VA Senator Seeks Feedback on Healthcare Cybersecurity Policy Options

November 03, 2022 - Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) released a policy options paper entitled “Cybersecurity is Patient Safety,” to address key healthcare cybersecurity challenges and examine potential policies that could help the sector improve its security posture and incentivize proper cyber hygiene.

Specifically, the paper explored the challenges faced by federal agencies when it comes to jurisdiction over healthcare cybersecurity, ways that the government could help the sector tackle threats via mandates and incentives, and policies that could help the sector respond to cyberattacks.

Senator Warner is seeking feedback from individuals, advocacy groups, researchers, and businesses on the policy options by December 1.

Addressing Leadership Gaps

The paper first identified the web of federal authorities that have varying levels of jurisdiction over healthcare cybersecurity and privacy efforts. HHS is the designated Sector Risk Management Agency (SRMA) for the healthcare sector. But HHS also includes CMS and the FDA, each of which has its own cybersecurity policies.

“Given the large number of actors and lack of clearly defined roles, particularly across operational divisions within the Department of Health and Human Services, there is a need for a senior leader at HHS who reports directly to the Secretary of Health and Human Services to lead the Department’s work on and be accountable for cybersecurity,” Warner’s team suggested.

“The person in this role should be empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role.”

Call to Modernize HIPAA

In addition to raising questions about leadership and coordination, the paper also brought up considerations about modernizing HIPAA. Warner suggested that HIPAA has not been adequately updated to address emerging threats to data integrity and availability.

The paper sought answers to questions surrounding the current gaps in HIPAA, how HIPAA should align with other regulations such as the Federal Trade Commission’s Health Breach Notification Rule, and whether it is appropriate to address privacy and security under a single enforcement regime.

“One proposal under consideration is mandating a regular process to modernize HIPAA regulations to address a broader scope of cybersecurity threats instead of just focusing on covered entities’ responsibility to protect a patient’s personal health information,” the paper noted.

“Congress could direct HHS to update HIPAA to expand what entities are covered and what actions are permitted.”

Enhancing, Incentivizing Cybersecurity Requirements

Experts consulted for the paper “repeatedly shared their concern with gaps within health care organizations related to managing enterprise-wide security.”

Current policy under consideration is aimed at establishing minimum cyber hygiene practices, addressing insecure legacy systems and medical devices, and implementing software bills of materials (SBOMs). Warner called for further incentives and mandates that would streamline information sharing and address device securty gaps. 

In addition to prevention, Warner called out a need to further assist healthcare organizations with cyber incident preparedness and response. Some proposals presented the idea of creating a federal reinsurance program that covers plans that require minimum cyber hygiene, or providing incentives for insurance companies to adopt standardized coverage elements.

“Unfortunately, the [healthcare] sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” Warner wrote.

“The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities.”