Biden gov’t to introduce healthcare cybersecurity mandates

WASHINGTON, UNITED STATES — Amid the spate of cyberattacks on the healthcare industry, the Biden administration is set to introduce mandatory cybersecurity standards for hospitals and healthcare entities receiving Medicare or Medicaid funding.
This move comes in the wake of a massive cyberattack on Change Healthcare, a unit of UnitedHealth Group, which disrupted billions in payments and exposed the medical data of up to 100 million Americans.
Deputy National Security Advisor Anne Neuberger announced the plans at the Bloomberg Tech Summit on Thursday.
“We look to putting in place minimum cybersecurity standards for hospitals in the near term,” she stated, without specifying a timeline.
The unprecedented Change Healthcare breach highlighted the vulnerability of the healthcare system to a single point of failure.
During the early weeks, medical billings were 20% lower than normal, indicating delayed patient care. “That’s 20% fewer procedures,” Neuberger claimed.
Free cybersecurity education for rural hospital staff
To assist smaller facilities, the White House intends to offer free cybersecurity training to 1,400 rural hospitals in the coming weeks.
The American Hospital Association (AHA) has previously opposed mandatory standards, arguing that fines or payment cuts could strain resources needed to combat attacks.
“The primary source of cyber risk exposure facing the health-care sector originates from vulnerabilities in third-party technology and service providers, not a hospital’s primary systems,” the association told Bloomberg.
“The AHA supports a sector-wide approach to cyber resiliency. We will continue to work with policymakers on an approach that doesn’t result in unfunded mandates and a focus on the entire critical infrastructure of the health-care sector.”
UnitedHealth reported that the ransomware strike cost $872 million in the first quarter of 2024. According to a CNBC report, UnitedHealth did not specify the ransom amount, but earlier this year, Reuters reported that the cybercriminal group claiming responsibility received $22 million in bitcoins.
The frequency of ransomware attacks against healthcare providers has surged in recent years, with the number doubling from 2016 to 2021, according to a 2022 study published in JAMA Health Forum.