Earlier this month, Sen Rosen (D,NV) introduced S 4697, the Healthcare Cybersecurity Act of 2024. The bill establishes requirements for CISA-HHS coordination, CISA-provided healthcare cybersecurity training, an HHS update to the Healthcare and Public Health Sector Specific Plan, and CISA-developed criteria for identifying high-risk covered assets. No new funding is authorized by this legislation.
Definitions
Section 2 of the bill provides definitions for nine key terms used in the legislation. None of these terms are technical in nature.
Congressional Findings
Section 3 of the bill sets out the ‘findings’ that justify the provisions of the bill.
CISA-HHS Coordination
Section 4 of the bill requires CISA to provide an official liaison to HHS. The person serving as liaison would have appropriate cybersecurity qualifications and expertise, and would report directly to the Director of CISA. The liaison’s responsibilities would include:
Provide to the owners and operators of covered assets technical assistance regarding, information on, and best practices relating to improving cybersecurity,
Serve as a primary contact of the Department to coordinate cybersecurity issues with the Agency,
Support the implementation and execution of the Plan and assist in the development of updates to the Plan,
Facilitate the sharing of cyber threat information to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents,
Manage the implementation of the CISA-HHS agreement,
Implement the training described in section 5,
Coordinate between the Agency and the Department during cybersecurity incidents within the Healthcare and Public Health Sector, and
Perform such other duties as determined necessary by the Secretary to achieve the goal of improving the cybersecurity of the Healthcare and Public Health Sector.
Subsection (c) requires CISA to coordinate and provide resources to the “information sharing and analysis centers, the sector coordinating councils, and non-Federal entities that are receiving information shared through programs managed by” HHS. The coordination would include:
Developing products specific to the needs of Healthcare and Public Health Sector entities; and
Sharing information relating to cyber threat indicators and appropriate defensive measures.
Training
Section 5 would require CISA’s Cyber Security Advisors and Cybersecurity State Coordinators to provide training to owners and operators of covered assets (as that term is defined in §2). The training would cover:
Cybersecurity risks to the Healthcare and Public Health Sector and covered assets, and
Ways to mitigate the risks to information systems in the Healthcare and Public Health Sector.
Sector Specific Plan
Section 6 of the bill would require HHS to update the Healthcare and Public Health Sector Specific Plan (last updated in 2016). The update would be required to include the following elements:
An analysis of how identified cybersecurity risks specifically impact covered assets, including the impact on rural and small and medium-sized covered assets,
An evaluation of best practices for the deployment of trained Cyber Security Advisors and Cybersecurity State Coordinators of the Agency into covered assets before, during, and after data breaches or cybersecurity attacks,
An assessment of relevant Healthcare and Public Health Sector cybersecurity workforce shortages, and
An evaluation of the most accessible and timely ways for CISA and HHS to communicate and deploy cybersecurity recommendations and tools to the owners and operators of covered assets.
The update would also be required to address the challenges the owners and operators of covered assets face in:
Securing updated information systems, medical devices, and sensitive patient health information,
Implementing cybersecurity protocols, and
Responding to data breaches or cybersecurity attacks.
High-Risk Covered Assets
Section 7 of the bill would require CISA to establish objective criteria and a methodology for determining which covered assets should be designated as high-risk covered assets. HHS would then use that methodology to prepare a list of high-risk covered assets and update that list biannually. HHS would use that list to prioritize the allocation of resources to high-risk covered assets to bolster their cyber resilience.
Moving Forward
Rosen and one of her cosponsors {Sen Ossoff (D,GA)} are members of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. This means that there could be sufficient influence to see the bill considered in Committee. I suspect that there would be some level of bipartisan support for this bill, but the Ranking Member {Sen Paul (R,KY)} would be expected to oppose it. This would complicate passage in Committee.
Commentary
There is no discussion, or even mention, of the role that cybersecurity vulnerabilities in medical software and devices play in abetting the malicious cyberattacks discussed in the §3 findings. This bill would be the ideal place to formalize which agency (FDA or CISA) would be responsible for receiving, coordinating, and publishing reports about vulnerabilities in medical software and devices. The FDA has the benefit of being the regulatory agency responsible for oversight of the safety and efficacy of such systems, which lends gravitas to any coordination effort it leads. Meanwhile, CISA has the technical expertise and experience (and the current de facto responsibility) to manage this effort. I would suggest inserting a new §4(c) into the bill:
“(c) The Agency will assist the Department with establishing within the Food and Drug Administration an office to receive, coordinate, and make public information related to security vulnerabilities (as defined in 6 U.S.C. 650) in medical software and devices.”