Section 1. Short title
This Act may be cited as the Healthcare Cybersecurity Improvement Act.
Section 2. Findings
Congress finds that—
(1) the Department of Health and Human Services found that ransomware attacks on hospitals have more than doubled from 2019 to 2020, with more than 239,000,000 attacks attempted;
(2) in 2020, over 630 health care organizations were subject to data breaches, leading to over 29,000,000 health records publicly released; and
(3) studies indicate that attacks on our nation’s health care systems will only increase as hospitals are forced to balance health care costs with an increasingly digital health care system.
(a) Establishment
Not later than 120 days after the date of the enactment of this Act, the Secretary of Health and Human Services (in this Act referred to as the “Secretary”) shall, in consultation, as appropriate, with other relevant officials within the Department of Health and Human Services, including the Commissioner of Food and Drugs, the Assistant Secretary for Preparedness and Response, and the Officer for Civil Rights and Civil Liberties, establish a center for purposes of coordinating cybersecurity across the health care sector to be known as the Health Sector Cybersecurity Coordination Center (in this section referred to as the “Center”).
(b) Duties
The Center shall—
(1) support the defense of the information technology infrastructure of the health care sector, including by—
(A) strengthening coordination and information sharing within the sector; and
(B) developing a plan to protect, detect, respond to, and recover from cybersecurity risks and incidents, including for entities with limited technical capacity; and
(2) develop and support technical capabilities and provide advice regarding the development of standards, to prevent and mitigate cyber attacks, including—
(A) the Commissioner of Food and Drugs; and
(B) the Assistant Secretary for Preparedness and Response.
(a) Establishment
Not later than 1 year after the date of the enactment of this Act, the Secretary shall establish a program to be known as the Health Care Cybersecurity Grant Program for the purpose of awarding grants to eligible entities to obtain equipment and software and hire information technology staff to ensure the protection of critical information systems.
(b) Grant amount
Not later than 90 days after funds are made available to carry out this section, the Secretary shall publish the maximum amount of a grant available under this section, as determined by the Secretary.
(c) Report
Not later than 5 years after the date of the enactment of this Act, the Secretary shall prepare and submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the activities and outcomes of the grant program under this section.
(d) Definitions
In this section:
(1) Eligible entity
The term “eligible entity” means a—
(A) hospital with fewer than 300 beds for the provision of patient care; or
(B) rural health clinic.
(2) Hospital
The term “hospital” means a hospital, as defined in section 1861(e) of the Social Security Act (42 U.S.C. 1395x(e)), or a critical access hospital, as defined in section 1861(mm)(1) of such Act (42 U.S.C. 1395x(mm)(1)).
(3) Rural health clinic
The term “rural health clinic” has the meaning given such term in section 1861(aa) of the Social Security Act (42 U.S.C. 1395x(aa)(2)).
(a) Establishment
Not later than 1 year after the date of the enactment of this Act, the Director of the National Institute of Standards and Technology, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency and the heads of appropriate Federal agencies, shall develop standards for the protection of information security networks and digital medical devices in hospitals.
(b) Consideration
In developing standards under subsection (a), the Director shall take into consideration—
(1) current Federal standards and guidelines, including—
(A) standards and guidelines developed under section 4 of the Internet of Things Cybersecurity Improvement Act of 2020 (15 U.S.C. 278g–b);
(B) standards promulgated under section 405(d) of the Cybersecurity Act of 2015 (6 U.S.C. 1533); and
(C) standards developed by the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security with respect to critical infrastructure (as defined in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e))); and
(2) general security practices, including—
(A) network segmentation between medical devices and patient information; and
(B) the methods used to detect medical devices connected to the internal network of a hospital.
(1) Medicare
Section 1866(a)(1) of the Social Security Act (42 U.S.C. 1395cc(a)(1)) is amended—
(A) in subparagraph (X), by striking “and” at the end;
(B) in subparagraph (Y)(ii)(V), by striking the period and inserting “, and”; and
(C) by inserting after subparagraph (Y) the following new subparagraph:
“(Z) in the case of a hospital or a critical access hospital, beginning on the date that is 2 years after the date of the enactment of this subparagraph, to comply with the standards developed under section 5(a) of the Healthcare Cybersecurity Improvement Act.”
(2) Medicaid
Section 1902(a) of the Social Security Act (42 U.S.C. 1396a(a)) is amended—
(A) in paragraph (86), by striking “and” at the end;
(B) in paragraph (87)(D), by striking the period and inserting “; and”; and
(C) by inserting after paragraph (87) the following new paragraph:
“(88) provide that, beginning on the date that is 2 years after the date of the enactment of this paragraph, no hospital be eligible to participate under the plan (or a waiver of such plan) unless such hospital complies with the standards developed under section 5(a) of the Healthcare Cybersecurity Improvement Act.”
(d) Quinquennial review and revision
Not later than 5 years after the date on which the Secretary publishes the standards under subsection (a), and not less frequently than once every 5 years thereafter, the Secretary shall review and revise such standards, as appropriate.
(a) In general
Notwithstanding any other provision of law, a large hospital shall not be liable in any covered civil action to a smaller health entity if such hospital provided cybersecurity assistance to such entity with respect to electronic data, unless such entity can prove by clear and convincing evidence that the alleged harm was caused by gross negligence or willful misconduct.
(b) Exception
For purposes of this section, any acts or omissions by a large hospital resulting from a resource or staffing shortage shall not be considered willful misconduct or gross negligence.
(c) Definitions
In this section:
(1) Covered civil action
The term “covered civil action” means a civil action under State law from harm resulting from the acquisition, storage, security, use, misuse, disclosure, or transmission of electronic data of any kind, including—
(A) information security and privacy;
(B) penalties, including for regulatory defense;
(C) misuse of website media content; and
(D) disclosure, misuse, or improper (or inadequate) storage or security of personal and confidential information.
(2) Large hospital
The term “large hospital” means a hospital with 300 or more beds for the provision of patient care.
(3) Hospital
The term “hospital” has the meaning given such term in section 1861(e) of the Social Security Act (42 U.S.C. 1395x).
(4) Rural health clinic
The term “rural health clinic” has the meaning given such term in section 1861(aa) of the Social Security Act (42 U.S.C. 1395x(aa)(2)).
(5) Small health entity
The term “small health entity” means—
(A) a hospital with fewer than 299 beds for the provision of patient care; and
(B) a rural health clinic.