WASHINGTON – Today, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) published “Cybersecurity is Patient Safety,” a policy options paper, outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry.
Over the last decade cyberattacks in the health care sector have risen exponentially, with attacks on providers reaching an all-time high in 2021. The white paper, assembled by Sen. Warner’s staff, drawing on input from health care and cybersecurity experts, argues that improving cybersecurity in the health care sector will require collaboration from both the public and private sectors, and calls for improving federal leadership, strengthening health care providers’ cybersecurity capabilities, and building a robust response system in order to efficiently recover from attacks.
“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities,” wrote Sen. Warner.
Divided in three parts, the white paper is organized as follows:
- Chapter one covers areas that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the health care sector. Specifically, it notes seven key challenges facing federal government agencies with jurisdiction over health care providers and cybersecurity, details the current state of play regarding cybersecurity threats, and outlines policy options for shoring up existing vulnerabilities.
- Chapter two covers ways that the federal government can help the private sector meet this threat through a combination of potential mandates and voluntary incentives to adopt best practices.
- Chapter three covers policies that could help health care providers respond to attacks in the event of a cybersecurity failure. Specifically, it notes ways institutions can recover following successful cyberattacks, and how to limit the resulting impact on patients and systems.
Sen. Warner has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. Recognizing that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus with former Sen. Cory Gardner (R-CO) in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act with Sen. Gardner. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner co-authored legislation that requires companies responsible for U.S. critical infrastructure report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.
Sen. Warner has also examined cybersecurity in the health care sector specifically. In 2019, Sen. Warner sent a letter to several health care providers and industry trade associations – from large hospital networks to trade associations representing rural providers and medical technology vendors – asking a series of questions related to the steps their organizations and/or members had taken to improve their cybersecurity posture. Sen. Warner received a number of thoughtful responses to those questions that revealed a wide-range of cybersecurity capabilities and depth of understanding of the problems health care providers are facing.
Sen. Warner is releasing this policy options document with the intent of soliciting feedback from stake-holders on the potential options described within. Any individuals, researchers, businesses, organizations, or advocacy groups that are interested in submitting comments – specific to the content and questions outlined in this document or additional ideas or language for inclusion in eventual legislation – should send a letter or an email to email@example.com.
A copy of full policy options paper can be found here.