Senator Warner Urges HHS to End Voluntary Cybersecurity Requirements



Last week, U.S. Sen. Mark R. Warner, D-Va., wrote to Health and Human Services Secretary Xavier Becerra and Deputy National Security Adviser Anne Neuberger asking them to quickly develop and publish mandatory minimum cybersecurity standards for the health care sector.

“Both the scale and increasingly interconnected nature of this industry create a vulnerable attack surface,” Warner said.

WHY IT MATTERS

Warner, who co-founded the Senate Cybersecurity Caucus, said he was concerned not only about the economic risk to one of the largest sectors of the US economy, with healthcare spending “expected to increase by nearly 20% by 2032,” but also about the risk to providers and patients.

“Simply put, inadequate cybersecurity measures can put human lives at risk,” he wrote in the letter.

Financially motivated threat actors know that PHI is valuable—“health records are worth more than credit card records on the black market,” he said—and that disrupting a health care provider’s operations, leaving patients without care and their PHI potentially for sale to the highest bidder on the dark web, is all too easy.

In the letter, he made no allusion to known security vulnerabilities at multiple organizations, including Change Healthcare.

The for-profit healthcare payment processor was crippled by a ransomware attack in February, causing widespread disruptions to provider operations and patient care. The Change outage also threatened to close small clinics and prevented pharmacists from verifying patients’ drug coverage.

“Given that some entities failed to implement basic cybersecurity best practices, such as the lack of multi-factor authentication that led to the successful attack on Change Healthcare, the threat actor’s capabilities to conduct an operation in this area may be quite low,” Warner alleged.

He also highlighted the recent cyberattack on Ascension, one of the largest nonprofit health care systems in the United States, and the significant delays in care it caused.

Noting that policymakers, cybersecurity experts and patients are calling voluntary healthcare cybersecurity “insufficient and dangerous,” Warner urged Becerra and Neuberger to ensure that the healthcare industry is fully engaged in “developing, implementing and maintaining a unified and effective cybersecurity regime” through mandatory cybersecurity requirements.

THE BIGGER TREND

The scope of cyber threats has increased in severity and cost since the healthcare industry saw three major data breaches in 2015.

In 2022, Warner called for a federal healthcare cybersecurity leader and presented several regulatory options in the Cybersecurity is Patient Safety policy document to spur government action.

While the U.S. Department of Health and Human Services proposed new cybersecurity requirements for hospitals and outlined specific cybersecurity performance goals for the health care industry in December, the American Hospital Association opposed the proposal to penalize breached organizations, telling lawmakers that penalties for hospitals like Ascension and other health care organizations would reduce funding for their cyber defenses and threaten to shut down cash-strapped HCOs.

“The cybersecurity proposal included in the President’s fiscal year 2025 budget that penalizes hospitals is misguided and will not improve the overall cybersecurity posture of the health care industry,” the AHA said at an HHS budget hearing in April.

We have reached out to AHA for comment and will update this story if a response is available.

ON THE RECORD

“The stakes are too high and the voluntary nature of the current status quo is ineffective, particularly for stakeholders in health care that are systemically important at the national or regional level,” Warner said in the letter.

The HIMSS Healthcare Cybersecurity Forum is scheduled to take place from October 31 to November 1 in Washington, D.C.

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
