MARK R. WARNER BANKING, HOUSING, AND Wnited States Senate ne asia Eee ane RULES AND ADMINISTRATION February 21, 2019 Sean T. Connaughton Chief Executive Officer Virginia Hospital and Healthcare Association 4200 Innslake Drive Glen Allen, VA 23060 Dear Mr. Connaughton, As you are likely aware, in recent years the security of our nation’s health care industry has been tested, with a range of incidents ranging from cyber-attacks to cyber-enabled crime directed at and/or impacting the sector. These incidents have impacted some of our largest hospital systems, insurance companies, laboratories, and the millions of patients who are served by them. Despite past breaches, private and public sector security experts have observed that our nation’s vast health care economy is still fraught with eyber security vulnerabilities, The health care industry has been identified as a lucrative target due to the valuable personally identifiable information criminals can monetize, and the lucrative opportunities to secure payment from victims of ransomware. A successful breach of a patient's health record often yields information such as social security numbers, home addresses, health histories and other sensitive records that can be sold or used for identify theft. Additionally, hackers know they can obtain large payments from ransomware attacks on health care entities that have valuable patient records and sensitive operations impacting patient safety. The Government Accountability Office estimates that over 113 million patient health care records were stolen in 2015. A separate 2015 study by Accenture estimated cyberattacks would cost our health care system $305 billion over a five-year period. A 2017 report by Trend Micro scanned Shodan, a search engine for internet-connected devices, and found over 100,000 healthcare devices and systems exposed directly to the public intemet, including EHR systems, medical devices, and network equipment! The increased use of technology in health care certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending. However, the increased use of technology has also left the health care industry more vulnerable to attack, as the industry has embraced innovation that imbues ever-more products, processes, and services with intemet connectivity and software-based functionality ~ with security and resiliency often an afterthought. As we " Mayra Rosario Fuentes, “Cybercrime and Other Threats Faced by the Healtheare Industry,” Trend Micro (2017), available at: hips som ybererime:s -throals-faced-by-the-healthcare- industry pd?welcome the benefits of health care technology we must also ensure we are effectively protecting patient information and the essential operations of our health care entities. I would like to work with you and other industry stakeholders to develop a short and long term strategy for reducing cybersecurity vulnerabilities in the health care sector. In the coming ‘weeks I plan to seek broad input from leading public and private health care entities. 1 am reaching out to you to start that dialogue and to gather facts and relevant information that may assistant policymakers in advancing information security in the health care sector. It is my hope that with thoughtful and carefully considered feedback we can develop a national strategy that improves the safety, resilience, and security of our health care industry. In that effort I would like to know: . What proactive steps has your organization taken to identify and reduce its cyber security vulnerabilities? Does your organization have an up-to-date inventory of all connected systems in your facilities? Does your organization have real-time information on that patch status of all connected systems in your facilities? How many of your systems rely on beyond end-of-life software and operating systems? ‘Are there specific steps your organization has taken to reduce its cybersecurity vulnerabilities that you recommend be implemented industry wide? One of the imperatives from the Health Care Industry Cybersecurity Task Force Report” is for the sector to “develop the heath care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.” To that end, what workforce and personnel challenges does your organization face in terms of security awareness and technical capacity? What steps have you taken to develop the security awareness of your workforce and/or add or grow technical expertise within your organization? Has the federal government established an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector? If not, what are your recommendations for improvement? Are there specific federal laws and/or regulations that you would recommend Congress consider changing in order to improve efforts to combat cyberattacks on health care entities? Are there additional recommendations you would make in establishing an industry wide strategy to improve cybersecurity in the health cate sector? lealth Care Industry Cybersecurity Task Force.” U.S. Department of Health and Human Services (2017), available at: ups: phe, go./Preparedness/planning/CvberTF/Documents/tepor2017,‘Thank you for your consideration of this letter. We look forward to your written responses to these questions. Given the sensitive nature of these issues, we will treat your responses fully confidentially. Please send your responses to oyben(@ warmer senate.yov by Friday, March 22, 2019. I look forward to receiving your response and to working in a collaborative way to address this critical issue. Sincerely, Mod. © Mune, MARK R. WARNER United States Senator