Here’s how lawmakers are tackling rising cyber threats in the health sector

Congress is increasingly sounding the alarm over cyber threats targeting the health care sector. 

Several congressional lawmakers have stepped up their efforts to protect the industry amid a rise in cyberattacks by introducing policies and recommendations aimed at addressing and mitigating such threats.

“Over the past decade, the American public has witnessed increasingly brazen and disruptive attacks on its health care sector that jeopardize sensitive personal information, delay treatment, and ultimately lead to increased suffering and death,” Sen. Mark Warner (D-Va.), chairman of the Senate Intelligence Committee, noted in a report published this week, before outlining recommendations on ways the federal government can improve security standards in the sector to combat those attacks.

The report, which is divided into three sections, recommends that the federal government improve the country’s cybersecurity risk posture in the health care sector, help the private sector mitigate cyber threats and assist health care providers in responding to and recovering from cyberattacks.  

“The senator’s report addresses areas of weakness that hospitals have worked tirelessly to mitigate for a long time,” said Christopher Plummer, a senior cybersecurity architect at Dartmouth Health.

“Just seeing an acknowledgement of this in writing, and from this level of the government, gives a lot of hope,” Plummer added.

Plummer said that the rising challenges of cybersecurity insurance and the labor shortage of cyber workers across industries were among a few topics in the report that resonated with him.

He added that the resources hospitals need to combat threats will vary greatly based on the size and cyber capabilities of the company.

“What we, as a nation, do with this report is the critical next move,” Plummer said.

“The discussion points are on the table — now it’s time to substantively address these challenges,” he added. 

The health care sector has been particularly vulnerable to cyberattacks because it stores sensitive data and handles patients’ safety and health.

Experts have said that the industry is a prime target for cyber criminals because some hospitals are willing to pay ransoms to save lives and recover stolen data. It can be a matter of life and death in certain situations, they said. 

They’ve also said that hackers are after sensitive information related to medical research and technology.

An August report from Kroll, an investigation and risk consulting firm, found a 90 percent increase in the number of attacks against health care organizations in the second quarter of this year compared to the first quarter. 

The report also found that ransomware is the most common type of cyberattack used against the health care sector, closely followed by email compromise.

Warner also said in the report that cyberattacks targeting health care providers reached an all-time high in 2021, noting a study that found that more than 45 million people were affected by such attacks.

Warner is the latest of a number of lawmakers who have raised the alarm and taken steps to address the issue in recent months.

Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) have also expressed their concerns.

In August, the lawmakers sent a letter to the Department of Health and Human Services (HHS) urging the agency to better protect the health care and public health sector from the growing number of cyber threats targeting the industry. 

“With cyber threats growing exponentially, we must prioritize addressing the [health care and public health] sector’s cybersecurity gaps,” wrote King and Gallagher, who both co-chair the Cyberspace Solarium Commission.

“Ransomware attacks on the [health care and public health] sector have skyrocketed in the past two years as opportunistic criminals recognized that hospitals may pay quickly to resolve issues and protect patient safety,” the letter said.

In the letter, the lawmakers requested an urgent meeting with health officials in the Biden administration for an update on their current cyber posture. They also said that they were concerned about HHS’s lack of timely information-sharing about ongoing threats with industry partners. 

Sen. Jacky Rosen (D-Nev.) is another lawmaker who has been pushing the federal government to do more to protect critical infrastructure, including the health care sector, from cyberattacks. 

In March, she and Sen. Bill Cassidy (R-La.) introduced a bipartisan bill that would require that the Cybersecurity and Infrastructure Security Agency (CISA) collaborate with HHS to improve cybersecurity standards in the health care and public health sector.

The legislation would also require both agencies to share information with the private sector to increase cyber resilience.

As lawmakers have taken these actions, federal agencies have been monitoring the sector and alerting the public about current cyber threats facing the industry.  

Over the summer, U.S. federal agencies issued a warning that a ransomware known as “Maui” has been targeting U.S. health care and public health sector organizations. The ransomware has been linked to the North Korean government. 

The agencies also discouraged health care providers from paying ransoms because doing so does not guarantee the recovery of stolen data. They instead recommended that health sector organizations adopt cybersecurity best practices and report ransomware attacks to law enforcement.

“When it comes to cyberattacks affecting patient care, the question is no longer a matter of if or when, but how often and how catastrophic the consequences,” Warner said in the report.