The healthcare industry is facing more severe and sophisticated cyberattacks. Greater effort is necessary to strengthen protection, attacks will likely keep increasing. These attacks present economic challenges to the healthcare industry, yet a lot more critical is the danger to the safety of patients. The February 2024 ransomware attack on Change Healthcare kept patients from having prompt access to important medicines, and the cyberattack on Ascension brought about a system shutdown that continued for months, putting patients at critical risk of hurt.
Sen. Mark Warner (D-VA) sent a letter to Deputy National Security Advisor Anne Neuberger and Department of Health and Human Services (HHS) Secretary Xavier Becerra asking them to immediately create minimum cybersecurity criteria for the healthcare industry. Sen. Warner pointed out that Change Healthcare lacked multifactor authentication, which permitted a ransomware affiliate to get the necessary access to execute a ransomware attack taking down Change Healthcare’s systems for weeks, causing financial difficulty for many companies, and putting patient safety in danger. Without basic security procedures, these cyberattacks are simple and easy to undertake and will occur more frequently. A threat actor with low-level skills can execute an attack in the industry.
The HIPAA Security Rule requires implementing administrative, technical, and physical safety measures to protect the confidentiality, availability, and integrity of electronic protected health information (ePHI). However, the HIPAA Security Rule is over 20 years old and lacks detail concerning particular security measures that ought to be enforced. Although the HHS has applied high-impact cybersecurity performance objectives for the healthcare and public health industry, those goals are voluntary.
Sen Warner wrote to urge the HHS to prioritize the creation of compulsory minimum cyber requirements and to recommend them immediately considering the growing severity, regularity, and complexity of cybersecurity threats and attacks. Healthcare is a big industry in the U.S. economy, as healthcare cost was 17% of the United States GDP in 2022, and is likely to increase to almost 20% by 2032. Cyberattacks pose economic risks to the healthcare industry impacting patients’ access to treatment and private health data. Without proper cybersecurity practices, people’s lives are at stake.
Sen. Warner authored the Internet of Things (IoT) Cybersecurity Improvement Act, cofounded the bipartisan Senate Cybersecurity Caucus, co-authored the bill that mandates critical infrastructure entities to file cybersecurity incident reports to the federal government. In 2022, Sen. Warner also authored a report, “Cybersecurity is Patient Safety,” which looked into the present threat landscape and provided several recommendations for legislative options to reinforce healthcare cybersecurity. Since the release of that report, attacks on the healthcare industry have consistently grown.
The healthcare industry should be completely involved in creating, enforcing, and keeping a coherent and efficient cybersecurity program; because of lack of preparation, cyberattacks occur and must not be a cost of conducting business. The risks are too much, and the voluntary character of the status quo isn’t doing any good, particularly concerning healthcare stakeholders that are essential nationally or regionally. Obligatory minimum cyber requirements would make sure that all healthcare stakeholders are prioritizing cybersecurity in the workplace.