MARK R. WARNER
BANKING, HOUSING, AND
URBAN AFFAIRS
United States Senate
etry 25.209 ce Ad
The Honorable Seema Verma
Centers for Medicare and Medicaid Services
200 Independence Ave SW
Washington, DC 20201
Dear Administrator Verma:
As you are likely aware, in recent years the security of our nation’s health care industry
has been tested, with a range of incidents ranging from cyber-attacks to cyber-enabled crime
directed at and/or impacting the sector. These incidents have impacted some of our largest
hospital systems, insurance companies, laboratories, and millions of patients served by them.
Despite past breaches, private and public sector security experts have observed that our nation’s
vast health care economy is fraught with cyber security vulnerabilities.
The health care industry has been identified as a lucrative target due to the valuable
personally identifiable information criminals can monetize and lucrative opportunities to secure
payment from victims of ransomware. A successful breach of a patient’s health record often
yields information such as social security numbers, home addresses, health histories and other
sensitive records that can be sold or used for identity theft. Additionally, hackers know they can
obtain large payments from ransomware attacks on health care entities that have valuable patient
records and sensitive operations impacting patient safety. The Government Accountability Office
estimates that over 113 million patient health care records were stolen in 2015. A separate 2015
study by Accenture estimated cyberattacks would cost our health care system $305 billion over a
five year period. A 2017 report by Trend Micro scanned Shodan, a search engine for internet-
connected devices, and found over 100,000 healthcare devices and systems exposed directly to
the public internet, including EHR systems, medical devices, and network equipment.¹
The increased use of technology in health care certainly has the potential to improve the
quality of patient care, expand access to care (including by extending the range of services
through telehealth), and reduce wasteful spending. However, the increased use of technology has
also left the health care industry more vulnerable to attack, as the industry has embraced
innovation that imbues ever-more products, processes, and services with internet connectivity
and software-based functionality — with security and resiliency often an afterthought. As we
welcome the benefits of health care technology we must also ensure we are effectively protecting
patient information and the essential operations of our health care entities.
¹ Mayra Rosario Fuentes, “Cybercrime and Other Threats Faced by the Healthcare Industry,” Trend Micro (2017),
available at: https://documents.trendmicro.com/assets/wp/wp-cybercrime-and-other-threats-faced-by-the-healthcare-industry.pdf
I would like to work with your agency and other industry stakeholders to develop a short and
long term strategy reducing cybersecurity vulnerabilities in the health care sector. In the coming
weeks I plan to seek broad input from leading public and private health care entities. It is my
hope that with thoughtful and carefully considered feedback we can develop a national strategy
that improves the safety, resilience, and security of our health care industry. In that effort I would
like to know:
1. To date, what proactive steps has your agency taken to identify and reduce cyber security
vulnerabilities in the health care sector?
2. How has your agency worked to establish an effective national strategy to reduce
cybersecurity vulnerabilities in the health care sector?
3. Has your agency engaged private sector health care stakeholders to solicit input on
successful strategies to reduce cybersecurity vulnerabilities in the health care sector? If
so, what has been the result of these efforts?
4. Has your agency worked collaboratively with other federal agencies and stakeholders to
establish a federal strategy to reduce cybersecurity vulnerabilities in the health care
sector? If so, who has led these efforts and what has been the result?
5. Are there specific federal laws and/or regulations that you would recommend Congress
consider changing in order to improve your efforts to combat cyberattacks on health care
entities?
6. Are there additional recommendations you would make in establishing a national strategy
to improve cybersecurity in the health care sector?
Thank you for your consideration of this letter. Should you have any additional questions or
comments please do not hesitate to reach out to my office. Please send your responses to
cyber@warner.senate.gov by Friday, March 22, 2019. I look forward to receiving your response
and to working in a collaborative way to address this critical issue.
Sincerely,
MARK R. WARNER
United States Senator
cc: The Honorable Scott Gottlieb, Commissioner, Food and Drug Administration
The Honorable Alex Azar, Secretary, Department of Health and Human Services
The Honorable Walter Copan, Director, National Institute of Standards and Technology