An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries
Parham Eftekhari, Executive Director of the Institute for Critical Infrastructure Technology (ICIT)
On February 21, 2019, Senator Mark Warner (D-VA), the vice chair of the Senate Intelligence Committee and co-chair of the Senate Cybersecurity Caucus, sent letters to twelve healthcare organizations and four federal agencies soliciting feedback via a series of questions on the security and resiliency of the healthcare sector. In the letter, he stated: “I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector.”
In the letters, Senator Warner asked leaders to share, among other things:
- How they identify and reduce vulnerabilities
- Whether they maintain an up-to-date inventory of all of the connected systems within their facilities
- If these groups have real-time data for the patching status of these systems
- How many systems rely on end-of-life software and operating systems
- What steps they’ve taken to reduce risks that could be nationally implemented
- Details on the cybersecurity staffing shortage
- How organizations have increased security awareness and otherwise improved cyber-hygiene
In response, ICIT has published An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries: The Benefits of Proactive Engagement and What We Can Glean from These Questions and Responses, authored by Drew Spaniel, Lead Researcher, and Parham Eftekhari, Executive Director. Some of the key takeaways discussed in this paper include:
- Healthcare Entities Need to Collaborate
- Healthcare Stakeholders Need to Be Proactive About Cybersecurity
- Healthcare Networks are Becoming More Complex Because of IT/OT Convergence and Must Be Secured
- Emerging Cybersecurity Legislation Should be Proactive and Actionable
- A National Strategy is Necessary and Federal Guidance Must be Clarified
- Governance Should Incentivize Security Rather than Penalize Infractions
- Safe Harbor May Be Necessary for Certified and HIPAA Compliant Entities
- Certification Programs Would Increase Security Past Minimal Compliance
“Securing the health sector requires meaningful collaboration from care providers, policy makers, and technology manufacturers,” says Mr. Eftekhari. “One of the most important discussions these groups should be having is around how to ensure that new software, medical devices, and equipment is engineered and manufactured with fewer vulnerabilities in the first place. Responsible software development practices will lead to improved resiliency, fewer successful attacks, and a more effective ROI on already skyrocketing cybersecurity spending across healthcare organizations.”
Join Parham Eftekhari as a guest panelist on our upcoming 4th Annual Cybersecurity Panel Discussion.