A senator is pressing stakeholders from across the healthcare spectrum, including federal agencies and healthcare entities, to work better to protect patient data and mitigate vulnerabilities.
Senator Mark Warner (D-VA) asked four agencies on Monday - the Food and Drug Administration, the Department of Health and Human Services, the Centers for Medicare and Medicaid Services, and the National Institute of Standards and Technology - what the departments have been doing and what they plan on doing to remediate cybersecurity vulnerabilities in the healthcare sector.
Warner, calling the industry a "lucrative target," cited several statistics of late in his letters, including a Government Accountability Office report that over 113 million patient healthcare records were stolen in 2015 and a study by Accenture from the same year that posited healthcare cyberattacks would cost the industry $305 billion over a five-year period.
"A successful breach of a patient's health record often yields information such as social security numbers, home addresses, health histories and other sensitive records that can be sold or used for identity theft. Additionally, hackers know they can obtain large payments from ransomware attacks on health care entities that have valuable patient records and sensitive operations impacting patient safety," Warner wrote in the letters.
The letters, essentially a fact-finding mission by Warner, followed a similar effort, nearly identical letters to a handful of healthcare organizations, last Thursday.
Warner mailed letters to a dozen organizations including the American Hospital Association, the Healthcare Information and Management Systems Society (HIMSS), and the American Medical Association, in addition to orgs in his own constituency, like the Virginia Hospital and Healthcare Association and the Virginia Association of Health Plans.
According to Warner, who also serves as a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, the aim of all the letters is to develop a national strategy to improve the "safety, resilience, and security of our health care industry."
The questions are all-encompassing and really run the gamut; Warner is curious what organizations are doing to identify and mitigate vulnerabilities, yes, but he's also wondering what their patching process is like, if their networks are built on legacy systems, and if they've taken the right steps to amplify "security awareness" within their organization. More importantly perhaps, Warner is making sure the government is doing all it can to help healthcare organizations combat cyberattacks. He's asking officials at both federal agencies and healthcare entities whether they have any recommendations for improving cybersecurity throughout the sector, whether there are any laws or regulations they'd change, and essentially whether Congress is doing enough.
The questions the senator asked Monday include:
- To date, what proactive steps has your Department/Agency taken to identify and reduce cyber security vulnerabilities in the health care sector?
- How has your Department/Agency worked to establish an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector?
- Has your Department/Agency engaged private sector health care stakeholders to solicit input on successful strategies to reduce cybersecurity vulnerabilities in the health care sector? If so, what has been the result of these efforts?
- Has your Department/Agency worked collaboratively with other federal agencies and stakeholders to establish a federal strategy to reduce cybersecurity vulnerabilities in the health care sector? If so, who has led these efforts and what has been the result?
- Are there specific federal laws and/or regulations that you would recommend Congress consider changing in order to improve your efforts to combat cyberattacks on health care entities?
- Are there additional recommendations you would make in establishing a national strategy to improve cybersecurity in the health care sector?
Warner has been one of the more outspoken advocates when it comes to privacy and cybersecurity regulation of late. He's been at the forefront of efforts to ban Huawei, calling the Chinese telecom a threat to national security. He also went on record in December proposing a new U.S. "cyber doctrine" to respond to cyber and misinformation threats facing the country.
Warner's concerns over healthcare security come - pardon the pun - amid an epidemic for the industry. Research released last week said there was at least one health data breach a day and 503 overall in 2018. While those numbers are high, it's the increase in actual breached records, from 5,579,438 records in 2017 to 15,085,302 records in 2018, that drew eyes last week.