MARK R. WARNER
United States Senate
WASHINGTON, DC 20510-4606
COMMITTEES: BANKING, HOUSING, AND URBAN AFFAIRS; INTELLIGENCE; RULES AND ADMINISTRATION
February 21, 2019
Dennis Matheis
Chairman
Virginia Association of Health Plans
1111 East Main Street
Suite 910
Richmond, VA 23219
Dear Mr. Matheis,
As you are likely aware, in recent years the security of our nation’s health care industry
has been tested, with a range of incidents ranging from cyber-attacks to cyber-enabled crime
directed at and/or impacting the sector. These incidents have impacted some of our largest
hospital systems, insurance companies, laboratories, and the millions of patients who are served
by them. Despite past breaches, private and public sector security experts have observed that our
nation’s vast health care economy is still fraught with cyber security vulnerabilities.
The health care industry has been identified as a lucrative target due to the valuable
personally identifiable information criminals can monetize, and the lucrative opportunities to
secure payment from victims of ransomware. A successful breach of a patient's health record
often yields information such as social security numbers, home addresses, health histories and
other sensitive records that can be sold or used for identity theft. Additionally, hackers know
they can obtain large payments from ransomware attacks on health care entities that have
valuable patient records and sensitive operations impacting patient safety. The Government
Accountability Office estimates that over 113 million patient health care records were stolen in
2015. A separate 2015 study by Accenture estimated cyberattacks would cost our health care
system $305 billion over a five-year period. A 2017 report by Trend Micro scanned Shodan, a
search engine for internet-connected devices, and found over 100,000 healthcare devices and
systems exposed directly to the public internet, including EHR systems, medical devices, and
network equipment.[1]
The increased use of technology in health care certainly has the potential to improve the
quality of patient care, expand access to care (including by extending the range of services,
through telehealth), and reduce wasteful spending. However, the increased use of technology has
also left the health care industry more vulnerable to attack, as the industry has embraced
innovation that imbues ever-more products, processes, and services with internet connectivity
and software-based functionality – with security and resiliency often an afterthought. As we
welcome the benefits of health care technology we must also ensure we are effectively protecting
patient information and the essential operations of our health care entities.
[1] Mayra Rosario Fuentes, “Cybercrime and Other Threats Faced by the Healthcare Industry,” Trend Micro (2017),
available at: https://documents.trendmicro.com/assets/wp/wp-cybercrime-and-other-threats-faced-by-the-healthcare-industry.pdf
I would like to work with you and other industry stakeholders to develop a short and long
term strategy for reducing cybersecurity vulnerabilities in the health care sector. In the coming
weeks I plan to seek broad input from leading public and private health care entities. I am
reaching out to you to start that dialogue and to gather facts and relevant information that may
assist policymakers in advancing information security in the health care sector. It is my hope
that with thoughtful and carefully considered feedback we can develop a national strategy that
improves the safety, resilience, and security of our health care industry. In that effort I would like
to know:
1. What proactive steps has your organization taken to identify and reduce its cyber security
vulnerabilities?
2. Does your organization have an up-to-date inventory of all connected systems in your
facilities?
3. Does your organization have real-time information on the patch status of all connected
systems in your facilities?
4. How many of your systems rely on beyond end-of-life software and operating systems?
5. Are there specific steps your organization has taken to reduce its cybersecurity
vulnerabilities that you recommend be implemented industry wide?
6. One of the imperatives from the Health Care Industry Cybersecurity Task Force Report[2]
is for the sector to “develop the health care workforce capacity necessary to prioritize and
ensure cybersecurity awareness and technical capabilities.” To that end, what workforce
and personnel challenges does your organization face in terms of security awareness and
technical capacity? What steps have you taken to develop the security awareness of your
workforce and/or add or grow technical expertise within your organization?
7. Has the federal government established an effective national strategy to reduce
cybersecurity vulnerabilities in the health care sector? If not, what are your
recommendations for improvement?
8. Are there specific federal laws and/or regulations that you would recommend Congress
consider changing in order to improve efforts to combat cyberattacks on health care
entities?
9. Are there additional recommendations you would make in establishing an industry wide
strategy to improve cybersecurity in the health care sector?
[2] “Health Care Industry Cybersecurity Task Force,” U.S. Department of Health and Human Services (2017), available at
https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
Thank you for your consideration of this letter. We look forward to your written responses to
these questions. Given the sensitive nature of these issues, we will treat your responses fully
confidentially. Please send your responses to cyber@warner.senate.gov by Friday, March 22,
2019. I look forward to receiving your response and to working in a collaborative way to address
this critical issue.
Sincerely,
MARK R. WARNER
United States Senator