Senator Seeks Input on Health Care Cyber Strategy

Sen. Mark Warner, D-Va., is on a mission to strengthen the cybersecurity posture of the nation’s health care sector and is starting by soliciting feedback from the sector itself.

The senator sent a letter to 12 health care organizations, including hospital and insurance associations and the cybersecurity information sharing and analysis organizations, or ISAOs, that cover the medical industry.

“I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector,” Warner wrote. “In the coming weeks I plan to seek broad input from leading public and private health care entities. I am reaching out to you to start that dialogue.”

The most high-profile attack on the health sector to date, the 2017 WannaCry ransomware worm, took hospitals and health networks offline in the United Kingdom, among other far-reaching disruptions. While the U.S. health sector was largely unscathed—in part due to fast action and cooperation from federal agencies and the private sector—the incident shows what a widescale attack could do.

Further, Warner cites statistics from the Government Accountability Office that 113 million patient records were stolen by cyberthieves in 2015, a number expected to climb year over year. A study by Accenture in the same year pegged the total cost of cyberattacks against health care providers at more than $305 billion over five years, he noted.

“These incidents have impacted some of our largest hospital systems, insurance companies, laboratories and the millions of patients who are served by them,” Warner wrote. “Despite past breaches, private and public sector security experts have observed that our nation’s vast health care economy is still fraught with cybersecurity vulnerabilities.”

Warner asked each of the recipients to answer nine questions:

• What proactive steps has your organization taken to identify and reduce its cybersecurity vulnerabilities?
• Does your organization have an up-to-date inventory of all connected systems in your facilities?
• Does your organization have real-time information on the patch status of all connected systems in your facilities?
• How many of your systems rely on beyond end-of-life software and operating systems?
• Are there specific steps your organization has taken to reduce its cybersecurity vulnerabilities that you recommend be implemented industrywide?
• One of the imperatives from the Health Care Industry Cybersecurity Task Force Report is for the sector to “develop the heath care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.” To that end, what workforce and personnel challenges does your organization face in terms of security awareness and technical capacity? What steps have you taken to develop the security awareness of your workforce and/or add or grow technical expertise within your organization?
• Has the federal government established an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector? If not, what are your recommendations for improvement?
• Are there specific federal laws and/or regulations that you would recommend Congress consider changing in order to improve efforts to combat cyberattacks on health care entities?
• Are there additional recommendations you would make in establishing an industrywide strategy to improve cybersecurity in the health care sector?