Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., are calling for an urgent meeting with the Department of Health and Human Services to operationalize collaboration throughout the healthcare sector to defend against the ongoing threat of ransomware attacks.
Congress “can only conduct effective oversight if we understand the challenges that [HHS] and the healthcare sector are facing,” the lawmakers wrote. As part of the briefing, the lawmakers “welcome an unclassified threat briefing from [HHS] on the cybersecurity risks to this most vital critical infrastructure sector.”
King and Gallagher were former chairs of the Cyberspace Solarium Commission, and authors of the Sector Risk Management Agency (SRMA) legislation. These efforts recognized the importance of collaboration between the executive and legislative branches to effectively organize and support public-private partnerships to defend against cyber threats.
The Presidential Policy Directive 21 established the policies for building federal partnerships with the private sector and “advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.” The healthcare sector was deemed critical infrastructure, with acknowledgement of its unique operating models and risk profiles.
The SRMA is designed to leverage each sector’s knowledge and expertise to accomplish those policy goals. The lawmakers’ briefing request aims to understand HHS’ progress on the SRMA, in addition to the patient safety impact of ransomware against healthcare.
The lawmakers are concerned “about the lack of robust and timely sharing of actionable threat information with industry partners.” There’s a need to “dramatically scale up” HHS’ capabilities and resources.
“With cyber threats growing exponentially, we must prioritize addressing the health and public health sector’s cybersecurity gaps,” the lawmakers wrote to HHS Secretary Xavier Becarra.
Recent federal efforts have both spotlighted the challenges facing healthcare and areas for improvement. Earlier this summer, the White House meeting with healthcare leaders, including HHS, stressed the need to improve healthcare cybersecurity. The FDA’s efforts to prioritize medical device security have also revived efforts to tackle healthcare’s systemic cyber issues.
Collaborative efforts and adherence to the SRMA will be crucial to furthering those goals. As such, the lawmakers are requesting a briefing from HHS on its ongoing efforts to adhere to the SRMA and collaboration within the sector to address ongoing threats.
The requested meeting would cover the means HHS uses to support healthcare cybersecurity, as well as how the assigned roles for “serving as the SRMA for the entire” sector, including coordinating with healthcare departments.
In particular, how the Administration for Strategic Preparedness and Response coordinates with the Chief Information Officer for the HHS Cybersecurity Coordination Center.
The lawmakers are also hoping to understand HHS’ authority for improving cybersecurity across the healthcare sector and current gaps in giving HHS the authority needed to improve the current state, along with the resources needed for HHS to “serve as an effective sector risk management agency.”
Further, HHS should share its current interagency coordination structures and successes, in addition to the challenges the agency is facing with ongoing cybersecurity efforts.
As the U.K. National Health Service is yet again working to recover from a cyber incident, the need to prioritize healthcare cybersecurity is paramount. Ransomware attacks against the healthcare sector pose patient safety risks, as well as operational disruptions and hefty financial impacts. Federal efforts are crucial for providing healthcare with much-needed resources.
