Cybersecurity is Patient Safety: Policy Options in the Health Care Sector

Mary Madison, RN, RAC-CT, CDP
Clinical Consultant – Briggs Healthcare

45 MILLION people were affected by attacks on the health care sector in 2021.

An Increasingly Dangerous Threat

Over the past decade, the American public has witnessed increasingly brazen and disruptive attacks on its health care sector that jeopardize sensitive personal information, delay treatment, and ultimately lead to increased suffering and death.  In 2021, cybersecurity attacks on health care providers reached an all-time high, with one study indicating that more than 45 million people were affected by such attacks in 2021 – a 32 percent increase over 2020.

The health care sector is vulnerable to cyberattacks for a number of reasons, including its reliance on legacy technology, a wide and highly varied attack surface (that only grows more complex from the ever-increasing number of connected devices), a high-pressure environment where even the slightest delay can have life-or-death consequences, funding constraints, and an outdated mode of thinking that views cybersecurity as a secondary or tertiary concern.

These challenges are compounded when coupled with the incredibly alluring target that the health care sector presents to cybercriminals. Personal health information is more valuable on the black market than even credit card information, as hackers can sell stolen medical records for anywhere from $10 to $1,000 per record. These attacks are also costly, with the health care industry seeing the highest cost per breach of any industry, according to IBM’s annual Cost of a Data Breach report.

Although these cybersecurity vulnerabilities certainly leave health care organizations exposed to patient data theft, they often have far-reaching, and more serious, impacts beyond privacy concerns. Cyberattacks can be detrimental to patient safety, as they can lock physicians out of treatment tools, shut down hospital equipment used for care, and create backlogs that delay appointments and treatment. When it comes to cyberattacks affecting patient care, the question is no longer a matter of if or when, but how often and how catastrophic the consequences.”

The above statements are from the introduction to this paper posted on Thursday, November 3, 2022 by Senator Warner’s office.  Warner is the chairman of the Senate Intelligence Committee.

“In recent months, Senator Warner and his staff (in this paper referred to as “staff”) have engaged with numerous security researchers, business leaders, advocacy groups, and trade associations to gather input on the cybersecurity challenges facing the health care sector and potential solutions to these issues with the ultimate goal of protecting patient safety.

Following these conversations, it has become readily apparent that the way that cybersecurity is treated by those in health care sector needs to change. Cybersecurity can no longer be viewed as a secondary concern; it must become incorporated into every organization’s – from equipment manufacturers to health care providers – core business models. This paper will consider various challenges and proposals aimed at changing the way that the health care sector addresses the cybersecurity challenges it faces.

Changing the health care sector’s posture toward cybersecurity will require significant effort and resources from both the public and private sector. The first chapter of this paper covers challenges that the federal government needs to address to improve our national risk posture when it comes to cybersecurity in the health care sector. The second chapter looks at ways that the federal government can help the private sector meet this threat as well as potential requirements that could be mandated by the federal government. Finally, the third chapter considers policies that could help health care providers respond to attacks after they have occurred.

Senator Warner is releasing this policy options document with the intent of soliciting feedback from stakeholders on the potential options described within. Any individuals, researchers, businesses, organizations, or advocacy groups that are interested in submitting comments – specific to the content and questions outlined in this document or additional ideas or language for inclusion in eventual legislation – should send a letter or an email to

All submissions should:

• Be in the form of a PDF attachment. The attachment should be saved using the name of the organization and/or individual submitting the comment.

• Be as specific and detailed in their recommendations as possible.

• Include the contact name, organization, phone number, and email address in the body of the email. Please be advised that Senator Warner’s office requests individuals refrain from including any personally identifiable information, such as private home addresses or social security numbers, in their submission.

• Be submitted prior to December 1, 2022.”

This is a must-read for all healthcare providers. I encourage you to provide feedback on the options presented in the paper.

[Note: I provided the bolding and italics for this blog.]