Healthcare organizations may be required to bolster their cybersecurity to better prevent sensitive information from being leaked by cyberattacks like the ones that hit Ascension and UnitedHealth (UNH.N.), a senior White House official said Friday.
TakeAway Points:
- The proposed measures are required given the vast number of Americans whose data has been impacted by significant breaches of healthcare information, the U.S. deputy national security advisor for cyber and emerging technology told reporters.
- The recommendations include mandating compliance audits to make sure networks adhere to cybersecurity regulations and encrypting data so it cannot be accessed, even if it is leaked.
- In a series of attacks that began in mid-December, hackers have infiltrated the Chrome browser extensions of many companies, according to one of the victims and specialists who have studied the campaign.
New cybersecurity rules
Anne Neuberger, the U.S. deputy national security advisor for cyber and emerging technology, told reporters that proposed requirements are necessary in light of the massive number of Americans whose data has been affected by large breaches of healthcare information. The proposals include encrypting data so it cannot be accessed, even if leaked, and requiring compliance checks to ensure networks meet cybersecurity rules.
The full proposed rule was posted to the Federal Register on Friday, and Department of Health and Human Services posted a more condensed breakdown on its website.
The healthcare information of more than 167 million people was affected in 2023 as a result of cybersecurity incidents, she said.
The proposed rule from the Office for Civil Rights (OCR) within HHS would update standards under the Health Insurance Portability and Accountability Act (HIPAA) and would cost an estimated $9 billion in the first year and $6 billion in years two through five, Neuberger said.
“We’ve made some significant proposals that we think will improve cybersecurity and ultimately everyone’s health information, if any of these proposals are ultimately finalized,” an OCR spokesperson told Reuters late Friday. The next step in the process is a 60-day public comment period before any final decisions will be made.
Large healthcare breaches caused by hacking and ransomware have increased by 89% and 102%, respectively, since 2019, she said.
“In this job, one of the most concerning and really troubling things we deal with is hacking of hospitals, hacking of healthcare data,” Neuberger said.
Hospitals have been forced to operate manually and Americans’ sensitive healthcare data, mental health information and other information are “being leaked on the dark web with the opportunity to blackmail individuals,” Neuberger said.
Hackers take over Chrome extensions for a variety of businesses
Hackers have compromised several different companies’ Chrome browser extensions in a series of intrusions dating back to mid-December, according to one of the victims and experts who have examined the campaign.
Among the victims was the California-based Cyberhaven, a data protection company that confirmed the breach in a statement on Friday.
“Cyberhaven can confirm that a malicious cyberattack occurred on Christmas Eve, affecting our Chrome extension,” the statement said. It cited public comments from cybersecurity experts. These comments, said Cyberhaven, suggested that the attack was “part of a wider campaign to target Chrome extension developers across a wide range of companies.”
“We are actively cooperating with federal law enforcement,” added Cyberhaven.
The geographical extent of the hacks was not immediately clear.
Browser extensions are typically used by internet users to customize their Web-browsing experiences, for example by automatically applying coupons to shopping websites. In Cyberhaven’s case, the Chrome extension was used to help the company monitor and secure client data flowing across Web-based applications.
Jaime Blasco, cofounder of Austin, Texas-based Nudge Security, said he had spotted several other Chrome extensions that had been subverted in the same way as Cyberhaven’s. At least one appeared to have been hit in mid-December.
Blasco said the other affected extensions included ones related to artificial intelligence and virtual private networks. He said that suggested an opportunistic effort to vacuum up sensitive data using as many compromised extensions as possible.
“I’m almost certain this is not targeted to Cyberhaven,” Blasco said. “If I had to guess, this was just random.”
The U.S. cyber watchdog CISA referred questions to the companies involved. A message seeking comment from Alphabet, which makes the Chrome browser, was not immediately returned.