Senate Intelligence Committee Chairman Mark Warner, D-Va., is calling on the Department of Health and Human Services (HHS) to improve its collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) to better protect the health care sector from cyberattacks – and designate a senior leader to lead the agency’s cyber efforts.
In a new policy options paper, Sen. Warner explained that the health care sector is one of the most difficult sectors to protect, given its reliance on legacy technology, highly varied attack surface, and a high-pressure environment where slight delays can be the difference between life and death.
HHS is the designated Sector Risk Management Agency (SRMA) for the health care sector, but the senator said his staff has learned of a lack of communication with the nation’s cyber defense agency.
“Staff has heard from industry experts about a lack of coordination between HHS (as the SRMA) and CISA, the U.S. government’s lead on ensuring cybersecurity integrity in commercial and infrastructure networks,” the paper says. “Stakeholders have shared no matter who is in charge, so to speak, they would welcome increased timely, actionable, health care-specific cybersecurity guidance.”
The paper also notes that some stakeholders said the agencies within HHS often have different cybersecurity postures and policies, “leading to varied levels of experience regarding cybersecurity as well as varied prioritization.”
With a lack of coordination and defined roles, Sen. Warner argued that HHS should have a senior leader who reports directly to the secretary of HHS to lead the agency’s cybersecurity efforts and ensure accountability.
“The person in this role should be empowered – both operationally and politically – to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role,” the paper states. “This person should also work to effectively partner with other agencies to further these goals and advocate for HHS having the resources it needs to be successful.”
Sen. Warner is seeking feedback on this recommendation, along with others in his policy paper, by Dec. 1. Anyone interested in submitting comments on the paper can send a letter or an email to cyber@warner.senate.gov.