PYMNTS MonitorEdge May 2024

Biden Administration to Propose Cybersecurity Standards for Hospitals, Other Entities

In response to a recent cyberattack that exposed the data of 100 million Americans, the Biden administration reportedly intends to require hospitals to meet minimum cybersecurity standards.

Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said Thursday (May 9) at the Bloomberg Tech Summit that the administration plans to issue a notice of proposed rulemaking in the coming weeks, Bloomberg reported the same day.

This rulemaking will establish minimum cybersecurity requirements not only for hospitals but also for other entities that receive funding from Medicare and Medicaid, the report said, citing an unnamed source.

The White House aims to address the vulnerabilities in the healthcare sector and protect sensitive patient information from cyberthreats, according to the report.

The announcement comes after a cyberattack targeted Change Healthcare, a unit of UnitedHealth Group, disrupting billions of dollars in payments and compromising the medical data of millions of Americans, the report said. The incident highlighted the potential consequences of a single point of failure within the healthcare system and underscored the urgent need for improved cybersecurity measures.

While the Biden administration is determined to enhance cybersecurity in the healthcare industry, there is likely to be resistance. The American Hospital Association (AHA) has previously opposed mandatory cybersecurity standards, arguing that fines or payment cuts would strain hospitals’ resources, per the report. The AHA emphasizes the importance of a sectorwide approach to cyber resiliency.

In addition to implementing cybersecurity standards, the Biden administration plans to offer free training to 1,400 small, rural hospitals across the country, according to the report. This training aims to equip healthcare professionals with the knowledge and skills to prevent and respond to cyberthreats effectively.

UnitedHealth Group CEO Andrew Witty said May 1 that the company is still investigating a security failure behind the cyberattack that impacted the firm.

Testifying before the Senate Finance Committee, Witty said the company had not yet determined why its computer systems were left open to a ransomware gang.

UnitedHealth Group’s defenses were breached when intruders accessed a server that wasn’t secured by multifactor authentication.

“We’re trying to dig through exactly why that server had not been protected,” Witty said at the time.