Senator outlines potential cybersecurity mandates for health systems

Dive assignment:

  • Sen. Mark Warner, D-Va., chairman of the Senate Select Committee on Intelligence, released a white paper outlining a series of potential regulatory requirements for health systems aimed at improving cybersecurity across the industry.
  • Saying that cyber vulnerabilities increasingly threaten patient safety and leave organizations exposed to data theft, the paper argues “it has become readily apparent that the way cyber security is handled by those in the healthcare sector needs to change.”
  • The paper, compiled by Warner's staff with input from cybersecurity and healthcare experts, outlines the challenges facing care delivery organizations and offers suggestions aimed at strengthening providers’ cybersecurity capabilities and building response systems to help recover from attacks.

Dive Insight:

The report comes on the heels of the recent ransomware attack on CommonSpirit Health, one of the nation’s largest hospital systems, which disrupted access to electronic health records and delayed patient care.

With healthcare data breaches hitting a record high last year, efforts to improve cybersecurity have been “painfully slow and inadequate,” Warner wrote. “Unless we act now, this situation will get worse,” he said.

The policy document states that cybersecurity can no longer be treated as a secondary concern and must be incorporated into every organization’s core business model, from equipment manufacturers to healthcare providers.

Equipment must be designed and built with cybersecurity at its core, and minimum cyber hygiene practices are necessary for healthcare providers to protect everyone in the sector, especially patients, Warner said.

Financial constraints, the use of outdated devices not designed to withstand today’s cyber attacks, and limited education and awareness programs for healthcare professionals have increased the impact of cyber threats in the sector, the paper said. Some organizations have said they cannot afford to dedicate an IT staff member primarily to cybersecurity and lack the infrastructure to identify, detect and act on threats.

The paper proposes establishing minimum cyber hygiene practices for healthcare organizations, addressing insecure legacy systems, requiring a “software list” for medical devices and all healthcare industry software, streamlining information sharing and looking at how to change Medicare payment policies to include cybersecurity expenses.

Warner co-authored legislation, signed into law by President Joe Biden in March as part of the Consolidated Appropriations Act, that requires companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government.

The senator asked individuals, researchers, businesses, organizations and advocacy groups to submit feedback on the policy options in the document, or to offer additional ideas for inclusion in eventual legislation.