Title 6, Domestic Security. Release point: 119-73not60

§1533 Improving Cybersecurity in the Health Care Industry

Title 6, Chapter 6 (Cybersecurity), Subchapter III (Other Cyber Matters), § 1533

Last updated Apr 3, 2026 | Official source

Summary

Requires the Secretary of Health and Human Services to do three main things.

First, by December 18, 2016 (one year after enactment), send a report to the Senate Committee on Health, Education, Labor, and Pensions and the House Committee on Energy and Commerce on how prepared HHS and health care industry stakeholders are to respond to cybersecurity threats. For HHS's own internal response, the report must name the official responsible for leading and coordinating the Department's health care cybersecurity efforts, and must include a plan from each relevant operating division and subdivision on how it will address such threats, divide responsibility among its personnel, and communicate with the other divisions.

Second, within 90 days after December 18, 2015 (that is, by March 17, 2016), in consultation with NIST and DHS, convene health care industry stakeholders, cybersecurity experts, and any appropriate federal agencies as a task force to: study how industries other than health care have addressed cybersecurity threats; analyze the challenges that private health care entities (excluding State, tribal, and local governments) face in securing themselves; review the problems covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record; give the Secretary information to disseminate to stakeholders of all sizes on preparing for and responding to threats; establish a plan for implementing subchapter I of this chapter so that the federal government and stakeholders can share actionable cyber threat indicators and defensive measures in real time; and report its findings and recommendations to the appropriate congressional committees. The task force terminates one year after it is established, and the Secretary must disseminate its preparedness information to stakeholders within 60 days after that.

Third, through a collaborative process with DHS, NIST, health care industry stakeholders, and any other appropriate federal or non-federal entity, establish a common set of voluntary, consensus-based, industry-led guidelines, best practices, methodologies, procedures, and processes that serve as a resource for cost-effectively reducing cybersecurity risk, support voluntary adoption of safeguards, are consistent with the NIST work under 15 U.S.C. 272(c)(15), the HIPAA security and privacy regulations, and the HITECH Act, and are updated regularly and applicable to a range of health care organizations.

The Secretary may incorporate activities already ongoing as of the day before December 18, 2015 that are consistent with these objectives. The guidelines are voluntary: the section grants the Secretary no authority to audit compliance or to mandate, direct, or condition any federal grant, contract, or purchase on compliance, and a stakeholder incurs no liability for choosing not to take part in the voluntary activities or follow the guidelines. Nothing in the section limits the antitrust exemption in section 1503(e) or the liability protection in section 1505 of this title.

Definitions (one per line):
"Appropriate congressional committees": Senate Committee on Health, Education, Labor, and Pensions; Senate Committee on Homeland Security and Governmental Affairs; Senate Select Committee on Intelligence; House Committee on Energy and Commerce; House Committee on Homeland Security; House Permanent Select Committee on Intelligence.
"Business associate", "covered entity", "health care clearinghouse", "health care provider", and "health plan": as defined in 45 C.F.R. 160.103 as in effect on December 17, 2015.
"Cybersecurity threat", "cyber threat indicator", "defensive measure", "Federal entity", "non-Federal entity", and "private entity": as defined in section 1501 of this title.
"Health care industry stakeholder": any health plan, health care clearinghouse, or health care provider; patient or consumer advocate; pharmacist; developer or vendor of health information technology; laboratory; pharmaceutical or medical device manufacturer; or additional stakeholder the Secretary determines necessary.
"Secretary": the Secretary of Health and Human Services.

Full Legal Text

Title 6, § 1533 (Domestic Security). Source: USLM XML via OLRC

(a) In this section:
(1) The term “appropriate congressional committees” means—
(A) the Committee on Health, Education, Labor, and Pensions, the Committee on Homeland Security and Governmental Affairs, and the Select Committee on Intelligence of the Senate; and
(B) the Committee on Energy and Commerce, the Committee on Homeland Security, and the Permanent Select Committee on Intelligence of the House of Representatives.
(2) The term “business associate” has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before December 18, 2015).
(3) The term “covered entity” has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before December 18, 2015).
(4) The terms “cybersecurity threat”, “cyber threat indicator”, “defensive measure”, “Federal entity”, “non-Federal entity”, and “private entity” have the meanings given such terms in section 1501 of this title.
(5) The terms “health care clearinghouse”, “health care provider”, and “health plan” have the meanings given such terms in section 160.103 of title 45, Code of Federal Regulations (as in effect on the day before December 18, 2015).
(6) The term “health care industry stakeholder” means any—
(A) health plan, health care clearinghouse, or health care provider;
(B) advocate for patients or consumers;
(C) pharmacist;
(D) developer or vendor of health information technology;
(E) laboratory;
(F) pharmaceutical or medical device manufacturer; or
(G) additional stakeholder the Secretary determines necessary for purposes of subsection (b)(1), (c)(1), (c)(3), or (d)(1).
(7) The term “Secretary” means the Secretary of Health and Human Services.
(b)(1) Not later than 1 year after December 18, 2015, the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives a report on the preparedness of the Department of Health and Human Services and health care industry stakeholders in responding to cybersecurity threats.
(2) With respect to the internal response of the Department of Health and Human Services to emerging cybersecurity threats, the report under paragraph (1) shall include—
(A) a clear statement of the official within the Department of Health and Human Services to be responsible for leading and coordinating efforts of the Department regarding cybersecurity threats in the health care industry; and
(B) a plan from each relevant operating division and subdivision of the Department of Health and Human Services on how such division or subdivision will address cybersecurity threats in the health care industry, including a clear delineation of how each such division or subdivision will divide responsibility among the personnel of such division or subdivision and communicate with other such divisions and subdivisions regarding efforts to address such threats.
(c)(1) Not later than 90 days after December 18, 2015, the Secretary, in consultation with the Director of the National Institute of Standards and Technology and the Secretary of Homeland Security, shall convene health care industry stakeholders, cybersecurity experts, and any Federal agencies or entities the Secretary determines appropriate to establish a task force to—
(A) analyze how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
(B) analyze challenges and barriers private entities (excluding any State, tribal, or local government) in the health care industry face securing themselves against cyber attacks;
(C) review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record;
(D) provide the Secretary with information to disseminate to health care industry stakeholders of all sizes for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry;
(E) establish a plan for implementing subchapter I of this chapter, so that the Federal Government and health care industry stakeholders may in real time, share actionable cyber threat indicators and defensive measures; and
(F) report to the appropriate congressional committees on the findings and recommendations of the task force regarding carrying out subparagraphs (A) through (E).
(2) The task force established under this subsection shall terminate on the date that is 1 year after the date on which such task force is established.
(3) Not later than 60 days after the termination of the task force established under this subsection, the Secretary shall disseminate the information described in paragraph (1)(D) to health care industry stakeholders in accordance with such paragraph.
(d)(1) The Secretary shall establish, through a collaborative process with the Secretary of Homeland Security, health care industry stakeholders, the Director of the National Institute of Standards and Technology, and any Federal entity or non-Federal entity the Secretary determines appropriate, a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that—
(A) serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations;
(B) support voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats;
(C) are consistent with—
(i) the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 272(c)(15) of title 15;
(ii) the security and privacy regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note); and
(iii) the provisions of the Health Information Technology for Economic and Clinical Health Act (title XIII of division A, and title IV of division B, of Public Law 111–5), and the amendments made by such Act; and
(D) are updated on a regular basis and applicable to a range of health care organizations.
(2) Nothing in this subsection shall be interpreted as granting the Secretary authority to—
(A) provide for audits to ensure that health care organizations are in compliance with this subsection; or
(B) mandate, direct, or condition the award of any Federal grant, contract, or purchase, on compliance with this subsection.
(3) Nothing in this section shall be construed to subject a health care industry stakeholder to liability for choosing not to engage in the voluntary activities authorized or guidelines developed under this subsection.
(e) In carrying out the activities under this section, the Secretary may incorporate activities that are ongoing as of the day before December 18, 2015 and that are consistent with the objectives of this section.
(f) Nothing in this section shall be construed to limit the antitrust exemption under section 1503(e) of this title or the protection from liability under section 1505 of this title.

Editorial Notes

References in Text

Section 264(c) of the Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (d)(1)(C)(ii), is section 264(c) of Pub. L. 104–191, which is set out as a note under section 1320d–2 of Title 42, The Public Health and Welfare. The Health Information Technology for Economic and Clinical Health Act, referred to in subsec. (d)(1)(C)(iii), is title XIII of div. A and title IV of div. B of Pub. L. 111–5, Feb. 17, 2009, 123 Stat. 226, 467, also known as the HITECH Act. For complete classification of this Act to the Code, see Short Title of 2009 Amendment note set out under section 201 of Title 42, The Public Health and Welfare, and Tables.

Citation

6 U.S.C. § 1533