top of page
  • ICIT Research

An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries

Updated: Feb 12

On February 21, 2019, Senator Mark Warner (D-VA), the vice chair of the Senate Intelligence Committee and co-chair of the Senate Cybersecurity Caucus, sent letters to twelve healthcare organizations and four federal agencies soliciting feedback via a series of questions on the security and resiliency of the healthcare sector. In the letter, he stated: “I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector.”


In the letters, Senator Warner asked leaders to share, among other things:

  • How they identify and reduce vulnerabilities

  • Whether they maintain an up-to-date inventory of all of the connected systems within their facilities

  • If these groups have real-time data for the patching status of these systems

  • How many systems rely on end-of-life software and operating systems

  • What steps they’ve taken to reduce risks that could be nationally implemented.

  • Details on the cybersecurity staffing shortage

  • How organizations have increased security awareness and otherwise improved cyber-hygiene.

Several of the responses from the organizations emailed were made public in late March. In this publication, entitled “An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries: The Benefits of Proactive Engagement and What We Can Glean from These Questions and Responses,” ICIT offers an analysis highlighting common themes and takeaways from the responses to-date. Some of the key takeaways discussed in this paper include:

  • Healthcare Entities Need to Collaborate

  • Healthcare Stakeholders Need to Be Proactive About Cybersecurity

  • Healthcare Networks are Becoming More Complex Because of IT/OT Convergence and Must Be Secured

  • Emerging Cybersecurity Legislation Should be Proactive and Actionable

  • A National Strategy is Necessary and Federal Guidance Must be Clarified

  • Governance Should Incentivize Security Rather than Pena