Biden administration proposes new cybersecurity updates to curb healthcare data leaks

US President Joe Biden's administration has announced updates to existing rules aimed at strengthening cybersecurity for medical records amid a rise in healthcare data breaches, a government official said on Friday. “In the last five years, there's been an alarming growth, 1,002 per cent, in the number of Americans affected by large breaches of healthcare information – over 167 million individuals in 2023 alone – being caused by hacking and ransomware,” said Anne Neuberger, deputy national security adviser for cyber and emerging technology. Ms Neuberger said updates will mainly affect the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, which bolstered the security and privacy of medical records. The act was passed long before ransomware was prevalent and the concept of health record digitisation was still in its infancy. Ms Neuberger said the update “strengthens cyber security protections for electronic health information and adds new cybersecurity requirements , and adds additional clarity and specificity”. She added: “One of the most concerning and really troubling things we deal with is hacking of hospitals and the hacking of healthcare data. We see hospitals forced to operate manually. We see Americans' sensitive healthcare data, sensitive mental health procedures, sensitive procedures, being leaked on the dark web with the opportunity to blackmail individuals with that.” Earlier this year, UnitedHealth, one of the largest health insurance providers in the US, told shareholders that “unfavourable cyberattack effects” had potentially cost the company hundreds of millions of dollars. According to the World Economic Forum’s 2023 Global Risks Report, widespread cyber crime and cyber insecurity were among the top 10 global risks in the short and long term, when ranked by 1,200 experts across academia, business, government and civil society. Its Global Cybersecurity Outlook for this year warned that the fast-changing technology environment could leave more people than ever vulnerable to cyber crime. Ransomware, in particular , can be problematic for healthcare providers, who have occasionally seen crucial computer systems locked until a ransom is paid. Ms Neuberger said the forthcoming updates to healthcare cybersecurity rules – the first since 2013 – will require companies to encrypt patient data, among other changes. “So if that data is hacked, it can't be leaked on the web and endanger individuals,” she said. During the media briefing, Ms Neuberger also briefly addressed the continuing investigation into what has become known as the Salt Typhoon cyber breach, flagged by officials in early December. The US has accused China of sponsoring the attack that infiltrated US communications companies and potentially left American consumers vulnerable. Initially, officials said eight US companies had been affected, but that number has since risen to nine. Ms Neuberger said US companies need to enact critical infrastructure changes and update basic cybersecurity practices. “What we've learnt from the investigation is that there's several categories of things that are needed in this space: better management of configuration, better vulnerability management of networks, better work across the telecom sector to share information when incidents occur,” she said. Voluntary commitments by companies were inadequate, she said, and explained that the administration would be seeking bipartisan support from the Federal Communications Commission (FCC) to ensure compliance from telecoms companies. Some of the changes, she said, would follow in the footsteps of regulations enacted by the UK and Australia. “When I talked with our UK colleagues and I asked … 'Do you believe your regulations would have prevented the Salt Typhoon attack?' their comment to me was: 'We would have found it faster. We would have contained it faster.' It wouldn't have spread as widely and have had the impact and been as undiscovered for as long had those regulations been in place.”

Biden administration proposes new cybersecurity updates to curb healthcare data leaks

Companies will be required to encrypt patient data, US official says, following Salt Typhoon cyber breach