US secures Microsoft, Google commitments for free rural hospital cyber services

Microsoft and Google will commit free and low-cost cybersecurity resources to some 2,100 rural hospitals across the U.S. as part of a White House-led initiative to bolster the healthcare sector’s cybersecurity posture.

The commitments announced by deputy national security advisor for cyber and emerging technology Anne Neuberger follow a slew of recent cyberattacks on the healthcare sector that have crippled prescription routing supply chains, snarled claims processing and forced ambulances to divert away from certain hospitals.

Microsoft will offer grants and discounts of up to 75% on security products tailored for smaller care centers, as well as larger rural hospitals already using the company’s services. It will also provide its most advanced security suite for free for one year, offer gratis cybersecurity assessments for qualified providers and provide training for hospital staff.

In parallel, Google will offer free endpoint security consulting and stand up a funding pool to assist hospitals with software migration. It will also launch a pilot program to help the hospitals develop customized security packages that address their unique infrastructure needs.

The National Security Council reached out to multiple firms to gauge interest in providing the services. Microsoft and Google “were the two that raised their hands” but the White House is hoping more will get involved, said Neuberger in a Sunday call with reporters to preview the announcement. 

Hospitals receiving the services span the country, from Maine to Texas and the Midwest. Rural hospitals, defined as being more than 35 miles from another hospital, have become a top issue for NSC because patients have to travel further to access care if they are impacted by a cyber intrusion.

“What we’re trying to do is help the most vulnerable hospitals and, frankly, the hospitals that typically have the least resources,” Neuberger said. The Biden administration is preparing to roll out minimum cybersecurity standards for hospitals but the U.S. faces a likely challenge of pushing unwanted regulations on the private sector.

“Part of the challenge for us we find is that we see people often want it both ways,” she said. “They don’t want regulation. They don’t want the government saying they need to do some key things to stay safe. But as attacks rise — without those key steps — companies are more vulnerable than they need to be.”

A February cyberattack on UnitedHealth’s Change Healthcare unit caused massive cascading impact in what was arguably the largest cyberattack on the U.S. healthcare industry to date. Some 36% of respondents to a recent American Medical Association survey experienced claim payment suspensions, while 32% said they were unable to submit claims altogether. It highlighted how a “single point of failure” can enable one cyberattack alone to cause hampering effects on a number of people.

A separate hack into Ascension’s healthcare network last month has crippled multiple hospitals’ operations over the past several weeks, forcing ambulances to divert as staff take systems offline.

Healthcare infrastructure is a treasure trove for hackers because it often contains digital repositories of sensitive patient information that, if pilfered, can be sold to other criminal cyber operatives for use in extortion or fraud schemes. 

Hackers frequently target hospitals by quietly injecting malware into their networks that holds sensitive data or essential systems hostage in exchange for a ransom payment, known as ransomware. Paying cyber ransoms is a difficult decision and hotly debated topic, as victims have to deliberate in a matter of days or hours over whether cybercriminals will keep their promise to return stolen data once payments are made out.

A February intelligence community analysis says cyberattacks against the healthcare sector skyrocketed 128% in 2023, with 258 known victims that year versus 113 in 2022.