Monday, July 29, 2024

Review - S 4697 Introduced – Healthcare Cybersecurity

Earlier this month, Sen Rosen (D,NV) introduced S 4697, the Healthcare Cybersecurity Act of 2024. The bill establishes requirements for: CISA-HHS coordination, CISA healthcare cybersecurity training, CISA-developed sector security plans, and developing criteria for identifying high-risk covered assets. No new funding is authorized by this legislation.

Moving Forward

Rosen and one of her cosponsors {Sen Ossoff (D,GA)} are members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see the bill considered in Committee. I suspect that there would be some level of bipartisan support for this bill, but the Ranking Member {Sen Paul (R,KY)} would be expected to oppose the bill. This would complicate passage in Committee.

Commentary

There is no discussion, or even mention, of the role cybersecurity vulnerabilities in medical software and devices have in abetting the malicious cyberattacks discussed in the §3 findings. This bill would be the ideal place to formalize which agency (FDA or CISA) would be responsible for receiving, coordinating and publishing reports about vulnerabilities in medical software and devices. The FDA has the benefit of being the regulatory agency responsible for oversight of the safety and efficacy of such systems, thus lending gravitas to their potential coordination efforts. Meanwhile, CISA has the technical expertise and experience (and the current de facto responsibility) to manage this effort. I would suggest inserting a new §4(c) into the bill:

“(c) The Agency will assist the Department with establishing within the Food and Drug Administration an office to receive, coordinate, and make public information related to security vulnerabilities (as defined in 6 U.S.C. 650) in medical software and devices.”

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4697-introduced - subscription required.
