Sen. Mark Warner (D-Va.) is aiming to introduce health care cybersecurity legislation during the first quarter of 2023 that could set minimum standards for health care organizations to protect patient data.
The Senate Cybersecurity Caucus co-founder issued a report on the state of health care cybersecurity in November, arguing that poor cybersecurity in the sector imperils patients’ lives.
Warner told POLITICO he believes standards could be enforceable by, for example, tying Medicare or Medicaid payment to cybersecurity levels.
Warner also said that the federal government and HHS need stronger leadership on the issue. Currently, authority is spread across a number of officials, and Warner’s report called for HHS to have a “senior leader” to “speak with one voice” on cybersecurity.
“Nobody’s in charge,” Warner said in an interview. “We may even need to elevate this above HHS to some White House level so you can really have some juice with other secretaries.”
HHS didn’t respond to a request for comment.
Warner is seeking partners in the effort. He noted that Sen. Bill Cassidy (R-La.), the ranking member of the Senate HELP Committee, and Sen. Jacky Rosen (D-Nev.), who sits on both the Homeland Security and Governmental Affairs Committee and the HELP panel, have worked on cybersecurity. Cassidy and Rosen co-sponsored legislation last Congress to mandate that HHS and DHS’ Cybersecurity and Infrastructure Security Agency work more closely to prevent cyberattacks.
Warner is also trying to determine whether the legislation should come in one large package or in smaller bills dealing with discrete issues.
Why it matters: Hackers have slammed the health care sector in recent years, compromising the data of nearly 50 million people in the U.S. in 2021, according to a POLITICO analysis of the latest HHS data.
Industry groups are concerned about potential penalties for organizations that are breached. Some have argued that such penalties would further punish the victims.
The American Hospital Association, the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security have pushed for measures like “safe harbors” and incentives over penalties in some situations.
But Warner’s not averse to regulation. He co-authored legislation, which became law last spring, that required critical infrastructure companies to report cybersecurity incidents to the government. His legislation mandating minimum security levels for some government devices also became law in 2020.