Congressional report finds health care sector ‘uniquely vulnerable’ to cyber attacks

Sen. Mark Warner (D-Va.), chairman of the Senate Intelligence Committee, released a report on Thursday outlining cybersecurity threats in the health care sector and ways the federal government can improve security standards in the industry.

The report, which is divided into three sections, recommends that the federal government improve the country’s cybersecurity risk posture in the health care sector, help the private sector mitigate cyber threats and assist health care providers in responding and recovering from cyberattacks.  

“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate,” Warner said in the report.

“The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities,” he added.

In the first section, Warner recommends that the federal government enhance its cybersecurity leadership within the health care sector and protect health care research and development from cyberattacks. 

Warner also suggested that the government mandate a regular process to improve the Health Insurance Portability and Accountability Act (HIPAA) regulations to address cyber threats. HIPAA is a federal law that requires standards to protect sensitive patient data from being disclosed.

The second section of Warner’s report dives into ways the federal government can help the private sector reduce cyber risks. The report recommends that the government incentivize and require all health care organizations to adopt minimum cybersecurity hygiene practices to mitigate threats, especially those that could jeopardize patients’ health and safety. 

The third area focuses on policies that could help the health care sector better respond and recover from cyberattacks. The report recommends that health care organizations have an emergency plan in place and train hospital staff to respond to such attacks.

The report also suggested that health care organizations establish a cyber disaster relief program to help them recover faster after a cyber incident. 

Warner also proposed the establishment of a federal reinsurance program to help insurance companies cover some of the costs related to cyberattacks. 

The federal government has been contemplating whether it should assist private insurance companies cover cyber-related costs.

In September, the Treasury Department and Cybersecurity and Infrastructure Security Agency asked stakeholders in the cyber insurance industry to weigh in on whether there’s a need for a federal insurance response to “catastrophic” cyber incidents.

This came after private insurance companies significantly increased premiums for companies seeking cyber coverage. 

Warner is the latest lawmaker to express concerns regarding cybersecurity threats in the health care sector. 

In August, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) sent a letter to the Department of Health and Human Services urging the agency to better protect the health care and public health sector from the growing number of cyber threats targeting the industry.