Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) recently published “Cybersecurity is Patient Safety,” a policy options paper that outlines current cybersecurity threats facing healthcare providers and systems and offers for discussion a series of policy solutions to improve cybersecurity across the industry.

Over the last decade, cyberattacks in the healthcare sector have risen exponentially, with attacks on providers reaching an all-time high in 2021. The white paper, assembled by Warner’s staff with input from healthcare and cybersecurity experts, argues that improving cybersecurity in the healthcare sector will require collaboration between the public and private sectors. It calls for improving federal leadership, strengthening healthcare providers’ cybersecurity capabilities, and building a robust response system to recover efficiently from attacks.

“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities,” he wrote.

Divided into three parts, the white paper is organized as follows:

  • Chapter one covers areas that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the health care sector. Specifically, it notes seven key challenges facing federal government agencies with jurisdiction over healthcare providers and cybersecurity, details the current state of play regarding cybersecurity threats, and outlines policy options for shoring up existing vulnerabilities.   
  • Chapter two covers ways that the federal government can help the private sector meet this threat through a combination of potential mandates and voluntary incentives to adopt best practices.
  • Chapter three covers policies that could help healthcare providers respond to attacks in the event of a cybersecurity failure. Specifically, it notes ways institutions can recover following successful cyberattacks, and how to limit the resulting impact on patients and systems.

Warner has been a leader in the cybersecurity realm throughout his time in the Senate, crafting numerous pieces of legislation aimed at addressing these threats facing our nation. He cofounded the bipartisan Senate Cybersecurity Caucus with former Sen. Cory Gardner (R-CO) in 2016. A year later, in 2017, he authored the Internet of Things (IoT) Cybersecurity Improvement Act with Gardner. This legislation, signed into law by President Donald Trump in December 2020, requires that any IoT device purchased with federal funds meet minimum security standards. As Chairman of the Senate Select Committee on Intelligence, Warner co-authored legislation that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government. This legislation was signed into law by President Joe Biden as part of the Consolidated Appropriations Act in March 2022.

Warner has also examined cybersecurity in the healthcare sector specifically. In 2019, he sent a letter to several healthcare providers and industry trade associations—from large hospital networks to trade associations representing rural providers and medical technology vendors—asking a series of questions related to the steps their organizations and/or members had taken to improve their cybersecurity posture. He received a number of thoughtful responses to those questions that revealed a wide range of cybersecurity capabilities and depth of understanding of the problems healthcare providers are facing.

Warner is releasing this policy options document with the intent of soliciting feedback from stakeholders on the potential options described within.