Recent cyberattacks targeting the nation's healthcare system have demonstrated the vulnerability of our hospitals and payment systems. Providers across the health system had to scramble for funding after one attack on a key payment system. And some hospitals had to redirect care after another. These disruptions can take too long to resolve before full access to needed health care services or payment systems is restored. Cyberattacks against the American healthcare system rose 128% from 2022 to 2023.
In February and March of 2024 alone, the United States experienced one of the most significant healthcare-related cyberattacks to date. During the attack, providers reported that one out of every three health care claims in the United States were impacted, leading to disruptions in timely payment to healthcare providers.
Recognizing that effective cybersecurity is critical to Americans accessing the care they need, the Biden-Harris Administration is working relentlessly to improve the resilience of the healthcare sector to cyberattacks. Many healthcare companies are private sector owned and operated, so private sector uptake and partnership is key to meaningful improvements in the sector's ability to withstand attacks.
- In January of 2024, the Department of Health and Human Services launched a healthcare cybersecurity gateway website to simplify access to the Department's healthcare-specific cybersecurity information and resources and published voluntary Healthcare and Public Health Cybersecurity Performance Goals designed to help healthcare institutions plan and prioritize high-impact cybersecurity practices.
- In May of 2024, the White House convened Chief Information Security Officers and other high-level executives from across the healthcare sector - spanning care delivery organizations, medical technology companies, and industry associations - to advance cybersecurity solutions across the industry. Participants shared their organization's views on cybersecurity challenges and the need to work together with government to better share threat intelligence and adopt secure-by-design solutions for the technologies underpinning the healthcare system.
- In May of 2024, the Advanced Research Projects Agency for Health (ARPA-H) announced the launch of the Universal Patching and Remediation for Autonomous Defense (UPGRADE) program, a cybersecurity effort that will invest more than $50 million to create tools for information technology (IT) teams to better defend the hospital environments they are tasked with securing.
Healthcare-related cyber disruptions can be particularly disruptive to rural hospitals, which serve over 60 million Americans. Most rural hospitals are critical access hospitals, meaning they are located more than 35 miles from another hospital, which makes diversions of patients and staffing-intensive manual workarounds in response to attacks more difficult. Recognizing the critical role these hospitals play in the communities they serve, the White House worked with and received commitments from leading U.S. technology providers to provide free and low-cost resources for all 1,800-2,100 rural hospitals across the nation.
As part of this initiative to improve security and resilience of our rural hospital system, our private sector partners have committed to the following:
- For independent Critical Access Hospitals and Rural Emergency Hospitals, Microsoft is extending its nonprofit program to provide grants and up to a 75% discount on security products optimized for smaller organizations. For participating larger rural hospitals already using eligible Microsoft solutions, Microsoft is providing its most advanced security suite at no additional cost for one year. Microsoft will also provide free cybersecurity assessments by qualified technology security providers and free training for frontline and IT staff at eligible rural hospitals throughout the country to deepen our resiliency to malicious cyberattacks. Additionally, Microsoft will extend security updates for Window 10 to participating hospitals for one year at no cost.
- Google will provide endpoint security advice to rural hospitals and non-profit organizations at no cost and a pool of funding to support software migration. In addition, Google is committing to launch a pilot program with rural hospitals to develop a packaging of security capabilities that fit these hospitals' unique needs.