U.S. Senator Mark R. Warner, D-Va., wrote to the U.S. Health and Human Services Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger this past week and asked them to quickly develop and release mandatory minimum cyber standards for the healthcare sector.
“Both the size and increasingly interconnected nature of the sector create a vulnerable attack surface,” Warner said.
WHY IT MATTERS
Warner, a cofounder of the Senate Cybersecurity Caucus, said that he is concerned not only about the economic risk to one of the largest sectors in the U.S. economy, with health expenditures “expected to grow to nearly 20% by 2032,” but also the risks to providers and patients.
“Simply put, inadequate cybersecurity practices put people’s lives at risk,” he said in the letter.
Financially motivated threat actors know that protected health information (PHI) is highly valuable – “health records are more valuable than credit card records on the dark market,” he said. It is also all too easy to disrupt healthcare-provider operations, leaving patients without access to care and with their PHI potentially sold to the highest bidder on the dark web.
In the letter, he did not mince words over known security lapses by organizations, including Change Healthcare.
The for-profit healthcare payment processing organization was crippled by a February ransomware attack that caused widespread disruption to provider operations and patient care. The Change provider-payments outage also threatened the closure of small practices and prevented pharmacists from confirming patient drug coverage.
“Due to some entities failing to implement basic cybersecurity best practices, such as the lack of multi-factor authentication resulting in the successful attack on Change Healthcare, the capability required of a threat actor to carry out an operation in the sector can be quite low,” Warner charged.
He also highlighted the recent cyberattack on Ascension, one of the largest nonprofit healthcare systems in the U.S., and the significant delays in care it caused.
Noting that policymakers, cybersecurity professionals and patients are calling voluntary healthcare cybersecurity “insufficient and dangerous,” Warner urged Becerra and Neuberger to ensure that the healthcare sector is required to be fully engaged in “developing, implementing and maintaining a coherent and effective cybersecurity regime” through mandatory cybersecurity requirements.
THE LARGER TREND
The scope of cyber threats has only escalated in severity and cost since healthcare experienced the top three largest data breaches of 2015.
In 2022, Warner called for a federal healthcare cybersecurity leader and presented several regulatory options in the policy paper Cybersecurity is Patient Safety to stimulate government action.
While the U.S. Department of Health and Human Services proposed new cybersecurity requirements for hospitals and outlined voluntary healthcare-specific cybersecurity performance goals in December, the American Hospital Association pushed back on the proposal to penalize breached organizations, telling lawmakers that penalties on hospitals like Ascension and other healthcare organizations diminish funding for their cyber defenses and threaten the closure of cash-strapped healthcare organizations.
“The cybersecurity proposal put forward in the President’s FY 2025 budget that would penalize hospitals is misguided and will not improve the overall cybersecurity posture of the healthcare sector,” AHA said in April at an HHS budget hearing.
We reached out to AHA for a comment and will update this story if one is made available.
ON THE RECORD
“The stakes are too high, and the voluntary nature of the status quo is not working, especially regarding healthcare stakeholders that are systemically important nationally or regionally,” Warner said in the letter.
The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.