How Sen. Warner Aims to Mitigate Healthcare Cybersecurity Risks Through Legislation
Senator Mark Warner spoke with HealthITSecurity about the healthcare cybersecurity challenges discussed in his recent policy options paper and how he plans to address them.
Since releasing his policy options paper in November, Senator Mark R. Warner (D-VA) has been collecting feedback from industry experts on healthcare cybersecurity challenges and how to tackle them through policy and legislation.
As laid out in the paper, appropriately titled “Cybersecurity is Patient Safety,” the sector faces no shortage of obstacles when it comes to managing cyber risk. Ransomware, legacy medical devices, and healthcare cybersecurity leadership gaps within the federal government are just a few of the pain points.
The policy options paper brought significant attention to problems that have troubled healthcare cybersecurity professionals for years. But the next step is to introduce meaningful policies and legislation that help the evolving sector enhance its security posture from the ground up, Warner acknowledged.
“I don't underestimate the challenge,” Warner stated in an interview with HealthITSecurity. With these complexities in mind, Warner said he hopes to introduce healthcare cybersecurity legislation by the end of this quarter.
Senator Warner’s History In Cyber
Senator Warner, who serves as chair of the Senate Intelligence Committee, has a history of prioritizing cybersecurity in past legislative efforts.
“I have seen how hard it is to pass things into law that I thought should have been no-brainers,” Warner explained.
As a former technology entrepreneur and co-founder of the Senate Cybersecurity Caucus, Warner has repeatedly championed the creation of new cybersecurity standards in healthcare and other industries.
For example, in 2019, Warner wrote letters to healthcare stakeholders seeking input on ways to improve cybersecurity in the sector. Additionally, in October 2022, Warner expressed significant health data privacy concerns surrounding the Meta Pixel tracking tool in a letter to Meta CEO Mark Zuckerberg.
The Virginia Senator also authored the Internet of Things (IoT) Cybersecurity Improvement Act alongside Senator Cory Gardner (R-CO), which established minimum security standards for any IoT device purchased using federal funds. President Trump signed the legislation into law in December 2020.
In the aftermath of the SolarWinds and Colonial Pipeline cyberattacks, Warner was outspoken about requiring critical infrastructure owners and operators to report cyber incidents to the government in a timely manner. As a result, Warner co-authored legislation surrounding cyber incident notification requirements, some of which were signed into law last year.
Through his experience, Warner knows how difficult it can be to pass comprehensive cyber laws without watering down the final legislation.
For example, Warner expressed concern about the amount of time it could take to implement the final cyber incident reporting law. The process may take upwards of five years, Warner said, which does not necessarily match up with the urgency of current cyber threats.
Similarly, the healthcare sector is facing a variety of time-sensitive cyber challenges that must be addressed sooner rather than later. However, passing a comprehensive bill in a timely manner that adequately addresses healthcare cybersecurity complexities remains a challenge.
“This is all compounded because we still don't have an overriding privacy bill in this country, [which] makes this all more difficult,” Warner added.
Warner addressed those challenges and potential solutions in the policy options paper and will use the feedback garnered by the paper to inform future legislative efforts.
Today’s Top Healthcare Cybersecurity Challenges
“Just from following, learning, and listening to providers, equipment manufacturers, and hospital systems, it has become evident that healthcare is the most lucrative ransomware [target] there is,” Warner said in the interview.
Threat actors can fetch a hefty sum on the black market for medical records, and the risk to patient safety is enough to make some organizations pay the ransom. The average cost of a healthcare data breach is $10.1 million, according to IBM, the highest of any industry in its survey. Cyberattacks have also been anecdotally linked to increased patient mortality rates.
“Thank goodness we haven't had a lot of public examples of that, but I think it's probably naïve to think we won’t have an example of that at some point,” Warner continued.
The healthcare sector will likely remain an enticing target for threat actors in the coming years, but a more streamlined approach to tackling cyber risk at the federal level is urgently needed. Warner shed light on this issue by first addressing the current patchwork of cyber leadership within the federal government.
“There are four different cabinet secretaries and sixteen different federal agencies that touch on healthcare,” Warner pointed out.
Even within HHS, agencies such as the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Health Sector Cybersecurity Coordination Center (HC3) all have varying levels of oversight and expertise.
The question now, Warner explained, is “how do you put somebody in charge, or at least in charge of coordinating, so that you can take a holistic approach?”
This role would ideally help HHS “speak with one voice regarding cybersecurity in [healthcare],” the policy options paper stated, facilitating communication and collaboration between HHS and other entities such as the Cybersecurity and Infrastructure Security Agency (CISA).
In addition to addressing leadership gaps, Warner stressed the industry’s ongoing struggles with legacy systems and medical devices.
“A thing we're still struggling with is [that] in healthcare, you have this problem of legacy software systems, but you also have legacy hardware, and the idea that cybersecurity almost always becomes kind of a bolted-on afterthought, rather than being built into the design,” Warner reasoned.
“With all the new wearables and personal health monitoring devices, some of them have decent cyber protections, but many of them do not. And it is not going to be perfect, because you're not going to rip out an MRI in a rural hospital that has a 10-year life left.”
The challenge, from a legislative perspective, is integrating strong cyber requirements for new medical devices at the pre-market stage and throughout the device’s lifecycle.
Lawmakers made significant progress on this issue in December 2022, when Congress passed an omnibus appropriations bill that included key medical device security provisions, such as requiring manufacturers to include a software bill of materials (SBOM) in premarket submissions for devices with cybersecurity implications.
While additional security requirements for medical device manufacturers are on their way, minimum cyber hygiene standards for the sector as a whole are still missing. Warner said his office has received mixed feedback surrounding the “age-old voluntary or mandate” debate when it comes to minimum cyber requirements in healthcare.
“A lot of lobbying groups came back and said, ‘We know there is a problem, but we want voluntary standards,’” Warner noted.
But the Senator’s office also heard from numerous doctors and hospitals that championed mandatory standards.
“It was a real telling comment that those who were on the front line realized that the kind of iterative pattern we have at this point just isn't getting it done. You have to have some level of mandatory standards,” Warner continued.
Establishing and incentivizing these standards is no easy feat. Proposed policies must consider the financial and administrative implications of establishing minimum cyber hygiene requirements, as well as determine which government entities would be responsible for development and implementation.
“Given the risks to patient safety that result from cybersecurity intrusions, all health care organizations should be familiar with and apply certain minimum cybersecurity practices as standard operating procedure,” the policy options paper stated.
“Any regulation should be proportionate to the risk it is mitigating, but cybersecurity should be seen as critical to patient health and safety as air quality and infection control.”
What’s Next?
Warner’s office received more than 60 responses from industry groups and individuals. Warner said his team is now “in the refinement stage” as they work to incorporate feedback into future legislation and consult other Senators who have been working in this space.
“Do you try to do a comprehensive bill, or do you try to introduce two or three small bills, and partner with other folks?” Warner added.
“So, we have to resolve that, but my hope is to have some legislation ready by the end of the first quarter.”
With legislation on the horizon, it is clear that cybersecurity is increasingly being recognized as a patient safety issue at the federal level.
“Any delays caused by cybersecurity inevitably affect patient care negatively. Unless we act now, this situation will get worse,” Warner’s policy options paper stated.
“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, together as partners with shared responsibilities.”