Senator outlines potential cybersecurity mandates for health systems

Dive Brief:

• Virginia Democrat Sen. Mark Warner, chairman of the Senate Select Committee on Intelligence, has released a white paper detailing a series of potential regulatory requirements for health systems aimed at improving cybersecurity across the industry.
• Saying that cyber vulnerabilities increasingly threaten patient safety as well as leaving organizations exposed to data theft, the paper argues “it has become readily apparent that the way that cybersecurity is treated by those in the healthcare sector needs to change.”
• Assembled by Warner’s staff with input from cybersecurity and healthcare experts, the paper outlines the challenges facing care delivery organizations and offers proposals aimed at strengthening providers’ cybersecurity capabilities and building response systems to help recover from attacks.

Dive Insight:

The report comes on the heels of the recent ransomware attack on CommonSpirit Health, one of the country's largest hospital systems, that interrupted access to electronic health records and delayed patient care.

With data breaches in healthcare reaching a record high last year, efforts to improve cybersecurity have been “painfully slow and inadequate,” Warner wrote. “Unless we act now, this situation will get worse,” he said.

The policy paper states that cybersecurity can no longer be treated as a secondary concern and must become incorporated into every organization’s core business model, from equipment manufacturers to healthcare providers.

Equipment must be designed and built with cybersecurity at its core, and minimum cyber hygiene practices are needed for healthcare providers to protect everyone in the sector, especially patients, Warner said.

Financial constraints, use of legacy devices that were not designed to resist today’s cyberattacks, and limited education and awareness programs for healthcare professionals have increased the impact of cyber threats in the sector, the paper said. Some organizations have said they cannot afford to dedicate an IT staff member primarily to cybersecurity and lack the infrastructure to identify, track and act on threats.

The paper proposes establishing minimum cyber hygiene practices for healthcare organizations, addressing insecure legacy systems, requiring a “software bill of materials” for medical devices and all healthcare industry software, streamlining information sharing and looking at how Medicare payment policies should be changed to incorporate cybersecurity expenses.

Warner co-authored legislation, signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March, that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government.

The senator asked for individuals, researchers, businesses, organizations and advocacy groups to submit feedback on the policy options in the document, or offer additional ideas for inclusion in eventual legislation.

Comments are closed.