WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, wrote to various health care stakeholders to seek input on ways to best improve cybersecurity in the health care industry. In the letters, Sen. Warner pointed to apparent gaps in oversight, expressed concern about the impact of cyber-attacks on the health care sector, and conveyed his desire to work alongside health care entities to develop strategies that strengthen information security.
“The increased use of technology in health care certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending. However, the increased use of technology has also left the health care industry more vulnerable to attack,” said Sen. Warner. “As we welcome the benefits of health care technology we must also ensure we are effectively protecting patient information and the essential operations of our health care entities.”
According to the Government Accountability Office, more than 113 million care records were stolen in 2015. A separate study conducted that same year estimated that cyberattacks would cost our health care system $305 million over a five-year period. Furthermore, a 2017 report by Trend Micro found that over 100,000 healthcare devices and systems were exposed directly to the public internet, including electronic health record systems, medical devices, and network equipment.
“I would like to work with you and other industry stakeholders to develop a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector,” Sen. Warner concluded. “It is my hope that with thoughtful and carefully considered feedback we can develop a national strategy that improves the safety, resilience, and security of our health care industry.”
The sensitive nature of medical information makes the health care industry a lucrative target for criminals seeking to profit from personally identifiable information. Medical records often contain private information, including a patient’s social security number, address, and health history. When stolen, this information can be used to conduct identity theft. The importance of continued availability of health data also makes health care organizations lucrative targets for ransomware attacks.
In order to start a dialogue and gather facts about cybersecurity vulnerabilities, Sen. Warner also asked the following questions:
1. What proactive steps has your organization taken to identify and reduce its cyber security vulnerabilities?
2. Does your organization have an up-to-date inventory of all connected systems in your facilities?
3. Does your organization have real-time information on the patch status of all connected systems in your facilities?
4. How many of your systems rely on beyond end-of-life software and operating systems?
5. Are there specific steps your organization has taken to reduce its cybersecurity vulnerabilities that you recommend be implemented industry wide?
6. One of the imperatives from the Health Care Industry Cybersecurity Task Force Report is for the sector to “develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.” To that end, what workforce and personnel challenges does your organization face in terms of security awareness and technical capacity? What steps have you taken to develop the security awareness of your workforce and/or add or grow technical expertise within your organization?
7. Has the federal government established an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector? If not, what are your recommendations for improvement?
8. Are there specific federal laws and/or regulations that you would recommend Congress consider changing in order to improve efforts to combat cyberattacks on health care entities?
9. Are there additional recommendations you would make in establishing an industry wide strategy to improve cybersecurity in the health care sector?
Letters were sent to some of the nation’s largest health stakeholders: the American Hospital Association, AdvaMed, America's Health Insurance Plans, Healthcare Information and Management Systems Society, American Medical Association, Virginia Hospital and Healthcare Association, Virginia Association of Health Plans, National Rural Health Association, Federation of American Hospitals, Healthcare Leadership Council, Health Information Sharing and Analysis Center, and Med ISAO.