Cyberspace Solarium Co-Chairs Pen Letter to Becerra on HPH Cyberthreats

On Aug. 11, U.S. Senator Angus King (I-Maine) and Representative Mike Gallagher (R-Wisc.), co-chairs of the Cyberspace Solarium Commission (CSC), sent a letter to HHS Secretary Xavier Becerra urging improved protection of the public health sector (HPH) from cyberthreats.

“The CSC was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to ‘develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences,’ says the CSC website. “The finished report was presented to the public on March 11, 2020. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 reauthorized the Commission to collect and assess feedback on the analysis and recommendations contained within the final report, review the implementation of the recommendations contained within the final report, and completing the activities originally set forth for the Commission.”

“Ransomware attacks on the HPH sector have skyrocketed in the past two years as opportunistic criminals recognized that hospitals may pay quickly to resolve issues and protect patient safety,” King and Gallagher write. “Meanwhile, the troves of personally identifiable information and personal health information make organizations in the sector valuable targets for both criminal and nation-state hackers.”

Further, “Against this backdrop, we were heartened to see the White House host an executive forum on healthcare cybersecurity and the recognition by your Department and the other participants of the importance of improving the cybersecurity of this vital critical infrastructure sector. We also appreciate the FDA’s prioritization of medical device cybersecurity and the growing ability of the Department’s Critical Infrastructure Protection Division and the Health Sector Cybersecurity Coordination Center (HC3) to explain cyber threats through a sector-focused lens.

“We remain concerned, however, about the lack of robust and timely sharing of actionable threat information with industry partners and the need to dramatically scale up the Department’s capabilities and resources. With cyber threats growing exponentially, we must prioritize addressing the HPH sector’s cybersecurity gaps.”

The lawmakers explain that they understand the partnership between the executive and legislative branches to protect against cyber threats and are requesting an assessment of certain cyber posture aspects, including:

• Current organization structure, roles, and responsibilities that HHS utilizes to support HPH cybersecurity
• Current authorities HHS has to improve cybersecurity and gaps in those authorities in the sector
• Resources that HHS requires to serve as an effective sector risk management agency—including personnel and budget resources
• Interagency coordination structures, successes, and challenges being used to support the efforts by HHS and HPH cybersecurity efforts

The letter concludes by saying that “We and our colleagues can only conduct effective oversight if we understand the challenges that your department and the HPH sector are facing. As such, as part of the briefing, I would welcome an unclassified threat briefing from your office on the cybersecurity risks to this most vital critical infrastructure sector.”