALTH SECTOR



                December 9, 2024.--Ordered to be printed
                
                               __________

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
                         WASHINGTON : 2025                  
          
-----------------------------------------------------------------------------------                  
              
                
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
JON OSSOFF, Georgia                  RICK SCOTT, Florida
RICHARD BLUMENTHAL, Connecticut      JOSH HAWLEY, Missouri
LAPHONZA R. BUTLER, California       ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
                      Alan S. Kahn, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
              Emily A. Ferguson, Professional Staff Member
           William E. Henderson III, Minority Staff Director
              Christina N. Salazar, Minority Chief Counsel
                  Andrew J. Hopkins, Minority Counsel
          Kendal B. Tigner, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                     
                     

 Mr. Peters, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 4697]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 4697) to enhance 
the cybersecurity of the Healthcare and Public Health Sector, 
having considered the same, reports favorably thereon with an 
amendment, in the nature of a substitute, and recommends the 
bill, as amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History..............................................4
 IV. Section-by-Section Analysis of the Bill, as Reported.............5
  V. Evaluation of Regulatory Impact..................................6
 VI. Congressional Budget Office Cost Estimate........................7
VII. Changes in Existing Law Made by the Bill, as Reported............8

                         I. PURPOSE AND SUMMARY

    S. 4697, the Healthcare Cybersecurity Act of 2024, 
increases information sharing and improves cybersecurity in the 
healthcare and public health sector by requiring the 
Cybersecurity and Infrastructure Security Agency (CISA) and the 
Department of Health and Human Services (HHS) to jointly 
designate an individual with cybersecurity expertise to serve 
as a liaison between CISA and HHS. The bill outlines the 
criteria for selection and appointment of the liaison, and 
their duties and responsibilities. The bill further requires 
the agencies to formulate a comprehensive update to the 
healthcare and public health sector specific plan, last updated 
in 2015, which each critical infrastructure sector risk 
management agency is required to produce to establish detailed 
goals and priorities for risk mitigation. Additionally, the 
bill requires the agencies to identify and manage the public 
health sector's specific cybersecurity risks, lead the sharing 
of cyber threat information and defensive measures, provide 
training for owners and operators, develop a methodology to 
identify high-risk covered assets, and submit reports to 
Congress about the activities related to these provisions.

              II. BACKGROUND AND NEED FOR THE LEGISLATION

    CISA and HHS share responsibility to help protect 
healthcare and public health sector entities. However, HHS is 
the Sector Risk Management Agency (SRMA).\1\ As defined in law, 
SRMAs designated by the President, provide institutional 
knowledge and lead risk management activities in their sector, 
in coordination with the Department of Homeland Security 
(DHS).\2\ As the sector's SRMA, HHS's responsibilities include 
collaborating with healthcare asset owners and operators, 
coordinating sector-specific activities at the federal level, 
and carrying out incident management responsibilities.\3\ As a 
part of this, HHS operates the Health Sector Cybersecurity 
Coordination Center (HC3) to foster cybersecurity information 
sharing across the sector.\4\
---------------------------------------------------------------------------
    \1\Department of Health and Human Services, Administration for 
Strategic Preparedness and Response, Division of Critical 
Infrastructure Protection (website) (Accessed December 9, 2024) 
(aspr.hhs.gov/cip/Pages/About.aspx).
    \2\6 U.S. Code Sec. 651.
    \3\Government Accountability Office, Report to Congressional 
Requesters, CYBERSECURITY HHS Defined Roles and Responsibilities, but 
Can Further Improve Collaboration (GAO-21-403) (June 2021). 
(www.gao.gov/assets/gao-21-403.pdf).
    \4\Department of Health and Human Services, Health Sector 
Cybersecurity Coordination Center (HC3), A Prescription for Health 
Sector Cybersecurity (Mar. 31, 2022). (www.hhs.gov/about/agencies/asa/
ocio/hc3/index.html).
---------------------------------------------------------------------------
    Cyberattacks against the healthcare and public health 
sector, one of 16 designated critical infrastructure sectors, 
are a threat to the security of the healthcare infrastructure 
and the security and privacy of all Americans. While other 
critical infrastructure sectors experience similar attacks, the 
healthcare industry's mission poses unique challenges, 
including protecting sensitive patient information under the Health 
Insurance Portability and Accountability Act (HIPAA). Not only do cyberattacks 
result in data breaches and, in many cases, risk patient 
welfare or directly threaten patient safety, but they also 
increase healthcare delivery costs and adversely impact 
providers, particularly small practices.\5\ Cyberattacks harm 
the individuals whose privacy has been violated and affect 
every insured person whose healthcare payments may increase due 
to increased costs, which can cause skepticism or refusal of 
telehealth services amongst patients.\6\ Distrust of telehealth 
is particularly harmful amongst those who may rely heavily on 
technology to obtain healthcare, such as patients with limited 
accessibility or mobility.\7\ Unsurprisingly, academic studies 
in the last few years reviewing the challenges of providing 
healthcare through virtual visits most often cited patient and 
provider concerns with privacy and security and the risk of 
using technology in healthcare consultations.\8\
---------------------------------------------------------------------------
    \5\New York Times, 4 Things You Need to Know About Health Care 
Cyberattacks (Apr. 9, 2024). (www.nytimes.com/2024/03/29/health/cyber-
attack-unitedhealth-hospital-patients.html).
    \6\52% of Providers Say Patients Declined Telehealth Due to 
Security Concerns, TechTarget (Dec. 1, 2021) (www.techtarget.com/
virtualhealthcare/news/366597792/52-of-Providers-Say-Patients-Declined-
Telehealth-Due-to-Security-Concerns::text=But%2052%20percent 
%20of%20telehealth,shared%20from%20these%20virtual%20sessions).
    \7\Department of Health and Human Services, Resource for Health 
Care Providers on Educating Patients about Privacy and Security Risks 
to Protected Health Information when Using Remote Communication 
Technologies for Telehealth. (www.hhs.gov/hipaa/for-professionals/
privacy/guidance/resource-health-care-providers-educating-patients/
index.html).
    \8\S. Houser et al., Privacy and Security Risk Factors Related to 
Telehealth Services--A Systematic Review, Perspectives in Health 
Information Management (Jan. 10, 2023) (www.ncbi.nlm.nih.gov/pmc/
articles/PMC9860467/); F. Tazi et al., ``We Have No Security 
Concerns'': Understanding the Privacy-Security Nexus in Telehealth for 
Audiologists and Speech-Language Pathologists, In Proceedings of the 
2024 CHI Conference on Human Factors in Computing Systems (CHI '24), 
Association for Computing Machinery (May 11, 2024) (dl.acm.org/doi/
10.1145/3613904.3642208#abstract).
---------------------------------------------------------------------------
    Cyberattacks are becoming more common and sophisticated. 
According to the Office of the Director of National 
Intelligence, worldwide cyberattacks for ransom have nearly 
doubled since 2022, reaching a total of 389 victims in 2023. In 
the U.S., attacks in the healthcare and public health sector 
increased by 128 percent in 2023, claiming 258 victims in 2023 
in contrast to 113 in 2022.\9\ Another report by HHS shows that 
large cyber breaches of the information systems of healthcare 
facilities rose by 93 percent from 2018 to 2022, while breaches 
involving ransomware increased by 278 percent in the same 
period.\10\ With the increased use of technology in healthcare, 
most patient records are electronic and most medical equipment 
is managed online; therefore, just a single cyberattack can 
affect a large number of people.
---------------------------------------------------------------------------
    \9\Office of the Director of National Intelligence--the Cyber 
Threat Intelligence Integration Center, Ransomware Attacks Surge in 
2023; Attacks on Healthcare Sector Nearly Double (February 28, 2024) 
(www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_
Surge_in_2023.pdf); BC Training, Have Cyber Attacks Killed People? 
Updated June 2024 (June 14, 2024). (www.b-c-training.com/bulletin/have-
cyber-attacks-killed-people-updated-june-2024/
#::text=Of%20the%2088%25%20of%20health,and%2029%25%20for%20cloud%20comp
romises).
    \10\Department of Health and Human Services, HEALTHCARE SECTOR 
CYBERSECURITY, Introduction to the Strategy of the U.S. Department of 
Health and Human Services (Dec. 2023) (aspr.hhs.gov/cyber/Documents/
Health-Care-Sector-Cybersecurity-Dec2023-508.pdf).
---------------------------------------------------------------------------
    On February 21, 2024, Change Healthcare, a UnitedHealth 
Group subsidiary and one of the world's largest health payment 
processing companies, was breached. One of the biggest and most 
costly cyberattacks, it is predicted to cost the company $2.3 
billion to restore the impacted platform and cover 
other remediation activities.\11\ Six terabytes of data were 
stolen, including a large number of patient records, and the 
House Committee on Energy and Commerce Subcommittee on Health 
determined ``that a third of Americans had their sensitive 
health information leaked to the dark web as a result of the 
attack.''\12\ The company was forced to pay a $22 million ransom 
to retrieve the datasets.\13\
---------------------------------------------------------------------------
    \11\Steve Adler, Change healthcare Reports Ransomware Data Breach 
to HHS (blog) (July 31, 2024). (www.hipaajournal.com/change-healthcare-
responding-to-cyberattack/#::text=Change%20 
Healthcare%20experienced%20an%20ALPHV,affiliate%20who%20conducted%20the%
20attack).
    \12\House Committee on Energy & Commerce, What we learned: Change 
Healthcare Cyber Attack (blog). (https://energycommerce.house.gov/
posts/what-we-learned-change-healthcare-cyber-attack) and 
UnitedHealthGroup, Change Healthcare Cyberattack, What Happened? 
(blog). (www.unitedhealthgroup.com/ ns/health-data-breach.html).
    \13\Medical-Targeted Ransomware Is Breaking Records After Change 
Healthcare's $22M Payout, Wired (June 12, 2024) (www.wired.com/story/
change-healthcare-22-million-payment-ransomware-spike/).
---------------------------------------------------------------------------
    Due to these large-scale breaches and the value of patient 
information, patient safety and security are under serious 
threat. For example, on the Dark Web, medical records can be 
purchased for anywhere between $250-$1,000 because these 
medical records include important personal information like 
Social Security numbers, dates of birth, addresses, and 
demographic data all in one file--making it easy for 
cybercriminals to conduct identity theft, financial fraud, and 
other nefarious activities.\14\ Most importantly, however, 
cyberattacks on the healthcare sector can adversely impact 
patient outcomes. New studies now show that ransomware attacks 
on hospitals not only impact the financials of healthcare 
providers through an average decreased patient volume by 17-
25%, but they also increase in-hospital mortality for patients 
who are already admitted at the time of attack.\15\ Recognizing 
these dangers and the enormity of the threats facing the 
sector, HHS has called for action placing cybersecurity as a 
top priority in patient safety, and in October 2023, released a 
collaborative cybersecurity toolkit with CISA to ``close the 
gaps in resources and cyber capabilities.''\16\ Since October 
2023, however, the threats to the sector have outpaced the 
resources and support CISA and HHS currently offer.\17\
---------------------------------------------------------------------------
    \14\Hackers are Stealing Millions of Medical Records- and Selling 
Them on the Dark Web, CBS News (Feb. 14, 2019) (www.cbsnews.com/news/
hackers-steal-medical-records-sell-them-on-dark-web/); Editorial: Why 
Do Criminals Target Medical Records, The HIPAA Journal (Nov. 2, 2023) 
(www.hipaajournal.com/why-do-criminals-target-medical-records/).
    \15\Claire C. McGlave, Hannah Neprash, and Sayeh Nikpay, Hacked to 
Pieces? The Effects of Ransomware Attacks on Hospitals and Patients, 
Social Science Research Network (Oct. 4, 2023) (papers.ssrn.com/sol3/
papers.cfm?abstract_id=4579292).
    \16\Department of Health and Human Services, CISA, HHS Release 
Collaborative Cybersecurity Healthcare Toolkit (Oct. 26, 2023) 
(www.hhs.gov/about/news/2023/10/25/cisa-hhs-release-collaborative-
cybersecurity-healthcare-toolkit.html).
    \17\Healthcare Leads in Third-Party Data Breaches, Says New Report, 
Healthcare IT News (June 25, 2024) (www.healthcareitnews.com/news/
healthcare-leads-third-party-data-breaches-says-new-report); The State of Cyber Defense: 
Diagnosing Cyber Threats in Healthcare, Kroll (April 17, 2024) 
(www.kroll.com/en/insights/publications/cyber/state-cyber-defense-
healthcare).
---------------------------------------------------------------------------
    Cybersecurity risks in the healthcare and public health 
sector can be addressed with robust cybersecurity strategies, 
and a well-trained, knowledgeable workforce. While recent 
efforts to improve the healthcare sector's security have led to 
improved access standards, such as implementation of `multi-
factor' or `two-step' authentication, more is needed. 
Hospitals, clinics, pharmacies, and other entities often 
require technical support to implement these solutions 
correctly in addition to training for personnel on phishing and 
other social engineering tactics.\18\ A liaison between CISA 
and HHS, as required by this bill, would serve to address the 
workforce challenge in the sector through implementing training 
to owners and operators of healthcare assets, providing 
technical assistance to the sector, and streamlining and 
facilitating communications on cybersecurity issues.
---------------------------------------------------------------------------
    \18\HHS Offering $50 Million for Proposals to Improve Hospital 
Cybersecurity, The Record (May 20, 2024) (https://therecord.media/hhs-
offering-funding-cybersecurity-hospital).
---------------------------------------------------------------------------
    S. 4697, the Healthcare Cybersecurity Act of 2024, ensures 
that CISA and HHS continue to coordinate to provide appropriate 
resources to the sector's entities to prevent, detect, and 
respond to cyber incidents. This support includes engaging in 
outreach and sharing best practices, providing technical 
assistance, keeping up with new technology, sharing information 
related to breaches and systems vulnerabilities, and providing 
cybersecurity training to sector asset owners and operators, in 
addition to appointing a liaison between CISA and HHS.

                        III. LEGISLATIVE HISTORY

    Senator Rosen (D-NV), Senator Young (R-IN), Senator King 
(I-ME) and Senator Ossoff (D-GA) introduced S. 4697, the 
Healthcare Cybersecurity Act of 2024, on July 7, 2024. The bill 
was referred to the Senate Committee on Homeland Security and 
Governmental Affairs. The Committee considered S. 4697 at a 
business meeting on July 31, 2024.
    At the business meeting, Senator Rosen offered a substitute 
amendment to the bill as well as a modification to the 
substitute amendment. The Rosen amendment, as modified, 
specified that the HHS report provided to Congress should 
include a summary of the activities of the CISA-HHS liaison, a 
description of any challenges to the effectiveness of the 
liaison completing the required duties, and a study of the 
feasibility of an agreement to enhance cybersecurity in the 
public health care sector. It further required a report be 
submitted to Congress by the Government Accountability Office, 
within 18 months of the bill's enactment. The report would 
address federal resources available for the health care and 
public health sector related to critical infrastructure. It 
also specified that no additional funds would be authorized to 
implement the bill's provisions and made technical changes. The 
Committee adopted the modification to the Rosen substitute 
amendment, and the Rosen substitute amendment, as modified, by 
unanimous consent with Senators Peters, Carper, Hassan, Sinema, 
Rosen, Ossoff, Blumenthal, Butler, Paul, Lankford and Scott 
present.
    The bill, as amended by the Rosen substitute amendment, as 
modified, was ordered favorably by a roll call vote of 10 yeas 
to 1 nay, with Senators Peters, Carper, Hassan, Sinema, Rosen, 
Ossoff, Blumenthal, Butler, Lankford, and Scott voting in the 
affirmative, and Senator Paul voting in the negative. Senators 
Johnson, Romney, Hawley and Marshall voted yea by proxy, for 
the record only.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section designates the short title of the bill as the 
``Healthcare Cybersecurity Act of 2024.''

Section 2. Definitions

    This section defines the terms ``Agency,'' ``covered 
asset,'' ``Cybersecurity Coordinator,'' ``Department,'' 
``Director,'' ``Health and Public Health Sector,'' 
``Information Sharing and Analysis Organizations,'' ``Plan,'' 
and ``Secretary.''

Section 3. Findings

    This section describes Congress' findings of reported data 
of increased cybersecurity risks in the sector, and the extent 
of the harm on the victims of these malicious acts.

Section 4. Agency coordination with the department

    Subsection (a) establishes that CISA and HHS shall 
coordinate to improve cybersecurity in the healthcare and 
public health sector, including entering into an agreement, as 
appropriate.
    Subsection (b) establishes the liaison between HHS and CISA 
and the liaison's manner of appointment, duties, and 
responsibilities. It also sets the reporting requirements and 
the contents of the report.
    Subsection (c) establishes that CISA shall coordinate and 
share developed resources for the sector with information 
sharing and analysis organizations, centers, sector 
coordinating councils, and non-federal entities within the 
sector. Developed resources shall include products specific for 
sector entities to use and information related to cyber threats 
and appropriate defensive measures for the sector.

Section 5. Training for healthcare owners and operators

    This section describes the type of training that CISA must 
make available to the sector's covered assets owners and 
operators, such as training on cybersecurity risks to the 
sector and ways to mitigate the risks.

Section 6. Sector specific risk management plan

    Subsection (a) sets the general requirements on how often and 
in what manner the sector-specific management plan must be 
updated, including an analysis of how the risks impact various 
covered assets based on geography and size, evaluations of the 
challenges to securing systems, the best use of resources and 
workforce optimization, and the best ways to share recommendations.
    Subsection (b) directs HHS and CISA to provide 
Congressional Committees with a briefing within 120 days.

Section 7. Identifying high-risk covered assets

    Subsection (a) provides general guidance on how to 
establish criteria to assign risk level to covered assets and 
designate high-risk assets.
    Subsection (b) sets the requirements for a running list of 
high-risk assets and formulaic reviews, updates, and 
notifications to owners and operators of high-risk assets and 
Congress. The list will be used to allocate resources such as 
cybersecurity defensive measures and other cyber resilience 
tools and resources.

Section 8. Reports

    Subsection (a) outlines the requirements and 120-day 
timeframe for the report to Congress on the activities CISA has 
conducted to support the healthcare sector in preparation to 
handle and mitigate cyber-attacks.
    Subsection (b) outlines the requirements and 18-month 
timeframe for the U.S. Comptroller General's report to Congress 
on available Federal resources for the Healthcare and Public 
Health Sector's critical infrastructure, in accordance with the 
Critical Infrastructures Protection Act of 2001.

Section 9. Rules of construction

    Subsection (a) provides that the Secretary or Director is not 
authorized under this Act to take an action not authorized by the 
Act or existing law.
    Subsection (b) provides that this Act does not permit the 
violation of any protected rights under the U.S. Constitution 
through censorship of protected speech or unauthorized surveillance.
    Subsection (c) provides that this Act does not authorize 
additional funds to be appropriated for carrying out the Act.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE



    S. 4697 would require the Cybersecurity and Infrastructure 
Security Agency (CISA), in coordination with the Department of 
Health and Human Services (HHS), to provide information and 
training on cybersecurity threats to health care providers. The 
bill also would require CISA, HHS, and the Government 
Accountability Office to report to the Congress on the 
effectiveness of those efforts. For purposes of this estimate, 
CBO assumes the bill will be enacted in 2025.
    CISA currently employs 32 analysts to provide training to 
and share information with eight critical infrastructure 
sectors. Using information from CISA, CBO expects that the 
agency would need one liaison officer to coordinate with HHS 
and three analysts to expand its support to the health care 
sector. CBO estimates that the costs of compensation for those 
employees and information technology needed to deliver the 
training would total $2 million annually. Accounting for the 
time needed to hire new employees, develop the training, and 
publish the required reports, CBO estimates that implementing 
the bill would cost $10 million over the 2024-2029 period; any 
spending would be subject to the availability of appropriated 
funds.
    The CBO staff contact for this estimate is Aldo Prosperi. 
The estimate was reviewed by Christina Hawley Anthony, Deputy 
Director of Budget Analysis.

                                         Phillip L. Swagel,
                             Director, Congressional Budget Office.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    This legislation would make no change in existing law, 
within the meaning of clauses (a) and (b) of subparagraph 12 of 
rule XXVI of the Standing Rules of the Senate, because this 
legislation would not repeal or amend any provision of current 
law.
