
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA) wrote to Department of Health and Human Services (HHS) Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger to quickly develop and release mandatory minimum cyber standards for the health care sector. This letter comes as cyberattackers continue to exploit vulnerabilities in many current systems.

“I write today to urge you to prioritize the development of mandatory minimum cyber standards and to propose them as soon as possible, given the increasing severity, frequency, and sophistication of cybersecurity threats and attacks. Health care is one of the largest sectors in the U.S. economy, with health expenditures accounting for 17 percent of the United States’ gross domestic product in 2022, and expected to grow to nearly 20 percent by 2032. More important than the economic risks cyberattacks pose to the health care sector are the vulnerabilities to patients’ access to care and private health information. Simply put, inadequate cybersecurity practices put people’s lives at risk,” Sen. Warner wrote. 

This letter comes months after a major cybersecurity incident at Change Healthcare affected billing and care authorization portals and led to prescription backlogs and missed revenue for providers. This attack, and other similar attempts, pose a serious risk not only to regular business operations, but also to patient care. In his letter, Sen. Warner highlighted that without basic security measures, these attacks are relatively easy to carry out and will happen with more frequency.  

Sen. Warner continued, “Due to some entities failing to implement basic cybersecurity best practices, such as the lack of multi-factor authentication resulting in the successful attack on Change Healthcare, the capability required of a threat actor to carry out an operation in the sector can be quite low.”

Sen. Warner has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. Recognizing that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, Sen. Warner cofounded the bipartisan Senate Cybersecurity Caucus in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Sen. Warner co-authored legislation that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.

Sen. Warner has also examined cybersecurity in the health care sector specifically. In 2022, Sen. Warner authored “Cybersecurity is Patient Safety,” a policy options paper outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry. Since publishing, Sen. Warner has launched the Health Care Cybersecurity Working Group with a bipartisan group of colleagues to examine and propose potential legislative solutions to strengthen cybersecurity in the health care and public health sector.

A copy of the letter can be found here and below.

Dear Secretary Becerra and Ms. Neuberger:

Thank you for your continued commitment to improving cybersecurity in America’s health care system. I write today to urge you to prioritize the development of mandatory minimum cyber standards and to propose them as soon as possible, given the increasing severity, frequency, and sophistication of cybersecurity threats and attacks. Health care is one of the largest sectors in the U.S. economy, with health expenditures accounting for 17 percent of the United States’ gross domestic product in 2022, and expected to grow to nearly 20 percent by 2032. More important than the economic risks cyberattacks pose to the health care sector are the vulnerabilities to patients’ access to care and private health information. Simply put, inadequate cybersecurity practices put people’s lives at risk.

Financially motivated threat actors realize that the sector has both highly valuable data in its possession and also faces tremendous pressure to respond quickly to a ransomware demand. Health records are more valuable than credit card records on the dark market, and disruptions to operations of health care providers have a direct impact on the life and well-being of their patients. Due to some entities failing to implement basic cybersecurity best practices, such as the lack of multi-factor authentication resulting in the successful attack on Change Healthcare, the capability required of a threat actor to carry out an operation in the sector can be quite low.

Further, both the size and increasingly interconnected nature of the sector create a vulnerable attack surface. Not only do attacks against the sector often result in the loss of highly personal and sensitive data, those attacks have also affected the ability of providers to maintain the availability and quality of their care. We have seen devastating incidents, including the recent cyberattack on Change Healthcare, that ultimately took down the ability of providers to pay their workers and prevented pharmacists from looking up patient insurance and co-pay information. The recent cyberattack on the nationwide provider, Ascension, has also resulted in delays in care. And we have a growing body of evidence that clearly demonstrates that cybersecurity is, above all else, a patient safety issue.

The health care sector must be fully engaged in developing, implementing, and maintaining a coherent and effective cybersecurity regime; accepting cyberattacks due to lack of preparedness cannot and should not be a cost of doing business. The stakes are too high, and the voluntary nature of the status quo is not working, especially regarding health care stakeholders that are systemically important nationally or regionally. Mandatory minimum cyber standards would ensure that all health care stakeholders prioritize cybersecurity in their work. 

Policymakers, cybersecurity professionals, and patients alike have long been raising the alarm that the voluntary nature of cybersecurity in health care is insufficient and dangerous. It’s critical that the Administration expeditiously act to create mandatory, enforceable policies in the health care sector.

Sincerely,

###