In our January 2024 article, “Ransomware in Healthcare,” Applied Policy highlighted the escalating threat of ransomware attacks on healthcare organizations, noting the rise of ransomware-as-a-service (RaaS) models that have made such attacks more accessible to cybercriminals. The persistence and severity of this issue were underscored when Change Healthcare, a unit of UnitedHealth Group Incorporated, experienced a crippling cyberattack in February.
The Change breach disrupted insurance claims and payment processes nationwide and exposed the sensitive health information of a third of Americans. While its member hospitals worked to keep patients' access to services intact, the American Hospital Association described the Change attack as “the most significant and consequential incident of its kind against the U.S. health care system in history.”
Testimony at a House Energy and Commerce Committee hearing in May revealed that the attack exploited a critical system’s lack of multifactor authentication (MFA). The hearing emphasized the need for stronger cybersecurity measures, with Committee Chair Representative Cathy McMorris Rodgers (R-WA) noting that even a $22 million ransom payment could not guarantee the protection of sensitive data from further leaks.
A report from the U.S. Government Accountability Office (GAO) released last month further highlights systemic issues in addressing ransomware risks within the healthcare sector. In “Healthcare Cybersecurity: HHS Continues to Have Challenges as Lead Agency,” the GAO asserts that the Department of Health and Human Services (HHS) has struggled to monitor healthcare organizations’ adoption of recommended cybersecurity practices. Despite initiatives to strengthen the sector’s defenses, HHS has yet to fully assess the effectiveness of these measures, leaving critical gaps in the sector’s preparedness against ransomware threats.
The Congressional hearing and the GAO report paint a sobering picture of healthcare cybersecurity as the year ends. While awareness of ransomware risks has grown, significant vulnerabilities persist.
Cybersecurity is a bipartisan concern, but Democrats and Republicans differ in their approaches to addressing it. Some observers expect a shift in cybersecurity policy under a Trump administration supported by a Republican-led Congress.
The Biden administration tried to enhance cybersecurity regulations across various sectors, including healthcare. These initiatives aimed to establish stringent standards to protect critical infrastructure and sensitive data. However, the Trump administration is expected to pivot towards deregulation, emphasizing business interests and reducing regulatory burdens. This approach may involve rolling back comprehensive cyber regulations affecting infrastructure, artificial intelligence, and anti-misinformation efforts, potentially impacting the healthcare sector’s cybersecurity landscape.
Additionally, Senator Rand Paul (R-Ky.), poised to chair the Senate Homeland Security and Governmental Affairs Committee, has expressed intentions to eliminate or significantly reduce the powers of the Cybersecurity and Infrastructure Security Agency (CISA). Paul’s concerns stem from CISA’s efforts to counter disinformation, which he believes infringe on free speech. This move could affect the agency’s role in safeguarding healthcare infrastructure against cyber threats.
These developments suggest a potential shift towards a more laissez-faire approach to cybersecurity in the healthcare sector, prioritizing reduced regulatory oversight. Healthcare organizations should stay informed about these policy changes and proactively strengthen their cybersecurity frameworks to mitigate risks in this evolving landscape.