Back in August, Rep Crow (D,CO) introduced HR 9412, the Healthcare Cybersecurity Act of 2024. The bill establishes requirements for CISA-HHS coordination, CISA healthcare cybersecurity training, HHS-developed sector security plans, and HHS-developed criteria for identifying high-risk covered assets. The bill would specifically prohibit additional funding to support these efforts.
This bill is very similar to S 4697, which was introduced in July by Sen Rosen (D,NV). That bill was considered by the Senate committee on July 31st, 2024. The bill was amended and ordered reported favorably by a vote of 10 to 1 {Sen Paul (R,KY) was the dissenting vote}. That report (and the amended version) has not yet been published. Paul’s opposition almost assures that the bill will not be considered by the full Senate.
Differences from S 4697
The general tenor of the two bills is very similar. The House version, however, puts the responsibility for most of the activities back on the HHS leadership, with consultation and assistance from CISA. This bill also gives CISA more leeway in how it accomplishes its responsibilities under the legislation, particularly with regard to how Cybersecurity State Coordinators and Cyber Security Advisors are utilized. Finally, the House version includes a §9, Rules of Construction, not seen in the Senate version. This includes §9(c), which prohibits additional funding for the requirements of this bill; the Senate bill was silent on the subject of spending authority.
At this point it is not possible to tell how the changes made to S 4697 in Committee compare to the current text of HR 9412. We will have to wait until the HSGA Committee publishes their report.
Definitions
Section 2 of the bill provides definitions for nine key terms used in the legislation. None of these terms are technical in nature.
Congressional Findings
Section 3 of the bill provides the ‘findings’ that provide justification for the provisions of the bill.
CISA-HHS Coordination
Section 4 of the bill requires CISA to provide an official liaison to HHS. The person serving as liaison will have appropriate cybersecurity qualifications and expertise, and report directly to the Director. The Liaison responsibilities will include:
Serve as a primary contact of the Department to coordinate cybersecurity issues with the Agency,
Support the implementation and execution of the Plan and assist in the development of updates to the Plan,
Facilitate the sharing of cyber threat information between the Department and the Agency to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents,
Manage the implementation of the CISA-HHS agreement,
Assist in implementing the training described in section 5,
Facilitate coordination between the Agency and the Department during cybersecurity incidents within the Healthcare and Public Health Sector, and
Perform such other duties as determined necessary by the Secretary to achieve the goal of improving the cybersecurity of the Healthcare and Public Health Sector.
Subsection (c) requires CISA to coordinate and provide resources to the “information sharing and analysis centers, the sector coordinating councils, and non-Federal entities that are receiving information shared through programs managed by” HHS. The coordination would include:
Developing products specific to the needs of Healthcare and Public Health Sector entities; and
Sharing information relating to cyber threat indicators and appropriate defensive measures.
Training
Section 5 would require CISA to provide training to owners and operators of covered assets. The training would cover:
Cybersecurity risks to the Healthcare and Public Health Sector and covered assets, and
Ways to mitigate the risks to information systems in the Healthcare and Public Health Sector.
Sector Specific Plan
Section 6 of the bill would require HHS to update the Healthcare and Public Health Sector Specific Plan (last updated in 2016). The update would be required to include the following elements:
An analysis of how identified cybersecurity risks specifically impact covered assets, including the impact on rural and small and medium-sized covered assets,
An evaluation of the best practices for utilization of resources from the Agency to support covered assets before, during and after data breaches or cybersecurity attacks, such as by Cyber Security Advisors and Cybersecurity State Coordinators of the Agency or other similar resources,
An assessment of relevant Healthcare and Public Health Sector cybersecurity workforce shortages, and
An evaluation of the most accessible and timely ways for CISA and HHS to communicate and deploy cybersecurity recommendations and tools to the owners and operators of covered assets.
The update would also be required to address the challenges the owners and operators of covered assets face in:
Securing updated information systems, medical devices, and sensitive patient health information,
Implementing cybersecurity protocols, and
Responding to data breaches or cybersecurity attacks.
High-Risk Covered Assets
Section 7 of the bill would require HHS to establish objective criteria and a methodology for determining which covered assets should be designated as high-risk covered assets. HHS would then use that methodology to prepare a list of high-risk covered assets and update that list biannually. That list would be used by the Department to prioritize resource allocation to high-risk covered assets to bolster cyber resilience.
Moving Forward
Neither Crow nor any of his three cosponsors is a member of the House Homeland Security Committee, to which this bill was assigned for primary consideration. This means that there will probably not be sufficient influence to see the bill considered in Committee. With the funding exclusion added to the bill, I see nothing that would engender any organized opposition. I suspect that there would be some level of bipartisan support for the bill were it to be considered. Whether it would be sufficient to see the bill considered under the suspension of the rules process before the full House remains to be seen.