Sen. Warner Demands Answers on Healthcare CybersecurityWrites Letters to HHS, NIST, Industry Groups Posing Long Lists of Questions
Senator Mark Warner, D-Va., has sent letters to four federal agencies and 12 healthcare associations posing long lists of questions as a prelude to developing short-term and long-term strategies for improving healthcare cybersecurity.
The letters sent Monday to the Department of Health and Human Services' Secretary Alex Azar and leaders at the Food and Drug Administration, the Centers for Medicare and Medicaid Services, and the National Institute of Standards and Technology were similar to letters Warner sent on Feb. 21 to a dozen healthcare associations, including the Healthcare Information Management and Systems Society, the Health Information Sharing and Analysis Center, the American Hospital Association and the American Medical Association.
In each letter, Warner - who is a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus - sought input on the best ways to improve cybersecurity in the healthcare sector.
Warner asked for each recipient to respond by March 22.
"It is my hope that with thoughtful and carefully considered feedback, we can develop a national strategy that improves the safety, resilience and security of our healthcare industry," Warner wrote in the letters and in a statement.
The letters noted that according to the Government Accountability Office, more than 113 million healthcare records were stolen in 2015. A separate study conducted that same year estimated that cyberattacks would cost the U.S. healthcare system $305 million over a five-year period, Warner wrote.
Questions for Agencies
Among the questions that Warner posed to the the federal agencies are:
- To date, what proactive steps has your agency taken to identify and reduce cybersecurity vulnerabilities in the healthcare sector?
- How have you worked to establish an effective national strategy to reduce cybersecurity vulnerabilities in the healthcare sector?
- Has your agency engaged private sector healthcare stakeholders to solicit input on successful strategies to reduce cybersecurity vulnerabilities in the healthcare sector? If so, what has been the result of these efforts?
- Have you worked collaboratively with other federal agencies and stakeholders to establish a federal strategy to reduce cybersecurity vulnerabilities in the healthcare sector? If so, who has led these efforts and what has been the result?
- Are there specific federal laws or regulations that you would recommend Congress consider changing to improve your efforts to combat cyberattacks on healthcare entities?
- Are there additional recommendations you would make for establishing a national strategy to improve cybersecurity in the healthcare sector?
Queries for Industry Groups
The letters to the dozen healthcare sector organizations asked similar questions, as well as a few additional queries, including:
- Does your organization have an up-to-date inventory of all connected systems in your facilities and does your organization have real-time information on that patch status of all connected systems in your facilities?
- How many of your systems rely on beyond end-of-life software and operating systems?
- Are there specific steps your organization has taken to reduce its cybersecurity vulnerabilities that you recommend be implemented industrywide?
- Has the federal government established an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector? If not, what are your recommendations for improvement?
Warner's letters to healthcare sector organizations note that the Health Care Industry Cybersecurity Task Force's report issued last year urged the sector to develop the workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
"Sometimes it takes letters like these to ensure that cybersecurity remains at the top of the list of priorities."
—Adam Greene, Davis Wright Tremaine
In his letters, he asks organizations to describe steps already being taken to improve security awareness and grow technical expertise.
In January, HHS in collaboration with the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership issued a four-volume set of recommended cybersecurity best practices for healthcare organizations (see: HHS Publishes Guide to Cybersecurity Best Practices).
The creation of the four-volume publication was in response to a mandate under the Cybersecurity Information Sharing Act of 2015 to develop "practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry."
A spokeswoman for Warner declined to comment on what the senator plans to do next once he receives responses to his letters.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the letters from Warner are a positive move.
"Letters such as Senator Warner's help maintain a spotlight on federal agencies' cybersecurity efforts. I much prefer a proactive Congressional letter, rather than a large breach, to keep agencies focused on prioritizing information security," he says.
"I am glad that Congress, in its oversight capacity, is watching to make sure that all federal agencies are vigilantly addressing cybersecurity risks in their respective backyards. Federal agencies have a lot on their plates. Sometimes it takes letters like these to ensure that cybersecurity remains at the top of the list of priorities."
Greene hopes to see plans emerge that encourage healthcare sector entities to be more proactive about cybersecurity.
"For much of the healthcare sector, there need to be incentives and easiness to implement improved cybersecurity," he says.
"Small healthcare practices don't need additional unfounded mandates - they need help. Their focus is patient care, and they have neither the time nor resources to become information security experts. Unless cybersecurity becomes easier and better incentivized, it will remain difficult for much of the healthcare sector to turn their attention to it."