Last week, Sen Rosen (D,NV) introduced S 3904,
the Healthcare Cybersecurity Act of 2022. The bill would task the Cybersecurity
and Infrastructure Security Agency (CISA) with specific responsibilities for
supporting the Department of Health and Human Services (HHS) efforts to improve
cybersecurity practices within the Healthcare and Public Health Sector. No funding
is authorized in this bill.
Moving Forward
Rosen and one of her two cosponsors (Sen Hassan (D,NH)) are
members of the Senate Homeland Security and Governmental Affairs Committee to
which this bill was assigned for consideration. This means that there should be
sufficient influence to see this bill considered in Committee. I see nothing in
this bill that would engender any organized opposition. I suspect that this
bill would receive bipartisan support in Committee.
The bill is unlikely to make it to the floor of the Senate
under regular order. There is a remote possibility that the bill could be taken
up by the Senate under the unanimous consent process. The most likely way the
bill would move forward would be for it to be included as part of a larger
piece of legislation, perhaps as an amendment.
Commentary
In many ways this is just another feel-good cybersecurity
bill that would make it look like Congress was taking action on a very real problem.
The study required in the bill would be the most helpful component of the
legislation, but CISA is not required to present it to Congress, which is the body that would
have to take legislative action to approve the additional funding or program authorizations
needed for HHS to take significant actions to improve healthcare cybersecurity.
And the bill only
‘allows’ HHS to consider the provisions in the report when updating the
Healthcare and Public Health Sector Specific Plan. It does not require an
update or mandate that the recommendations made be considered when an update is
completed. There is not even a requirement for a follow-up GAO report.
The biggest ‘feel good without doing anything of
significance’ actions in the bill have to do with the two requirements dealing
with Cyber Security Advisors (CSAs): training and incident
response. CSAs are a very limited resource within CISA, with only four or
five available per region. At most they are only going to be able to provide
corporate level cybersecurity-overview training or ‘report back to CISA’
incident response reviews. And even that will be limited as they are also
required to support all of the other critical infrastructure sectors as well.
For more details about the requirements of the bill, see my
article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/s-3904-introduced
(subscription required).
Author of this post: PJCoyle