Senator Warner Urges HHS to End Voluntary Cybersecurity Requirements
U.S. Senator Mark R. Warner (D-Va.) wrote a letter last week to U.S. Secretary of Health and Human Services Xavier Becerra and Deputy National Security Advisor Anne Neuberger asking them to quickly develop and publish mandatory minimum cybersecurity standards for the health care sector.
“Both the size and increasing interconnectedness of the sector create a vulnerable attack surface,” Warner said.
WHY IT MATTERS
Warner, co-founder of the Senate Cybersecurity Caucus, said he is concerned not only about the economic risk to one of the largest sectors of the U.S. economy, with health care spending “expected to grow nearly 20% through 2032,” but also about the risks to health care providers and patients.
“Simply put, inadequate cybersecurity practices put people’s lives at risk,” he said in the letter.
Financially motivated threat actors know that protected health information (PHI) is extremely valuable — “medical data is more valuable on the dark market than credit card information,” he said — and it is all too easy to disrupt healthcare providers’ operations, leaving patients unable to access care while their PHI is potentially sold to the highest bidder on the dark web.
In the letter, he did not address known security vulnerabilities at organizations, including Change Healthcare.
The for-profit healthcare payment processing organization was crippled after a ransomware attack in February caused widespread disruptions to operations and patient care. The outage at Change Provider Payments also threatened to close small practices and prevented pharmacists from confirming patients’ drug coverage.
“With some entities failing to implement basic cybersecurity best practices, such as the lack of multi-factor authentication resulting in the successful attack on Change Healthcare, the ability expected of a malicious actor to conduct an operation in the sector may be quite low,” Warner said.
He also highlighted the recent cyberattack on Ascension, one of the largest healthcare nonprofits in the US, and the significant delays in care it caused.
Warner noted that policymakers, cybersecurity professionals and patients have called voluntary cybersecurity in health care “inadequate and dangerous.” He urged Becerra and Neuberger to ensure that the health care industry is fully engaged in “developing, implementing and maintaining a coherent and effective cybersecurity regime” through mandatory cybersecurity requirements.
THE BIGGER TREND
The scale of cyber threats has only increased in severity and cost since healthcare suffered the three largest data breaches of 2015.
In 2022, Warner called for a federal leader in healthcare cybersecurity and presented several regulatory options to spur government action in the policy document Cybersecurity is Patient Safety.
While the U.S. Department of Health and Human Services in December proposed new cybersecurity requirements for hospitals and set voluntary, specific goals for cybersecurity in healthcare, the American Hospital Association opposed the proposal to penalize organizations that violate the rules. The association told lawmakers that sanctions would deprive hospitals like Ascension and other healthcare organizations of funding for their cyber defenses and threaten the closure of cash-strapped healthcare facilities.
“The President’s cybersecurity proposal in his 2025 budget that would penalize hospitals is misguided and will not improve the overall cybersecurity of the health care sector,” AHA said during an HHS budget hearing in April.
We have reached out to AHA for comment and will update this story once a response is available.
ON THE RECORD
“The stakes are too high and the voluntary nature of the status quo does not work, especially when it involves health care stakeholders that are of systemic importance nationally or regionally,” Warner said in the letter.
Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.