When the House returns to Washington today, one of the first
items on its agenda will be an as-yet-unintroduced
bill, the Pandemic and All-Hazards Preparedness and Advancing Innovation
Act of 2019. This is pretty much the same bill as HR
7328 from the last session which passed in the House by a strongly
bipartisan vote of 367 to
9 (all 9 Nays were from Republicans).
Cybersecurity
The bill contains the same vague cybersecurity provisions
that were seen in HR 7328. The requirements of §703 are not so vague. The bill would require the
Secretary of Health and Human Services to submit to Congress a “strategy for
public health preparedness and response to address cybersecurity threats” {§703(a)(1)}. That
strategy would include:
• Identifying the duties,
functions, and preparedness goals for which the Secretary is responsible in
order to prepare for and respond to such cybersecurity threats, including
metrics by which to measure success in meeting preparedness goals;
• Identifying gaps in public health
capabilities to achieve such preparedness goals; and
• Strategies to address identified gaps and
strengthen public health emergency preparedness and response capabilities to
address such cybersecurity threats.
What is vague is the type of cybersecurity threat that these
strategies would address. The bill relies on 6
USC 1501(5) for the definition of ‘cybersecurity threat’. While that
definition relies on the ICS-inclusive definition of ‘information system’ found
in §1501(9), the
definition of ‘cybersecurity threat’ uses terminology that is more IT-centric; actions
that “may result in an unauthorized effort to adversely impact the security,
availability, confidentiality, or integrity of an information system or
information that is stored on, processed by, or transiting an information system”.
Thus, it
would seem that the bill is targeting classic information system attacks like
ransomware attacks on hospitals or the theft or publication of personally
identifiable information or classified/sensitive information about emergency
response capabilities. Section 703 does not, however, provide any authority to
address these gaps through regulatory actions.
The
conflict in the two §1501 definitions could, however, provide a proactive Secretary
sufficient leeway to include in the strategies potential responses to incidents
related to the release of industrial chemicals resulting from a cyberattack.
Unfortunately, I do not foresee that much foresight from a political appointee
in this Department; certainly not the current Secretary.
Industrial Chemical Incident Response
This bill amends a wide variety of existing laws covered
under 42 USC 201 et seq. While there are frequent mentions of ‘chemical,
biological, radiological, or nuclear agents’ in both the bill and the
underlying statutes, the focus here remains on biological agents. While this is
an understandable view to be taken by HHS, it essentially ignores the more
likely threat of widespread exposure to industrial chemicals released to the
environment through either a deliberate effort or large-scale industrial accident.
As I have pointed out a number of times in this blog and
more recently in my ‘Future ICS
Security News’ blog, the release of any of a wide variety of industrial
chemicals could cause a significant public health situation where local
hospitals and first responders would be ill-equipped to respond with life-saving
measures in a timely manner.
The failure of the medical establishment, including HHS, to
have adequately planned for and stockpiled necessary equipment and
countermeasures is due to a two-part inadequacy in our current system. Local
administrators have no way of knowing the local scope of the potential for
release of toxic industrial chemicals, and, if they had the knowledge, would not
have the funds necessary to prepare for an adequate response on a local basis.
Incidents like the 2015
rural release of acrylonitrile point out the potential problem. If that
relatively minor railroad accident had occurred in an urban area or a more
densely populated suburb, the lack of availability of Cyanokits would have resulted in
a mass casualty event of staggering proportions. Or a potential incident like a
chlorine
attack could lead to a severe shortage of ventilators that could prevent a
large number of deaths in such an attack. These are the types of issues that
should have been included in this bill.
Unfortunately, this bill will not see any committee
consideration and the suspension of the rules process under which it will be considered
today does not provide for any possibility of floor amendments. If/when this
bill is considered in the Senate, it will probably receive the same rubber
stamp approach to passage.
The sad part is that the House Energy and Commerce Committee
will try to address issues like this in their consideration of a bill to
provide for long-term reauthorization of the Chemical Facility Anti-Terrorism
Standards (CFATS) program. While that would certainly be a step forward, the relatively
small number of chemical facilities addressed in that manner and the total lack
of coverage of transportation related issues would ensure that such an effort
would only address a very small part of the problem.