On February 21, 2019, Senator Mark Warner (D-VA), the vice chair of the Senate Intelligence Committee and co-chair of the Senate Cybersecurity Caucus, sent letters to twelve healthcare organizations and four federal agencies soliciting feedback via a series of questions on the security and resiliency of the healthcare sector. In the letter, he stated: “I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector.”
In the letters, Senator Warner asked leaders to share, among other things:
- How they identify and reduce vulnerabilities
- Whether they maintain an up-to-date inventory of all of the connected systems within their facilities
- If these groups have real-time data for the patching status of these systems
- How many systems rely on end-of-life software and operating systems
- What steps they’ve taken to reduce risks that could be nationally implemented.
- Details on the cybersecurity staffing shortage
- How organizations have increased security awareness and otherwise improved cyber-hygiene.
Several of the responses from the organizations emailed were made public in late March. In this publication, entitled “An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries: The Benefits of Proactive Engagement and What We Can Glean from These Questions and Responses,” ICIT offers an analysis highlighting common themes and takeaways from the responses to-date. Some of the key takeaways discussed in this paper include:
- Healthcare Entities Need to Collaborate
- Healthcare Stakeholders Need to Be Proactive About Cybersecurity
- Healthcare Networks are Becoming More Complex Because of IT/OT Convergence and Must Be Secured
- Emerging Cybersecurity Legislation Should be Proactive and Actionable
- A National Strategy is Necessary and Federal Guidance Must be Clarified
- Governance Should Incentivize Security Rather than Penalize Infractions
- Safe Harbor May Be Necessary for Certified and HIPAA Compliant Entities
- Certification Programs Would Increase Security Past Minimal Compliance
This publication contains direct quotes from the responses of AdvaMed, American Hospital Association (AHA), American Medical Association (AMA), College of Healthcare Information Management Executives (CHIME), Healthcare Leadership Council (HLC), HITRUST, and Virginia Hospital and Healthcare Association (VHHA).