Last week, Sen Rosen (D,NV) introduced S 3904, the Healthcare Cybersecurity Act of 2022. The bill would task the Cybersecurity and Infrastructure Security Agency (CISA) with specific responsibilities for supporting the Department of Health and Human Services (HHS) efforts to improve cybersecurity practices within the Healthcare and Public Health Sector. No funding is authorized in this bill.
Moving Forward
Rosen and one of her two cosponsors {Sen Hassan (D,NH)} are members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that this bill would receive bipartisan support in Committee.
The bill is unlikely to make it to the floor of the Senate under regular order. There is a remote possibility that the bill could be taken up by the Senate under the unanimous consent process. The most likely way the bill would move forward would be for it to be included as part of a larger piece of legislation, perhaps as an amendment.
Commentary
In many ways this is just another feel good cybersecurity bill that would make it look like Congress was taking action on a very real problem. The study required in the bill would be the most helpful component of the legislation, but CISA is not required to present it to Congress who would be required to take legislative action to approve additional funding or program authorizations to allow HHS to take significant actions to improve healthcare cybersecurity. And the bill only ‘allows’ HHS to consider the provisions in the report when updating the Healthcare and Public Health Sector Specific Plan. It does not require an update or mandate that the recommendations made be considered when an update is completed. There is not even a requirement for a follow-up GAO report.
The biggest ‘feel good without doing anything of significance’ actions in the bill have to do with the two requirements dealing with Cyber Security Advisors; training and incident response. CSAs are a very limited resource within CISA, with only four or five available per region. At most they are only going to be able to provide corporate level cybersecurity-overview training or ‘report back to CISA’ incident response reviews. And even that will be limited as they are also required to support all of the other critical infrastructure sectors as well.
For more details about the requirements of the bill, see my
article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3904-introduced
- subscription required.
No comments:
Post a Comment