Sen. Warner criticizes HHS and CISA for lack of coordination on cybersecurity, pushes for new cyber exec

In a policy options paper published Thursday, Warner called on both agencies to provide more timely health care sector-specific cybersecurity guidance.
Sen. Mark Warner (Mark Warned/Flickr)

Senator Mark Warner, D-VA, Thursday criticized the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) for lack of coordination on cybersecurity in the past two years, during a period when cyberattacks on the health care sector have skyrocketed.

In a policy options paper published Thursday, Warner called on the agencies to provide more timely health care sector-specific cybersecurity guidance. The lawmaker also advocated for the appointment of a new cybersecurity czar at HHS, who would report directly to the Secretary of Health.

In 2021, cybersecurity attacks on health care providers reached an all-time high, with one study indicating that more than 45 million people were affected by such attacks in 2021 – a 32 percent increase over 2020.

“Staff has heard from industry experts about a lack of coordination between HHS (as the SRMA) and CISA, the U.S. government’s lead on ensuring cybersecurity integrity in commercial and infrastructure networks,” Warner’s policy paper stated. “Stakeholders have shared no matter who is in charge, so to speak, they would welcome increased timely, actionable, health care-specific cybersecurity guidance.”


The white paper also said different agencies within HHS, which includes agencies like the Centers for Medicare and Medicaid Services and the Food and Drug Administration (FDA), have varying degrees of experience and prioritization when it comes to tackling cybersecurity challenges.

The policy paper says that the health care sector is particularly vulnerable to cyberattacks due to its reliance on legacy technologies and software, a wide and highly varied attack surface, a high-pressure environment, funding constraints, and an old model of thinking that doesn’t view cybersecurity as a primary concern. 

Personal health information is also more valuable on the black market than other sensitive data like credit card information, as hackers can sell stolen medical records for anywhere from $10 to $1,000 per record, the paper highlights. The healthcare industry has therefore seen the highest cost per breach of any industry, according to IBM’s annual Cost of a Data Breach report.

In order to reduce cyberattacks on the industry and increase vigilance, Warner’s white paper strongly pushes for HHS to create a new senior leader within the agency who reports directly to the Secretary of Health and Human Services to lead the Department’s work on and “be accountable for cybersecurity,” the paper says.

“The person in this role should be empowered—both operationally and politically—to ensure HHS speaks with one voice regarding cybersecurity in health care, including expectations of external stakeholders and the government’s role. This person should also work to effectively partner with other agencies to further these goals and advocate for HHS having the resources it needs to be successful” the policy paper states.


Sen. Warner’s staff declined to comment when asked for more information about the timing of his strong criticism of HHS and further details on lack of coordination with HHS.

HHS did not respond to request for comment at the time of publication.

Latest Podcasts