Senator Mark Warner, D-Va., has sent letters to four federal agencies and 12 healthcare associations posing long lists of questions as a prelude to developing strategies for improving healthcare cybersecurity.
The letters sent on Monday to the Department of Health and Human Services’ Secretary Alex Azar and leaders at the Food and Drug Administration, the Centers for Medicare and Medicaid Services, and the National Institute of Standards and Technology were similar to letters Warner sent on Feb. 21 to several healthcare associations, including the Healthcare Information Management and Systems Society, the Health Information Sharing and Analysis Center, the American Hospital Association and the American Medical Association.
In each letter, Warner provided strategies on ways to improve cybersecurity in the healthcare sector.
Warner asked for each recipient to respond by March 22 with feedback on how they can develop a national strategy that improves the safety, resilience and security of our healthcare industry.
The letter, citing the Government Accountability Office, says more than 113 million healthcare records were stolen in 2015. Also, a separate study conducted that same year estimated that cyberattacks would cost the U.S. healthcare system $305 million over a five-year period, Warner wrote.
Questions for Agencies
Some of the questions that Warner posed to the federal agencies are:
- To date, what proactive steps has your agency taken to identify and reduce cybersecurity vulnerabilities in the healthcare sector?
- How have you worked to establish an effective national strategy to reduce cybersecurity vulnerabilities in the healthcare sector?
- Has your agency engaged private sector healthcare stakeholders to solicit input on successful strategies to reduce cybersecurity vulnerabilities in the healthcare sector? If so, what has been the result of these efforts?
- Have you worked collaboratively with other federal agencies and stakeholders to establish a federal strategy to reduce cybersecurity vulnerabilities in the healthcare sector? If so, who has led these efforts and what has been the result?
Queries for Industry Groups
The letters to the dozen healthcare sector organizations asked similar questions, as well as a few additional queries, including:
- Does your organization have an up-to-date inventory of all connected systems in your facilities and does your organization have real-time information on the patch status of all connected systems in your facilities?
- How many of your systems rely on beyond end-of-life software and operating systems?
- Are there specific steps your organization has taken to reduce its cybersecurity vulnerabilities that you recommend be implemented industrywide?
- Has the federal government established an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector? If not, what are your recommendations for improvement?
Warner’s letters to healthcare sector organizations included the Health Care Industry Cybersecurity Task Force’s report issued last year, which urges the sector to develop the workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
Furthermore, his letters ask organizations to describe steps already being taken to improve security awareness and grow technical expertise.
In January, HHS, in collaboration with the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership, issued a four-volume set of recommended cybersecurity best practices for healthcare organizations.
The four-volume publication was developed in response to a mandate under the Cybersecurity Information Sharing Act of 2015 to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry.
Adam Greene, an attorney at the law firm Davis Wright Tremaine, says the letters from Warner were a positive move.
According to Greene, “Federal agencies have a lot on their plates. Sometimes it takes letters like these to ensure that cybersecurity remains at the top of the list of priorities.”
Greene hopes to see plans emerge that encourage healthcare sector entities to be more proactive about cybersecurity.
He also states that the healthcare sector needs incentives and an easier way to implement improved cybersecurity.
Some healthcare practices don’t need additional unfunded mandates – they need help. Their focus is patient care, and they have neither the time nor resources to become information security experts.