Cyberspace Solarium Co-Chairs Call For HHS Briefing on Healthcare Cybersecurity

August 15, 2022 - US Senator Angus King (I-ME) and Representative Mike Gallagher (R-WI), both co-chairs of the Cyberspace Solarium Commission (CSC), wrote a letter to HHS Secretary Xavier Becerra asking about the current status of HHS’ healthcare cybersecurity efforts.

King and Gallagher, who also authored the Sector Risk Management Agency (SRMA) legislation, urged HHS and the Biden administration to bolster cybersecurity efforts and called on HHS to hold an urgent briefing on the administration’s current cybersecurity posture and plans for improvement.

“Ransomware attacks on the HPH sector have skyrocketed in the past two years as opportunistic criminals recognized that hospitals may pay quickly to resolve issues and protect patient safety,” the CSC co-chairs wrote.

“Meanwhile, the troves of personally identifiable information and personal health information make organizations in the sector valuable targets for both criminal and nation-state hackers.”

As security concerns mount, King and Gallagher noted the administration’s recent positive steps toward improving healthcare cybersecurity, including an executive forum on healthcare cybersecurity hosted by the White House, and the US Food and Drug Administration’s (FDA) increased focus on medical device security.

“We remain concerned, however, about the lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the Department’s capabilities and resources,” the letter explained.

“With cyber threats growing exponentially, we must prioritize addressing the HPH sector’s cybersecurity gaps.”

King and Gallagher requested a briefing from HHS to learn about the “status of efforts to strengthen the department’s capabilities as the SRMA and to operationalize collaboration with the organizations throughout the sector.”

As part of the briefing, King and Gallagher specifically requested an assessment of the current organizational structure, roles, and responsibilities that HHS employs to support healthcare cybersecurity, including intra-department coordination.

Additionally, the briefing would ideally shed light on the current gaps in authorities that HHS has to ensure healthcare cybersecurity and the resources HHS has and requires to serve as an effective sector risk management agency. King and Gallagher also inquired about the interagency coordination structures, successes, and challenges involved in supporting HHS’ healthcare cybersecurity efforts.

“We and our colleagues can only conduct effective oversight if we understand the challenges that your department and the HPH sector are facing,” the letter continued.

“As such, as part of the briefing, I would welcome an unclassified threat briefing from your office on the cybersecurity risks to this most vital critical infrastructure sector.”