Biden administration boosts healthcare cybersecurity following 128% rise in cyberattacks; ropes in Microsoft, Google

The U.S. administration announced on Monday initiatives to enhance cybersecurity measures, aimed at strengthening the protection of Americans’ access to healthcare. The move comes after recent cyberattacks on the nation’s healthcare system, emphasizing the increased vulnerability of hospitals and payment systems. The federal move works to ‘relentlessly’ improve the resilience of the healthcare sector to cyberattacks. Many healthcare companies are private sector owned and operated, so private sector uptake and partnership are key to meaningful improvements in the sector’s ability to withstand attacks.

The move by the Biden administration comes as cyberattacks against the American healthcare system rose 128% from 2022 to 2023. These cyberattacks have significantly disrupted healthcare providers, with one attack on a crucial payment system causing urgent funding issues, and another forcing some hospitals to redirect patient care. The lengthy resolution process for these disruptions often delays access to necessary healthcare services and payment systems. 

In February and March this year, the U.S. experienced one of the most significant healthcare-related cyberattacks to date. During the attack, providers reported that one out of every three healthcare claims in the country was impacted, leading to disruptions in timely payment to healthcare providers.

Cyberattacks on healthcare can be particularly disruptive to rural hospitals, which serve over 60 million Americans. Most rural hospitals are critical access hospitals, meaning they are located more than 35 miles from another hospital, which makes diversions of patients and staffing-intensive manual workarounds in response to attacks more difficult. Recognizing the critical role these hospitals play in the communities they serve, the White House worked with and received commitments from U.S. technology providers to provide free and low-cost resources for all 1,800-2,100 rural hospitals across the nation.

As part of this initiative to improve the security and resilience of the U.S. rural hospital system, private sector partners have made several commitments. For independent critical access hospitals and rural emergency hospitals, Microsoft is extending its nonprofit program to provide grants and up to a 75 percent discount on security products optimized for smaller organizations.

For participating larger rural hospitals already using eligible Microsoft solutions, Microsoft is providing its most advanced security suite at no additional cost for one year. Microsoft will also provide free cybersecurity assessments by qualified technology security providers and free training for frontline and IT staff at eligible rural hospitals throughout the country to deepen resiliency to malicious cyberattacks. Additionally, Microsoft will extend security updates for Windows 10 to participating hospitals for one year at no cost.

The administration also said that Google will provide endpoint security advice to rural hospitals and non-profit organizations at no cost and a pool of funding to support software migration. Google is also committing to launch a pilot program with rural hospitals to develop a package of security capabilities that fits these hospitals’ unique needs.

Microsoft said that the new cybersecurity program will support hospitals serving more than 60 million people living in rural America. In 2023, the healthcare sector reported more ransomware attacks than any other critical infrastructure sector, and attacks involving ransomware against the healthcare sector were up nearly 130%. Cyberattacks also disrupt healthcare operations across the country and pose a direct threat to patient care and essential operations of hospitals.

In rural communities, these attacks can be devastating, particularly to smaller, independent Critical Access and Rural Emergency hospitals, which have limited means to prevent and remediate security risks and are often the only healthcare option for many miles in the communities they serve.

The Microsoft announcement was made in close collaboration with the U.S. White House, the American Hospital Association (AHA), and the National Rural Health Association. Microsoft will work with the three institutions on the rollout, adoption, and effectiveness of the program.

“Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans’ access to critical care. Rural hospitals are particularly hard hit as they are often the sole source of care for the communities they serve and lack trained cyber staff and modern cyber defenses,” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies. “President Biden is committed to every American having access to the care they need, and effective cybersecurity is a part of that. So, we’re excited to work with Microsoft to launch cybersecurity programs that will provide training, advice and technology to help America’s rural hospitals be safe online.”

“Hospitals and health systems have invested significant resources to guard against cyberattacks, but they can’t do it alone. Cybersecurity is a shared responsibility, and these investments from Microsoft help reinforce that,” said Rick Pollack, president and CEO at the AHA. “Rural hospitals are often the primary source of healthcare in their communities, so keeping them open and safe from cyberattacks is critical. We appreciate Microsoft stepping forward to offer its expertise and resources to help secure part of America’s healthcare safety net.”

The AHA will continue discussions with the government and private sector companies on expanding cybersecurity offerings and resources to all hospitals and health systems. This support is critical as all hospitals and health systems continue to contend with the rapidly rising costs of providing care in their communities and preparing for all kinds of emergencies.

“Rural hospitals face a unique challenge in cybersecurity, balancing limited resources with the increasing sophistication of cyberthreats, which puts patient data and critical healthcare infrastructure at risk,” said Alan Morgan, chief executive officer of NRHA. “This important partnership with Microsoft will help ensure that rural hospitals are prepared in the future to meet this rising threat in small rural facilities.”

Apart from the security program for rural hospitals, Microsoft is working with community colleges to deliver the Cybersecurity Skills Initiative and through the TechSpark program to drive technology and cybersecurity job creation in partnership with local organizations. Through the Microsoft Airband initiative, the company collaborates with public, private, and nonprofit organizations to bring high-speed internet access to rural communities across America and build the digital infrastructure required for internet access and adoption.

The Microsoft Cybersecurity Program for Rural Hospitals in the U.S. is immediately available.

Commenting on the federal initiative, Larry Maccherone, DevSecOps Transformation Architect at Contrast Security, wrote in an emailed statement that “the reality is that this move is great but will not prevent the majority of attacks at hospitals which come from third parties. Those third parties are generally much larger companies that need to secure their apps. It’s the difference between taking patients’ temperatures when they come into the hospitals to see if they are sick and vaccinating them against measles. One is necessary but fallible. The other is actual prevention,” he added.

Earlier this month, the Cyberspace Solarium Commission (CSC) 2.0 released a report that highlights a significant rise in cyberattacks targeting the healthcare and public health sector since the start of the COVID-19 pandemic. Ransomware attacks, in particular, pose a major threat by encrypting electronic patient records, databases, and equipment, leading to potential patient harm and even fatalities in preventable situations. 
