Sen. Warner Calls for HHS to Develop Mandatory Minimum Cybersecurity Standards for Healthcare
Cyberattacks on the healthcare sector are increasing in severity, frequency, and sophistication, and unless greater effort is made to harden defenses, attacks are likely to continue to increase. These attacks pose economic risks to the healthcare sector, but far more serious is the threat to patient safety. The February 2024 ransomware attack on Change Healthcare prevented patients from getting timely access to essential medications, and the cyberattack on Ascension caused a system outage that lasted for months, placing patients at serious risk of harm.
On Friday, Sen. Mark Warner (D-VA) wrote to Department of Health and Human Services (HHS) Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger calling for them to quickly develop minimum cybersecurity standards for the healthcare sector. Sen. Warner highlighted the lack of multifactor authentication at Change Healthcare, which allowed a ransomware affiliate to gain the required access to conduct a ransomware attack that took Change Healthcare’s systems out of action for weeks, caused massive financial hardship for many providers, and put patients at risk of harm. “Without basic security measures, these attacks are relatively easy to carry out and will happen with more frequency… the capability required of a threat actor to carry out an operation in the sector can be quite low,” said Sen. Warner.
The HIPAA Security Rule requires administrative, technical, and physical safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), but the rule is more than 2 decades old and is light on detail when it comes to the specific security measures that should be implemented. While the HHS has implemented high-impact cybersecurity performance goals for the healthcare and public health sector, those goals are voluntary.
“I write today to urge you to prioritize the development of mandatory minimum cyber standards and to propose them as soon as possible, given the increasing severity, frequency, and sophistication of cybersecurity threats and attacks,” wrote Sen. Warner. “Health care is one of the largest sectors in the U.S. economy, with health expenditures accounting for 17 percent of the United States’ gross domestic product in 2022, and expected to grow to nearly 20 percent by 2032. More important than the economic risks cyberattacks pose to the health care sector are the vulnerabilities to patients’ access to care and private health information. Simply put, inadequate cybersecurity practices put people’s lives at risk.”
Sen. Warner is a Senate cybersecurity leader who cofounded the bipartisan Senate Cybersecurity Caucus, authored the Internet of Things (IoT) Cybersecurity Improvement Act, co-authored legislation that requires critical infrastructure entities to report cybersecurity incidents to the government, and in 2022, authored a paper, “Cybersecurity is Patient Safety,” which explored the current threat landscape and included several proposals for legislative solutions to strengthen cybersecurity in the healthcare sector. Since that paper was released, cyberattacks on the healthcare sector have continued to increase.
“The health care sector must be fully engaged in developing, implementing, and maintaining a coherent and effective cybersecurity regime; accepting cyberattacks due to lack of preparedness cannot and should not be a cost of doing business,” wrote Sen. Warner. “The stakes are too high, and the voluntary nature of the status quo is not working, especially regarding health care stakeholders that are systemically important nationally or regionally. Mandatory minimum cyber standards would ensure that all health care stakeholders prioritize cybersecurity in their work.”



