The Biden administration intends to require hospitals to meet minimum cybersecurity standards after a single hack exposed the data of 100 million Americans.
“We look to putting in place minimum cybersecurity standards for hospitals in the near term,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said in an interview at the Bloomberg Tech Summit in San Francisco on Thursday. Neuberger didn’t spell out the timeline in which the administration plans to push out the rule.
The proposal may extend beyond hospitals too. The administration intends to issue a notice of proposed rulemaking in coming weeks to bring in minimum cybersecurity requirements for entities that receive money from Medicare and Medicaid, according to a US official, who asked not to be named to discuss sensitive plans. That would be followed by a period of public comment, the official said.
The announcement follows a February hack against Change Healthcare, a unit of UnitedHealth Group Inc., that snarled billions of dollars of payments to doctors and hospitals, delayed patient care and saw hackers make off with patient medical data of as many as one in three Americans.
The intrusion at Change — a central node in the health-care system that carried terabytes of data for doctors, pharmacies, insurers and the government — demonstrated the way a single point of failure can compromise a nationwide industry. The breach tilted some clinics into financial peril and potentially reduced UnitedHealth’s profits this year by as much as $1.6 billion.
During the early weeks of the attack, medical billings were 20% lower than normal, Neuberger said, adding, “that’s 20% fewer procedures.”
In parallel to pushing out rules for hospital cybersecurity, the Biden administration intends to offer free training to 1,400 small, rural hospitals across the country, according to Neuberger. She said the training will become available “in the next few weeks.”
The health-care sector has been a recurrent target of criminal hackers, who have encrypted computer networks and stolen sensitive data to extort payments. On Wednesday, Ascension, one of the country’s largest chains of Catholic hospitals, said it was investigating a cybersecurity incident on some of its network systems.
“There has been a disruption of clinical operations, and we continue to assess the impact and duration of the disruption,” Ascension said, in a statement posted on its website Thursday. The nonprofit chain was investigating whether any sensitive data was affected by the incident.
Ascension didn’t immediately respond to a request for comment.
Earlier this month, UnitedHealth Chief Executive Officer Andrew Witty told US lawmakers that intruders got in through a server that didn’t have multifactor authentication — a basic cybersecurity measure — and got access to a hoard of health and personal data.
Witty expressed an openness to mandatory cybersecurity standards during his testimony. But there is likely to be resistance.
The American Hospital Association, which represents health industry interests, has previously vowed to oppose any effort to impose such mandates, arguing that fines or Medicare payment cuts would drain hospitals of the resources they need to fend off cyberattacks.
“The primary source of cyber risk exposure facing the health-care sector originates from vulnerabilities in third-party technology and service providers, not a hospital’s primary systems,” the association said, in response to queries from Bloomberg News about Neuberger’s remarks. “The AHA supports a sector-wide approach to cyber resiliency. We will continue to work with policymakers on an approach that doesn’t result in unfunded mandates and a focus on the entire critical infrastructure of the health-care sector.”
UnitedHealth is still trying to determine why its computer systems were left vulnerable, Witty told lawmakers. The company has said the full extent of that breach will take months to assess, leaving Americans in the dark about what private medical data may have been exposed, but that it paid a $22 million ransom to protect patient information.