Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) has published “Cybersecurity is Patient Safety,” a policy options paper that outlines current cybersecurity threats facing healthcare providers and systems and offers potential policy solutions to improve healthcare security.

The white paper, assembled by Warner’s staff, drawing on input from healthcare and cybersecurity experts, argues that improving cybersecurity in the healthcare sector will require collaboration from both the public and private sectors, and calls for improving federal leadership, strengthening health care providers’ cybersecurity capabilities, and building a robust response system in order to efficiently recover from attacks.

“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities,” Warner says in a release.

Warner is releasing the policy options document with the intent of soliciting feedback from stakeholders on the potential options described within.

Divided in three parts, the white paper is organized as follows:

  • Chapter one covers areas that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the health care sector. It notes key challenges facing federal government agencies with jurisdiction over healthcare providers and cybersecurity, details the current state of play regarding cybersecurity threats, and outlines policy options for shoring up existing vulnerabilities.   
  • Chapter two covers ways that the federal government can help the private sector meet this threat through a combination of potential mandates and voluntary incentives to adopt best practices.
  • Chapter three covers policies that could help health care providers respond to attacks in the event of a cybersecurity failure. It notes ways institutions can recover following successful cyberattacks, and how to limit the resulting impact on patients and systems.

Earlier, Warner had recognized that cybersecurity is an increasingly complex issue that affects the health, economic prosperity, national security, and democratic institutions of the United States, and subsequently cofounded the bipartisan Senate Cybersecurity Caucus with former Senator Cory Gardner (R-CO) in 2016.  A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act with Gardner. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Warner co-authored legislation that requires companies responsible for U.S. critical infrastructure report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.

Warner has also examined cybersecurity in the healthcare sector specifically. In 2019, Warner sent a letter to several healthcare providers and industry trade associations asking a series of questions related to the steps their organizations and/or members had taken to improve their cybersecurity posture.