Senator Warner pushes for immediate action on mandatory cybersecurity standards for healthcare sector – IndustrialCyber

U.S. Senator Mark R. Warner calls upon the administration to swiftly develop and implement mandatory minimum cyber standards across the healthcare sector. The move follows ongoing concerns about cyberattackers exploiting vulnerabilities in existing systems, and a major cybersecurity incident at Change Healthcare that affected billing and care authorization portals and led to prescription backlogs and missed revenue for providers. 

In a letter to Xavier Becerra, Secretary of the Department of Health and Human Services (HHS), and Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, Senator Warner said that the healthcare sector must be fully engaged in developing, implementing, and maintaining a coherent and effective cybersecurity regime; accepting cyberattacks due to lack of preparedness cannot and should not be a cost of doing business.

“The stakes are too high, and the voluntary nature of the status quo is not working, especially regarding health care stakeholders that are systemically important nationally or regionally,” the Senator wrote. “Mandatory minimum cyber standards would ensure that all healthcare stakeholders prioritize cybersecurity in their work.” 

Highlighting that policymakers, cybersecurity professionals, and patients alike have long been raising the alarm that the voluntary nature of cybersecurity in healthcare is insufficient and dangerous, Senator Warner said, “It’s critical that the Administration expeditiously act to create mandatory, enforceable policies in the health care sector.”

Warner outlined that the Change Healthcare attack, and other similar attempts, pose a serious risk to regular business operations and patient care. He further highlighted that without basic security measures, these attacks are relatively easy to carry out and will happen with more frequency. 

“I write today to urge you to prioritize the development of mandatory minimum cyber standards and to propose them as soon as possible, given the increasing severity, frequency, and sophistication of cybersecurity threats and attacks,” the Democratic senator from Virginia wrote in his letter. “Healthcare is one of the largest sectors in the U.S. economy, with health expenditures accounting for 17 percent of the United States’ gross domestic product in 2022, and expected to grow to nearly 20 percent by 2032.”

He highlighted that more important than the economic risks cyberattacks pose to the healthcare sector are the vulnerabilities to patients’ access to care and private health information. “Simply put, inadequate cybersecurity practices put people’s lives at risk.”

Warner flagged that financially motivated threat actors realize that the sector has highly valuable data in its possession and also faces tremendous pressure to respond quickly to a ransomware demand. 

“Health records are more valuable than credit card records on the dark market and disruptions to operations of healthcare providers have direct impact on the life and well-being of their patients,” the Senator noted. “Due to some entities failing to implement basic cybersecurity best practices, such as the lack of multi-factor authentication resulting in the successful attack on Change Healthcare, the capability required of a threat actor to carry out an operation in the sector can be quite low. Further, both the size and increasingly interconnected nature of the sector create a vulnerable attack surface.”

He observed that not only do attacks against the sector often result in the loss of highly personal and sensitive data, but those attacks have also affected the ability of providers to maintain the availability and quality of their care. 

“We have seen devastating incidents, including the recent cyberattack on Change Healthcare, that ultimately took down the ability of providers to pay their workers and prevented pharmacists from looking up patient insurance and co-pay information,” according to the senator. “The recent cyberattack on the nationwide provider, Ascension, has also resulted in delays in care. And we have a growing body of evidence that clearly demonstrates that cybersecurity is, above all else, a patient safety issue.”

In November 2022, Senator Warner published a policy paper highlighting the vulnerability of the healthcare sector to cyberattacks brought about largely by the reliance on legacy technology. It also focuses on a highly varied attack surface that grows more complex from an increasing number of connected devices, high-pressure environments, chronic funding constraints, and an outdated mode of thinking that views cybersecurity as a secondary or tertiary concern.

Since the publication, he has launched the Health Care Cybersecurity Working Group with a bipartisan group of colleagues to examine and propose potential legislative solutions to strengthen cybersecurity in the healthcare and public health sectors.

This post was originally published on the third-party site mentioned in the title.
