White House wants to set minimum cyber standards for hospitals, healthcare

Dive Brief:

  • The White House plans to work with the Department of Health and Human Services on a plan to develop minimum standards to protect the healthcare sector from ransomware and other malicious cyber activity, according to Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said Thursday.
  • The administration is working with HHS and the Centers for Medicare and Medicaid to raise minimum cybersecurity standards, said Neuberger, speaking at the Aspen Security Forum. It’s part of an ongoing effort by the White House to improve security across 16 critical infrastructure sectors
  • Neuberger noted a recent wave of attacks is linked to a security flaw that has been on the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog for weeks. Neuberger did not specify which vulnerability she was referencing, but HHS in late November urged hospitals and other healthcare facilities to urgently patch against the CitrixBleed vulnerability.  The vulnerability was already exploited in numerous ransomware attacks since October.

Dive Insight:

HHS last week released a concept paper on how to strengthen the resilience of the U.S. healthcare sector. 

The agency noted a surge in malicious activity against the industry, with a 93% increase in large breaches from 2018-2022 and a 273% surge in large breaches involving ransomware. 

Ardent Health Services, which runs 30 hospitals and 200 other healthcare sites in six states, had to take its network offline and divert emergency care following an attack that impacted Thanksgiving holiday healthcare services. 

HTC Global Services, which provides technology to the healthcare industry and other sectors, confirmed a cyberattack, which security researcher Kevin Beaumont linked to a CitrixBleed exploit. The threat group AlphV/BlackCat claimed responsibility for an attack on the company, posting evidence of stolen data. 

The Biden administration has been working on a global effort to crack down on ransomware payments, too. 

Neuberger cited data showing organizations in the U.S. have paid out more than $2.3 billion over the last two years in ransom payments. 

In addition, the Office of the Director of National Intelligence spoke with ransomware negotiators, who told them that companies that regularly backup data offline were able to recover far more quickly than companies that failed to do regular backups, according to Neuberger.