MARK R. WARNER, — United States Senate cr February 25, 2019 The Honorable Walter Copan The National Institute of Standards and Technology 100 Bureau Drive Gaithersburg, MD 20899 Dear Director Copan: [As you are likely aware, in recent years the security of our nation’s health care industry has been tested, with a range of incidents ranging from cyber-attacks to cyber-enabled crime directed at and/or impacting the sector. These incidents have impacted some of our largest hospital systems, insurance companies, laboratories, and millions of patients served by them. Despite past breaches, private and public sector security experts have observed that our nation’s vast health care economy is still fraught with cyber security vulnerabilities. ‘The health care industry has been identified as a lucrative target due to the valuable personally identifiable information criminals can monetize and lucrative opportunities to secure payment from victims of ransomware. A successful breach of a patient’s health record often yields information such as social security numbers, home addresses, health histories and other sensitive records that can be sold or used for identify theft. Additionally, hackers know they can obtain large payments from ransomware attacks on health care entities that have valuable patient records and sensitive operations impacting patient safety. The Government Accountability Office estimates that over 113 million patient health care records were stolen in 2015. A separate 2015 study by Accenture estimated cyberattacks would cost our health care system $305 billion over a five year period. A 2017 report by Trend Micro scanned Shodan, a search engine for internet- connected devices, and found over 100,000 healthcare devices and systems exposed directly to the public intemet, including EHR systems, medical devices, and network equipment. ‘The increased use of technology in health care certainly has the potential to improve the quality of patient care, expand access to care (including by extending the range of services through telehealth), and reduce wasteful spending. However, the increased use of technology has also left the health care industry more vulnerable to attack, as the industry has embraced innovation that imbues ever-more products, processes, and services with internet connectivity and sofiware-based functionality — with security and resiliency often an afterthought. As we * Mayra Rosario Fuentes, “Cybercrime and Other Threats Faced by the Healtheare Industry,” Trend Micro (2017), available at; htips,/dacuments,trendmicro.com/assets/wp!wp-cybercrime-and-other-threais-faced-by-the-healthcare- industry.pdfwelcome the benefits of health care technology we must also ensure we are effectively protecting patient information and the essential operations of our health care entities. T would like to work with your agency and other industry stakeholders to develop a short and Jong term strategy reducing cybersecurity vulnerabilities in the health care sector. In the coming ‘weeks I plan to seek broad input from leading public and private health care entities. It is my hope that with thoughtful and carefully considered feedback we can develop a national strategy that improves the safety, resilience, and security of our health eave industry. In that effort | would like to know: 1. To date, what proactive steps has your agency taken to identify and teduce cyber security vulnerabilities in the health care sector? 2. How has your agency worked to establish an effective national strategy to reduce cybersecurity vulnerabilities in the health care sector? 3. Has your agency engaged private sector health care stakeholders to solicit input on successful strategies to reduce cybersecurity vulnerabilities in the health care sector? If 80, What has been the result of these efforts? 4. Has your agency worked collaboratively with other federal agencies and stakeholders to establish a federal strategy to reduce cybersecurity vulnerabilities in the health care sector? If'so, who has led these efforts and what has been the result? 5, Are there specifie federal laws and/or regulations that you would recommend Congress consider changing in order to improve your efforts to combat cyberattacks on health care entities? 6. Are there additional recommendations you would make in establishing a national strategy to improve cybersecurity in the health care sector? ‘Thank you for your consideration of this letter. Should you have any additional questions or comments please do not hesitate to reach out to my office. Please send your responses to cyber@wamer.senate.gov by Friday, March 22, 2019. I look forward to receiving your response and to working in a collaborative way to address this critical issue. Sincerely, Wok © Mune, MARK R. WARNER United States Senator ce: The Honorable Scott Gottlieb, Commissioner, Food and Drug Administration The Honorable Alex Azar, Secretary, Department of Health and Human Services ‘The Honorable Seema Verma, Administrator, Centers for Medicare and Medicaid Services