Senator discusses future of cybersecurity in health care
Democratic Sen. Mark R. Warner of Virginia published the policy options paper “Cybersecurity Is Patient Safety: Policy Options in the Health Care Sector” in November 2022. Since then, he and his staff have been in study mode, asking physicians and medical organizations to answer questions about risk, cybersecurity capabilities, federal leadership, incentives and requirements, and recovery from cyberattacks.
Warner, who served as governor of Virginia from 2002 to 2006, previously spent years working in business and technology, cofounding the company that became Nextel, which eventually merged with cell phone company Sprint. Warner is chairman of the United States Senate Select Committee on Intelligence.
Warner also cofounded the Senate Cybersecurity Caucus with former Republican Sen. Cory Gardner of Colorado, and they wrote the Internet of Things (IoT) Cybersecurity Improvement Act. That law requires minimum cybersecurity standards for IoT devices bought with federal funds. It was signed by then-President Donald Trump in 2020. In 2022, President Joe Biden signed legislation establishing reporting rules for companies responsible for critical infrastructure. The Cybersecurity and Infrastructure Security Agency oversees the reporting program.
Warner sat down with Medical Economics® to discuss some early findings and the future of government policies in health care cybersecurity. The interview has been edited for length and clarity.
Medical Economics (ME): For physicians not familiar with it, how would you introduce your policy paper that came out in November?
Sen. Mark R. Warner: I want to tell your readers that I hope I bring some bona fides to the table. I had a career in technology before I was governor or senator. As chairman of the Select Committee on Intelligence, I started the cybersecurity caucus and have put some points on the board in terms of laws that have been passed.
I want your readers to know the way that cybersecurity, health care and ransomware — it’s the fastest growing area of cyberattacks, and the most lucrative area — overlap. Patient information is more valuable on the black market than even an individual’s financial information. This is a growing area of concern, and many people are paying when they are targets of ransomware attacks. Nobody publicizes it because there are literally lives at stake.
The third thing I want readers to know is that the way the federal government addresses cyber and health care is kind of a jumble of regulations and oversight. We’ve counted 16 different federal entities that have some jurisdiction over health care and cyber. The fact that there is nobody in charge of this combination between health care and cyber is a problem.
And then the last point, probably the most important, is emergency doctors, family doctors, general practitioners are all busy — they may not have seen this, and that is kind of the root of what I’m trying to get at. Cybersecurity is, I think, viewed by the health care system, and particularly by doctor groups, as an afterthought or something that is bolted on to a practice, rather than built in from day one. The big sea change I’d like to see is, as we think about health care delivery systems, as we think about health care devices, as we think about individual doctors’ practices, that we figure out a way to make everything that’s new in health care have a cyber component built in at the front end, rather than coming in after the fact or retroactively trying to correct it.
There will be challenges, particularly if you think about smaller hospital systems or individual doctor practices. If you have legacy machines and tools in your doctor’s office — for example, an MRI machine in a rural hospital that has another 10 years of life to it. There have not been any software upgrades to make sure that device is up to current cyber standards. That’s a real problem and one for which there’s no simple solution. I do acknowledge that there are going to be legacy systems and devices that may have one set of solutions versus everything new. But what I want to communicate to the medical community is we can’t continue to have cyber always being an afterthought.
ME: For the policies under consideration, do you support having a single senior leader at U.S. Department of Health and Human Services (HHS) or another agency to oversee cybersecurity?
Warner: I do believe there needs to be, at some point, a single leadership. I worry where that exactly fits. We’re still sorting through whether somebody who’s in charge is kind of a czar or a coordinator. That’s one of the issues we’re still working through because the overlap is so high. To actually put somebody in charge, say at the White House, as opposed to coordinating, would probably require major legislative surgery. I’m not sure that’s the right solution so I’m still trying to work through that. But I do think the notion that someone at a single cabinet-level position may not fit the bill.
(Warner’s paper lists cybersecurity and health care jurisdictions under HHS and the Departments of Homeland Security, Justice and Commerce, with potential overlap with the Departments of Education and Treasury and various agencies within those departments.)
ME: The paper came out approximately four months ago. What’s next for these initiatives?
Warner: This is still an iterative process. Legislation is just the first step in a process. I mean, one of the things that I’ve seen — which doesn’t surprise me but I think is interesting — is the whole question about cybersecurity standards. I’m very conscious of legacy systems, particularly when we’re thinking about doctor practices versus major health care systems, versus new add-ons; there is a difference in cost and burden.
Some of the questions that we posed are, “Do you have minimum standards with a mandate?” “Are they all voluntary?” The trade associations that represent all parts of health care, as you would expect, say it has to be voluntary. Yet when we talk to individual health care systems, practitioners, hospitals themselves, many of them are willing to say, “We don’t want them to be too burdensome but, frankly, if we don’t have some level of mandatory, then in terms of minimum standards, voluntary just won’t work.”
This is not a perfect analogy, but my background was in the wireless industry in the early 1980s. When the wireless standards came out, there was a national standard. Rather than having a whole bunch of cell phone systems that operated on their own and didn’t interconnect, we had a single, seamless system. The opposite of that took place (in health care). When we started the (Affordable Care Act) and everybody was promising all of the benefits of electronic medical records (EMRs), our failure to have a single standard and full interoperability meant that we’ve now spent tens and tens of billions of dollars and the potential promise of EMRs to patients and savings to doctor practices have never been realized because we didn’t have some level of mandatory interconnection or national standards. So, again, not completely analogous, but that experience of being a telecom guy and then seeing EHRs, I thought it was interesting that although the trade associations are just kind of saying reflexively, “Oh, we just need to be voluntary, we don’t want any more burden.” And many of the practitioners are saying, “Well, we don’t want to invite too much.” And, frankly, everybody wants reimbursement to be part of this. But I do think there’s an understanding that if we don’t have some level of mandate or mandatory standards you can end up with a total mishmash.
ME: For each policy suggestion, there were a number of questions that you posed. Were you surprised at that number of unanswered questions? Because it feels as though there are more questions than answers.
Warner: Lots of questions. What we wanted to try to do was make clear to the community that I have some thoughts, I have some experience. But I didn’t want to come in and think that I have a single solution. I want to make sure I can solicit as much information as possible, and I’m not a health care practitioner, I want to learn.