Introduced: May 21, 2025
Policy Area: Health
Congress.gov bill statistics: 2 actions | 3 cosponsors | 0 summaries | 1 subject | 1 text version | Full text: Yes
Latest Action (May 21, 2025): Read twice and referred to the Committee on Homeland Security and Governmental Affairs.
Actions (2)
May 21, 2025: Read twice and referred to the Committee on Homeland Security and Governmental Affairs. Type: IntroReferral | Source: Senate
May 21, 2025: Introduced in Senate. Type: IntroReferral | Source: Library of Congress | Code: 10000
Subjects (1)
Health (Policy Area)
Cosponsors (3)
(I-ME), Jun 2, 2025
(R-NC), Jun 2, 2025
(R-IN), May 21, 2025
Full Bill Text
Length: 13,039 characters
Version: Introduced in Senate
Version Date: May 21, 2025
Last Updated: Nov 15, 2025 2:17 AM
[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 1851 Introduced in Senate (IS)]
<DOC>
119th CONGRESS
1st Session
S. 1851
To enhance the cybersecurity of the Healthcare and Public Health
Sector.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
May 21, 2025
Ms. Rosen (for herself and Mr. Young) introduced the following bill;
which was read twice and referred to the Committee on Homeland Security
and Governmental Affairs
_______________________________________________________________________
A BILL
To enhance the cybersecurity of the Healthcare and Public Health
Sector.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1.
This Act may be cited as the ``Healthcare Cybersecurity Act of
2025''.
SEC. 2.
In this Act--
(1) the term ``Agency'' means the Cybersecurity and
Infrastructure Security Agency;
(2) the term ``covered asset'' means a Healthcare and
Public Health Sector asset, including technologies, services,
and utilities;
(3) the term ``Cybersecurity State Coordinator'' means a
Cybersecurity State Coordinator appointed under section 2217(a)
of the Homeland Security Act of 2002 (6 U.S.C. 665c(a));
(4) the term ``Department'' means the Department of Health
and Human Services;
(5) the term ``Director'' means the Director of the Agency;
(6) the term ``Healthcare and Public Health Sector'' means
the Healthcare and Public Health sector, as identified in the
National Security Memorandum on Critical Infrastructure and
Resilience (NSM-22), issued April 30, 2024;
(7) the term ``Information Sharing and Analysis
Organizations'' has the meaning given the term in section 2200
of the Homeland Security Act of 2002 (6 U.S.C. 650);
(8) the term ``Plan'' means the Healthcare and Public
Health Sector-specific Risk Management Plan; and
(9) the term ``Secretary'' means the Secretary of Health
and Human Services.
SEC. 3.
Congress finds the following:
(1) Covered assets are increasingly the targets of
malicious cyberattacks, which result not only in data breaches
but also increased healthcare delivery costs and can ultimately
affect patient health outcomes.
(2) Data reported to the Department shows that large cyber
breaches of the information systems of healthcare facilities
rose 93 percent between 2018 and 2022.
(3) According to the ``Annual Report to Congress on
Breaches of Unsecured Protected Health Information for Calendar
Year 2022'' issued by the Office for Civil Rights of the
Department, breaches of unsecured protected health information
have increased 107 percent since 2018, and, in 2022 alone, the
Department received 626 reported breaches affecting not fewer
than 500 individuals at covered entities or business associates
(as defined in
section 160.
Regulations) that occurred or ended in 2022, with nearly
42,000,000 individuals affected.
SEC. 4.
(a) In General.--The Agency shall coordinate with the Department to
improve cybersecurity in the Healthcare and Public Health Sector.
(b) Agency Liaison to the Department.--
(1) Appointment.--The Director shall, in coordination with
the Secretary, appoint an individual, who shall be an employee
of the Agency or a detailee assigned to the Administration for
Strategic Preparedness and Response Office of the Department by
the Director, to serve as a liaison of the Agency to the
Department, who shall--
(A) have appropriate cybersecurity qualifications
and expertise; and
(B) report directly to the Director.
(2) Responsibilities and duties.--The liaison appointed
under paragraph (1) shall--
(A) serve as a primary contact of the Department to
coordinate cybersecurity issues with the Agency;
(B) support the implementation and execution of the
Plan and assist in the development of updates to the
Plan;
(C) facilitate the sharing of cyber threat
information between the Department and the Agency to
improve understanding of cybersecurity risks and
situational awareness of cybersecurity incidents;
(D) assist in implementing the training described
in section 5;
(E) facilitate coordination between the Agency and
the Department during cybersecurity incidents within
the Healthcare and Public Health Sector; and
(F) perform such other duties as determined
necessary by the Secretary to achieve the goal of
improving the cybersecurity of the Healthcare and
Public Health Sector.
(3) Report.--
(A) Requirement.--Not later than 18 months after
the date of enactment of this Act, the Secretary, in
coordination with the Director, shall submit a report
that describes the activities undertaken to improve
cybersecurity coordination between the Agency and the
Department to--
(i) the Committee on Health, Education,
Labor, and Pensions, the Committee on Finance,
and the Committee on Homeland Security and
Governmental Affairs of the Senate; and
(ii) the Committee on Energy and Commerce,
the Committee on Ways and Means, and the
Committee on Homeland Security of the House of
Representatives.
(B) Contents.--The report submitted under
subparagraph (A) shall include--
(i) a summary of the activities of the
liaison appointed under paragraph (1);
(ii) a description of any challenges to the
effectiveness of the liaison appointed under
paragraph (1) completing the required duties of
the liaison; and
(iii) a study of the feasibility of an
agreement to improve cybersecurity in the
public sector of healthcare.
(c) Resources.--
(1) In general.--The Agency shall coordinate with and make
resources available to Information Sharing and Analysis
Organizations, information sharing and analysis centers, the
sector coordinating councils, and non-Federal entities that are
receiving information shared through programs managed by the
Department.
(2) Scope.--The coordination under paragraph (1) shall
include--
(A) developing products specific to the needs of
Healthcare and Public Health Sector entities; and
(B) sharing information relating to cyber threat
indicators and appropriate defensive measures.
SEC. 5.
The Agency shall make available training to the owners and
operators of covered assets on--
(1) cybersecurity risks to the Healthcare and Public Health
Sector and covered assets; and
(2) ways to mitigate the risks to information systems in
the Healthcare and Public Health Sector.
SEC. 6.
(a) In General.--Not later than 1 year after the date of enactment
of this Act, the Secretary, in coordination with the Director, shall
update the Plan, which shall include the following elements:
(1) An analysis of how identified cybersecurity risks
specifically impact covered assets, including the impact on
rural and small- and medium-sized covered assets.
(2) An evaluation of the challenges the owners and
operators of covered assets face in--
(A) securing--
(i) updated information systems owned,
leased, or relied upon by covered assets;
(ii) medical devices or equipment owned,
leased, or relied upon by covered assets, which
shall include an analysis of the threat
landscape and cybersecurity vulnerabilities of
such medical devices or equipment; and
(iii) sensitive patient health information
and electronic health records;
(B) implementing cybersecurity protocols; and
(C) responding to data breaches or cybersecurity
attacks, including the impact on patient access to
care, quality of patient care, timeliness of health
care delivery, and health outcomes.
(3) An evaluation of the best practices for utilization of
resources from the Agency to support covered assets before,
during, and after data breaches or cybersecurity attacks, such
as by Cyber Security Advisors and Cybersecurity State
Coordinators of the Agency or other similar resources.
(4) An assessment of relevant Healthcare and Public Health
Sector cybersecurity workforce shortages, including--
(A) training, recruitment, and retention issues;
and
(B) recommendations for how to address these
shortages and issues, particularly at rural and small-
and medium-sized covered assets.
(5) An evaluation of the most accessible and timely ways
for the Agency and the Department to communicate and deploy
cybersecurity recommendations and tools to the owners and
operators of covered assets.
(b) Congressional Briefing.--Not later than 120 days after the date
of enactment of this Act, the Secretary, in consultation with the
Director, shall provide a briefing on the updating of the Plan under
subsection (a) to--
(1) the Committee on Health, Education, Labor, and
Pensions, the Committee on Finance, and the Committee on
Homeland Security and Governmental Affairs of the Senate; and
(2) the Committee on Energy and Commerce, the Committee on
Ways and Means, and the Committee on Homeland Security of the
House of Representatives.
SEC. 7.
(a) In General.--The Secretary, in consultation with the Director
and health sector owners and operators, as appropriate, may establish
objective criteria for determining whether a covered asset may be
designated as a high-risk covered asset, provided that such criteria
shall align with the methodology promulgated by the Director for
identifying functions relating to critical infrastructure, as defined
in section 1016(e) of the Critical Infrastructures Protection Act of
2001 (42 U.S.C. 5195c(e)), and associated risk assessments.
(b) List of High-Risk Covered Assets.--
(1) In general.--The Secretary may develop a list of, and
notify, the owners and operators of each covered asset
determined to be a high-risk covered asset using the
methodology promulgated by the Director pursuant to subsection (a).
(2) Biannual updating.--The Secretary may--
(A) biannually review and update the list of high-
risk covered assets developed under paragraph (1); and
(B) notify the owners and operators of each covered
asset added to or removed from the list as part of a
review and update of the list under subparagraph (A).
(3) Notice to congress.--The Secretary shall notify
Congress when an initial list of high-risk covered assets is
developed under paragraph (1) and each time the list is updated
under paragraph (2).
(4) Use.--The list developed and updated under this
subsection may be used by the Department to prioritize resource
allocation to high-risk covered assets to bolster cyber
resilience.
SEC. 8.
(a) Report on Assistance Provided to Entities of Healthcare and
Public Health Sector.--Not later than 120 days after the date of
enactment of this Act, the Agency shall submit to Congress a report on
the organization-wide level of support and activities that the Agency
has provided to the healthcare and public health sector to proactively
prepare the sector to face cyber threats and respond to cyber attacks
when such threats or attacks occur.
(b) Report on Critical Infrastructure Resources.--Not later than 18
months after the date of enactment of this Act, the Comptroller General
of the United States shall submit to Congress a report on Federal
resources available, as of the date of enactment of this Act, for the
Healthcare and Public Health Sector relating to critical
infrastructure, as defined in section 1016(e) of the Critical
Infrastructures Protection Act of 2001 (42 U.S.C. 5195c(e)), including
resources available from recent and ongoing collaboration with the
Director and the Secretary.
SEC. 9.
(a) Agency Actions.--Nothing in this Act shall be construed to
authorize the Secretary or Director to take an action that is not
authorized by this Act or existing law.
(b) Protection of Rights.--Nothing in this Act shall be construed
to permit the violation of the rights of any individual protected by
the Constitution of the United States, including through censorship of
speech protected by the Constitution of the United States or
unauthorized surveillance.
(c) No Additional Funds.--No additional funds are authorized to be
appropriated for the purpose of carrying out this Act.
<all>