His paper calls for a federal healthcare cybersecurity leader and discusses key challenges for regulatory agencies, as well as potential mandates and incentive programs. One industry CISO comments.

By Andrea Fox | Published Nov. 7, 2022 | HealthcareIT News

Cyberattacks can lock physicians out of patient information systems, compromise protected data, shut down hospital equipment and delay patient care, but they can also trigger lawsuits and penalties on healthcare organizations.

One industry expert asks: Is the healthcare industry set up to fail?

Call for a healthcare cybersecurity czar

Senator Mark Warner, D-Va., divides his new policy paper, Cybersecurity is Patient Safety, into three sections:

  • National risk posture and federal leadership.
  • Cyberattack recovery and requirements.
  • Incentives that may improve healthcare cybersecurity capabilities.

He cites stakeholders for reporting a lack of coordination between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency (CISA) in his call to establish a new senior leader accountable for healthcare cybersecurity under the executive agency secretary.

“Is [HHS] succeeding in its role as the sector risk management agency for healthcare and is HHS the most appropriate SRMA?” Warner asks in the paper, which also questions if the 405(d) program, mandated under the Cybersecurity Act of 2015, should continue to be the partnership between the federal government and the industry, along with other questions about HHS oversight.

Previously, leading health system CISOs have told Healthcare IT News that collaboration with HHS on cybersecurity is happening at all levels.

Focusing Congress on healthcare cybersecurity

Warner is a cofounder of the Senate Cybersecurity Caucus. He has been the mover behind the Internet of Things (IoT) Cybersecurity Improvement Act and other cybersecurity legislation.

In 2019, he sent a series of questions to several healthcare providers and industry trade associations, and he corresponded with them about the steps they have taken to improve their cybersecurity posture, according to the paper’s announcement via his office.

Some of the policies under consideration in Warner’s healthcare cybersecurity policy paper call for Congress to:

  • Expand HIPAA and require HHS to update it more regularly, particularly to cover applications and consumer devices that collect and share health information but are not obligated to adhere to the law.
  • Consider establishing a workforce development program that focuses specifically on healthcare cybersecurity, given the cybersecurity workforce shortage across industries.
  • Mandate the creation of minimum cyber hygiene practices, with incentives for compliance and penalties for noncompliance.
  • Review a number of incentives to address outdated legacy systems, medical devices and equipment to minimize or eliminate life cycle gaps, like rebate programs and legacy product replacement, and review market incentive programs for and mandates on medical equipment manufacturers.
  • Require a software bill of materials for all software and devices used in healthcare.

Warner’s report also suggests a number of industry-incentivizing programs, such as student loan forgiveness for providing healthcare cybersecurity service in rural areas and establishing federal disaster relief for cyberattacks, of the kind the Federal Emergency Management Agency provides to hospitals after other disasters.

Relief could help healthcare organizations recover with grants, equipment loans and federal assistance.

The Virginia senator has not stopped at cyberattacks in prioritizing patient protections around user data and privacy.

He introduced the 2019 DASHBOARD Act to increase transparency around data collection and recently wrote to Mark Zuckerberg asking about patient information-gathering practices by Meta Pixel, a consumer data tool installed on hospital websites to convert impressions into customers.

But Senator Warner is not the only federal lawmaker looking to strengthen healthcare cybersecurity to protect patient data.

The Healthcare Cybersecurity Act, introduced in September by representatives Jason Crow, D-Colo., and Brian Fitzpatrick, R-Pa., in the House and Senator Jacky Rosen, D-Nev., in the Senate, would direct CISA to collaborate with HHS to increase cyber resilience in healthcare.

‘We’ve set up our health system to fail’

After a briefing on the policy report by Senator Warner’s team, Chris Bowen, CISO at ClearDATA, shared with Healthcare IT News by email that “we’ll be providing additional inputs to these policy options to try to help level the playing field.

“Some healthcare organizations have proven to be lax in their security controls,” said Bowen. “But many are doing everything right and yet still fall victim to attacks by nation-state actors, or criminal syndicates funded by nation-states. How can a healthcare provider effectively go to battle with China or Russia? And so the crux of the matter becomes, what happens when I’m doing everything right and still get crushed?” he wrote.

In his report, Warner highlighted a “painfully slow and inadequate transition” to improve the industry’s cybersecurity posture.

“Over the past decade, the American public has witnessed increasingly brazen and disruptive attacks on its healthcare sector that jeopardize sensitive personal information, delay treatment, and ultimately lead to increased suffering and death,” he wrote.

However, Warner’s policy report suggests a considerable amount of governance, and there are sure to be a number of comments from the industry in response.

Bowen, who is also a member of the Healthcare and Public Health Sector Coordinating Council Joint Cyber Security Working Group – which develops and disseminates a number of recommended cybersecurity practices guidance – offers an industry point of view:

“When a provider is attacked by ransomware, it suffers reputational harm, operational setbacks and its patients may actually die if access to care is inhibited. And even as it recovers, trial lawyers build class action lawsuits while regulators look for ways to ‘send a message’ with a fine that the provider cannot afford in the first place. We’ve set up our health system to fail in these circumstances,” he wrote.

Warner is looking for feedback from healthcare stakeholders on the policy options, according to the announcement. To respond, write to cyber@warner.senate.gov.

“The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities,” said Warner.