Senator Warner Suggests HIPAA Policy Changes To Improve Healthcare Cybersecurity

A white paper has been released by Senator Mark Warner, the Chairman of the Senate Committee on Intelligence, to emphasize the challenges posed to the health sector and to make several recommendations for potential policy changes that may help to improve healthcare cybersecurity. 

According to the ‘Cybersecurity is Patient Safety’ white paper, more than 45 million people were affected by cybersecurity attacks in 2021, a 32 percent increase from the previous year. Sen. Warner contends that a partnership between the public and private sectors, with the federal government serving as the overall leader, is the only method for improving healthcare cybersecurity effectively. Even if more regulation may be required, stakeholders in the healthcare sector agree that the best course of action is to provide incentives for cybersecurity development rather than requiring cybersecurity improvements and threatening financial penalties for noncompliance.

The white paper makes many policy reform recommendations to strengthen cybersecurity in the healthcare sector. The first is to improve federal leadership. According to the white paper, in order to guarantee that HHS speaks with one voice about cybersecurity in health care, including expectations of external stakeholders and the government’s role, a senior leader should be appointed. Currently, the HHS is the Sector Risk Management Agency for the health sector. However, several agencies within the HHS have a variety of different cybersecurity policies and jurisdictions. The second is to improve security incident preparedness and response. The white paper suggests that more work is required to encourage healthcare organizations to prepare for attacks. It is argued that the HHS could order healthcare facilities to treat cyberattacks in the same way as natural disasters. This could include requiring hospital staff to receive training on how to use analog equipment and legacy systems, as well as establishing a disaster relief program for those who have been the victims of cyberattacks.

The third suggestion is to modernize HIPAA. Since the Health Information Portability and Accountability Act was introduced in 1996, it has received a number of updates to conform with the ever-changing digital healthcare landscape. The white paper recommends that Congress order the HHS to update HIPAA to broaden the definition of covered entities and to specify the permitted uses and disclosures of entities not currently classified as HIPAA-regulated entities. The fourth suggestion is to improve medical device security. The white paper suggests that incentives should be offered to healthcare organizations to invest in systems for tracking medical equipment and that restrictions should be implemented on the sale of medical devices with software that has reached end-of-life. Other suggestions include addressing the current cybersecurity talent shortage and reducing the cost of cyber insurance.

“Unfortunately, the health care sector is uniquely vulnerable to cyberattacks and the transition to better cybersecurity has been painfully slow and inadequate. The federal government and the health sector must find a balanced approach to meet the dire threats, together as partners with shared responsibilities”, says Sen. Warner. “Senator Warner believes that cybersecurity is patient safety and must no longer be a secondary concern; it must become incorporated into every organization’s business model”.