As White House preps new cyber rules for healthcare, Neuberger says backlash is unwarranted

SAN FRANCISCO — White House official Anne Neuberger said cybersecurity regulations for the healthcare industry are coming, and she questioned the emerging industry backlash to them, citing several recent high-profile incidents where basic measures would have prevented extraordinary harm. 

Speaking at the RSA Conference on Thursday, Neuberger said government officials have been asking hospitals and healthcare organizations to take basic steps to protect themselves and patient data for more than a decade.  

Efforts to get the healthcare industry to adopt multi-factor authentication, offline backups and encrypted data have fallen on deaf ears, she explained, prompting the U.S. government to take further action. 

“People now often say, ‘Well, they're revictimizing the victim,’” by lining up additional regulatory requirements for the industry, said Neuberger, who is the deputy national security adviser for cyber. “And I think we need to look at it as, by the time a Change Healthcare attack happens, when for a decade, we've been calling and saying ‘companies, encrypt your data, use MFA.’ Are they still a victim? Or is there a question of, is this negligence?” 

It’s fair to say “that there’s an expectation of good housekeeping if you're operating a hospital, if you're operating a pipeline.” she said.

She went on to criticize UnitedHealth Group for not having patient data encrypted in Change Healthcare unit, a subsidiary, before it was hacked earlier this year. Neuberger argued that if the data had been properly protected, the ransomware gang that breached company networks would not have been able to do much with it. 

UnitedHealth CEO Andrew Witty told Congress last week that likely a third of all Americans may have had their information stolen during the ransomware attack on its subsidiary Change Healthcare. 

Neuberger told the audience that the federal government is currently working with the hospital sector to put in place minimum requirements “to help hospitals ensure that they are doing what they need to to keep patients safe.”

“We'll be rolling out a free cybersecurity program to the country’s 1,400 rural [healthcare] networks in the next couple of months. We'll also be rolling out these new cybersecurity rules for hospitals,” she told Recorded Future News after the onstage conversation. 

Anne Neuberger, right, speaks at the 2024 RSA Conference in San Francisco. Image: Jonathan Greig / Recorded Future News

Since the Change Healthcare attack, which paralyzed the healthcare industry for weeks, multiple members of Congress have expressed interest in some form of legislation creating a cybersecurity baseline for what hospitals and healthcare firms should have in place. 

Witty admitted that the ransomware hackers gained entry to company  systems through a Citrix portal that did not have multi-factor authentication. 

But despite growing interest from Congress and the White House in some form of regulation, one of the largest industry groups has come out against potential rules. The American Hospital Association (AHA) — which represents thousands of hospitals as well as millions of doctors and nurses — said the focus of the federal government should be on offensive cyber operations to take down criminal gangs that continue to harm hospitals instead of regulations that “unfairly penalize hospitals and [do] not improve cybersecurity of the entire health care sector.”

White House ransomware work

Neuberger told the crowd that ransomware continues to be one of the most important issues she devotes time to.

She has a chart in her office tracking each ransomware gang disruption — from LockBit to BlackCat — and illustrating how quickly the groups reform. 

As they try to increase the tempo of ransomware gang takedowns, Neuberger said more and more federal agencies are getting involved, from law enforcement to sector risk management agencies, U.S. Cyber Command and more. 

Even little known government arms, like the Export–Import Bank of the United States, have become key players in the fight — offering critical funding for technology enhancements to Costa Rica’s government following the ransomware attack it faced in 2022. 

The ransomware effort, Neuberger explained, has coalesced around three basic actions: efforts to “turn off the spigot of money and finances” through sanctions, more frequent ransomware infrastructure takedowns and minimum standards to make critical services “harder targets to hit.”

‘Sobering lessons’

Looking ahead, Neuberger compared the current conversation about AI to the issues the United States is facing with cybersecurity and Chinese infiltration of critical infrastructure. 

Security has to be embedded in every conversation about AI going forward, she said, because the lack of foresight is part of what has contributed to the current cybersecurity issues the country is facing. 

“When I think about the biggest challenge we have today — China's pre-positioning

in critical infrastructure — the fact that all of these critical services got connected to the internet without security at the beginning and now we're trying at the end to layer it on top, it's more costly and less effective,” she said.

“There's a powerful lesson learned for AI in terms of how we bake in, as we begin using AI in critical parts of our economy, how we protect models that companies are training. How do we prevent them from being hacked? And so there's really powerful lessons from cybersecurity that applies.”

She later added that if technology is introduced “without the right security and safety built in, then we bring in what could be too high a level of risk.”

No area represents that risk more than the current election season, where AI has turbocharged disinformation and prompted concern about the flood of deepfakes and generated videos of candidates. Neuberger said efforts to create an AI watermark clearly delineating between real and fake content was a positive step in the right direction.