“We look to putting in place minimum cybersecurity standards for hospitals in the near term,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said in an interview at the Bloomberg Tech Summit in San Francisco on Thursday. Neuberger didn’t spell out the timeline in which the administration plans to push out the rule.
The announcement follows a February hack against Change Healthcare, a unit of UnitedHealth Group Inc., that snarled billions of dollars of payments to doctors and hospitals, delayed patient care and saw hackers make off with patient medical data of as many as one in three Americans.
The intrusion at Change — a central node in the health-care system that carried terabytes of data for doctors, pharmacies, insurers and the government — demonstrated the way a single point of failure can compromise a nationwide industry. The breach tilted some clinics into financial peril and potentially reduced UnitedHealth’s profits this year by as much as $1.6 billion.
During the early weeks of the attack, medical billings were 20 percent lower than normal, Neuberger said, adding, “that’s 20 percent fewer procedures.”
In parallel to pushing out rules for hospital cybersecurity, the Biden administration intends to offer free training to 1,400 small, rural hospitals across the country, according to Neuberger. She said the training will become available “in the next few weeks.”
The health-care sector has been a recurrent target of criminal hackers, who have encrypted computer networks and stolen sensitive data to extort payments. On Wednesday, Ascension, one of the country’s largest chains of Catholic hospitals, said it was investigating a cybersecurity incident on some of its network systems.
“There has been a disruption of clinical operations, and we continue to assess the impact and duration of the disruption,” Ascension said, in a statement posted on its website Thursday. The nonprofit chain was investigating if any sensitive data was impacted by the incident.
Ascension didn’t immediately respond to a request for comment.
Earlier this month, UnitedHealth Chief Executive Officer Andrew Witty told U.S. lawmakers that intruders got in through a server that didn’t have multifactor authentication — a basic cybersecurity measure — and got access to a hoard of health and personal data.
Witty expressed an openness to mandatory cybersecurity standards during his testimony. But there is likely to be resistance.
The American Hospital Association, which represents health industry interests, has previously vowed to oppose any effort to impose such mandates, arguing that fines or Medicare payment cuts would drain hospitals of the resources they need to fend off cyber attacks. A representative for the association didn’t immediately respond to a request for comment on Neuberger’s remarks.
UnitedHealth is still trying to determine why its computer systems were left vulnerable, Witty told lawmakers. The company has said the full extent of that breach will take months to assess, leaving Americans in the dark about what private medical data may have been exposed, but that it paid a $22 million ransom to protect patient information.
(With assistance from Jamie Tarabay.)
©2024 Bloomberg L.P., Distributed by Tribune Content Agency, LLC.