Senator Mark Warner (D-Va) has written letters to the leaders of the Department of Health and Human Services (HHS), the Centers for Medicare and Medicaid Services (CMS), the Food and Drug Administration (FDA), the National Institute of Standards and Technology (NIST), and 12 healthcare organizations to find out what is being done to improve healthcare cybersecurity.
Warner is co-chair of the Senate Cybersecurity Caucus and a member of the Senate Finance Committee. He is seriously concerned about the current state of cybersecurity in healthcare. The aim of the letters is to find out what steps have already been taken to address the current problems with protecting healthcare data and networks, to develop a short-term and long-term plan to reduce cybersecurity vulnerabilities in the healthcare industry, and to create a national strategy that increases security and resilience to healthcare cyberattacks.
Cybercriminals are targeting the healthcare industry and healthcare data breaches are increasing. 2015 was a record year for healthcare data breaches with 113 million healthcare records exposed or stolen. With the exception of 2016, healthcare data breaches have increased every year since records of healthcare data breaches first started to be published by the HHS in 2009.
In Warner’s letters, he referred to a 2015 GAO report that suggested $305 million in losses would be suffered in five years due to healthcare cyberattacks and a Trend Micro report that indicated 100,000 healthcare devices and systems were exposed over the web in the same year.
Healthcare data is highly valuable to cybercriminals, and since hospitals store huge amounts of patient information, they are natural targets. Successful attacks could be extremely profitable. Healthcare data can be used for identity theft and other types of fraud, while ransomware attacks that prevent healthcare providers from accessing patient data can see sizable ransoms paid to regain access to data.
It’s not possible to prevent all cyberattacks from succeeding, but if resilience can be improved, it should be possible to substantially reduce the number of successful attacks and the number of records that are stolen.
For starters, Warner requested information from each agency about the actions needed to identify and minimize vulnerabilities in the healthcare sector, and what each agency has done so far to create a national strategy to minimize vulnerabilities. Warner has sought suggestions on how vulnerabilities can be dealt with and whether there are any changes to present laws and regulations that would help to improve defenses against cyberattacks on healthcare entities.
The same questions were given to healthcare associations and agencies, including the American Hospital Association (AHA), the Healthcare Information Management and Systems Society (HIMSS), the Health Information Sharing and Analysis Center (H-ISAC), and the American Medical Association (AMA). They were also asked how they have improved their security awareness and technical readiness.
Because of the large number of successful cyberattacks, state regulators are introducing new laws at the state level to enhance security and privacy protections, and Congress is taking steps to create a national strategy to improve cybersecurity defenses. Warner hopes that his efforts will help to accelerate the process.