Showing posts with label S 3773. Show all posts

Wednesday, July 3, 2024

Review - HR 8415 Introduced – HHS Cybersecurity

In May, Rep Steel (R,CA) introduced HR 8415, the Strengthening Cybersecurity in Health Care Act. The bill would require the Health and Human Services Department Inspector General to conduct penetration tests and other testing procedures to determine how systems processing, transmitting, or storing mission critical or sensitive data by, for, or on behalf of the Department are currently, or could be, compromised. No new funding is provided by the bill.

The bill is very similar to S 3773, introduced in February by Sen Rubio (R,FL). No action has been taken in the Senate on that legislation.

Moving Forward

While Steel is not a member of the House Energy and Commerce Committee to which this bill was assigned for consideration, one of her cosponsors {Rep Miller-Meeks (R,IA)} is a member of that Committee. This means that there may be sufficient influence to see the bill considered in committee. I suspect that there will be some level of bipartisan support for this legislation, but I am not sure that it would be sufficient to allow the bill to be considered under the suspension of the rules process, which requires a supermajority for passage.

Commentary

As I noted in my post on S 3773, HHS has little in the way of internal clinics that might be affected by such testing, so it is unlikely that there will be any medical devices covered by the requirements of this bill. I really mention it here because of the unique requirement for IG cybersecurity testing. This is well within the scope of operations of inspectors general, if probably outside of the existing skill sets for those organizations. While not wishing to see CISA’s prominence in government cybersecurity efforts diminished, I think that this might be a good requirement for each inspector general office in the federal government. And it might provide an interesting internal skill set that could be used in other IG investigations.

 

For more details about the provisions of this bill and its differences from S 3773, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8415-introduced - subscription required.

Thursday, May 16, 2024

Bills Introduced – 5-15-24

Yesterday, with both the House and Senate in session, there were 56 bills introduced. One of those bills will receive additional attention in this blog:

HR 8415 To require the Inspector General of the Department of Health and Human Services to evaluate the cybersecurity practices and protocols of the Department, and for other purposes. Steel, Michelle [Rep.-R-CA-45]

This bill seems to be similar in intent to S 3773, the Strengthening Cybersecurity in Health Care Act, which was introduced last month by Sen Rubio (R,FL). That bill has seen no action in the Senate.

Thursday, April 25, 2024

Review - S 3773 Introduced – HHS Cybersecurity Testing

In February, Sen Rubio (R,FL) introduced S 3773, the Strengthening Cybersecurity in Health Care Act. The bill would require the Health and Human Services Department Inspector General to conduct penetration tests and other testing procedures to determine how systems processing, transmitting, or storing mission critical or sensitive data by, for, or on behalf of the Department are currently, or could be, compromised. No new funding is provided by the bill.

Moving Forward

While Rubio is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Hassan (D,NH)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything that would engender any organized opposition to the bill. I suspect that there would be some level of bipartisan support for the legislation if it were considered.

This bill is not politically important enough to consume the time necessary for consideration in the Senate under regular order. This bill might be able to pass under the Senate’s unanimous consent process, but that process always faces the potential for opposition unrelated to the provisions of the bill. This bill is well suited to being included in the annual HHS spending bill and Rubio, a member of the Senate Appropriations Committee, is well placed to see that happen.

Commentary

HHS has little in the way of internal clinics that might be affected by such testing, so it is unlikely that there will be any medical devices covered by the requirements of this bill. I really mention it here because of the unique requirement for IG cybersecurity testing. This is well within the scope of operations of inspectors general, if probably outside of the existing skill sets for those organizations. While not wishing to see CISA’s prominence in government cybersecurity efforts diminished, I think that this might be a good requirement for each inspector general office in the federal government. And it might provide an interesting internal skill set that could be used in other IG investigations.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3773-introduced - subscription required.

Friday, February 9, 2024

Bills Introduced – 2-8-24

Yesterday, with just the Senate in session, there were 35 bills introduced. Two of those bills may receive additional attention here:

S 3773 A bill to require the Inspector General of the Department of Health and Human Services to evaluate the cybersecurity practices and protocols of the Department, and for other purposes. Rubio, Marco [Sen.-R-FL]

S 3792 A bill to expand the functions of the National Institute of Standards and Technology to include workforce frameworks for critical and emerging technologies, to require the Director of the National Institute of Standards and Technology to develop an artificial intelligence workforce framework, and periodically review and update the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity, and for other purposes.

I will be watching S 3773 for language and definitions that would specifically include operational technology like building control systems and security systems within the scope of the requirements.

I will be watching S 3792 for language and definitions that would specifically include or enhance 
 