WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote today to the leaders of four federal agencies and departments, seeking details on any measures being taken by the federal government to reduce vulnerabilities in the health care sector. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care industry, asked for strategic recommendations, and conveyed his desire to work alongside federal agencies and health care entities to develop strategies that strengthen information security. Sen. Warner also sent letters last week to major health care entities, including the American Hospital Association, American Medical Association, Virginia Hospital and Healthcare Association, and others.

“The increased use of technology in health care certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending. However, the increased use of technology has also left the health care industry more vulnerable to attack,” said Sen. Warner. “As we welcome the benefits of health care technology we must also ensure we are effectively protecting patient information and the essential operations of our health care entities.” 

According to the Government Accountability Office, more than 113 million care records were stolen in 2015. A separate study conducted that same year estimated that the cost of cyberattacks would cost our health care system $305 million over a five-year period. Furthermore, a 2017 report by Trend Micro found that over 100,000 healthcare devices and systems were exposed directly to the public internet, including electronic health record systems, medical devices, and network equipment. 

Sen. Warner concluded the letters by noting that he would like to work with the agencies “to develop a short- and long-term strategy reducing cybersecurity vulnerabilities in the health care sector…It is my hope that with thoughtful and carefully considered feedback we can develop a national strategy that improves the safety, resilience, and security of our health care industry.”

The sensitive nature of medical information makes the health care industry a lucrative target for criminals seeking to profit from personally identifiable information. Medical records often contain private information, including a patient’s social security number, address, and health history. When stolen, this information can be used to conduct identity theft. The importance of continued availability of health data also makes health care organizations lucrative targets for ransomware attacks. 

In order to gauge existing risks and gather facts to develop a long- and short-term security strategy, Sen. Warner asked the following questions of each agency and department:

1. To date, what proactive steps has your Department/Agency taken to identify and reduce cyber security vulnerabilities in the health care sector?
2. How has your Department/Agency worked to establish an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector?
3. Has your Department/Agency engaged private sector health care stakeholders to solicit input on successful strategies to reduce cybersecurity vulnerabilities in the health care sector? If so, what has been the result of these efforts? 
4. Has your Department/Agency worked collaboratively with other federal agencies and stakeholders to establish a federal strategy to reduce cybersecurity vulnerabilities in the health care sector? If so, who has led these efforts and what has been the result?
5. Are there specific federal laws and/or regulations that you would recommend Congress consider changing in order to improve your efforts to combat cyberattacks on health care entities?
6. Are there additional recommendations you would make in establishing a national strategy to improve cybersecurity in the health care sector? 

Letters were sent to the Food and Drug Administration, Department of Health and Human Services, Centers for Medicare and Medicaid Services, and National Institute of Standards and Technology.

###