ROB SCHMITZ, HOST:
Leaders of Microsoft are playing offense and defense on their security practices.
STEVE INSKEEP, HOST:
Yeah. They're on the defensive because of some security lapses. Yesterday, lawmakers asked executive Brad Smith how Russian and Chinese hackers gained access to federal emails through Microsoft vulnerabilities. At the same time, this week, Microsoft and Google say they're working with the White House on offense - they want to fight back against ransomware attacks at hospitals.
SCHMITZ: To talk more about this, we turned to NPR's cybersecurity correspondent, Jenna McLaughlin. Good morning.
JENNA MCLAUGHLIN, BYLINE: Good morning.
SCHMITZ: So Jenna, Microsoft is under fire for security challenges, but it does have a lot of financial resources. How is this cybersecurity crisis at hospitals different?
MCLAUGHLIN: Yeah. So Microsoft does have its own problems, but separate from those email insecurities and those potential national security concerns associated with those breaches, we've got this other problem. Cybercriminals are hoping to make money, and they're targeting the American health care system. It's really a crisis, and it's only getting worse.
SCHMITZ: So, Jenna, what kind of damage are we talking about here, and how bad has it become?
MCLAUGHLIN: It's really bad, Rob. The White House says the total number of attacks between 2022 and 2023 rose a whopping 128%. So these cybercriminals don't just break into email. At hospitals, they shut everything down, from imagery machines to communications, and they're demanding ransoms to unlock everything, because they know that health care has to get back online as fast as possible to prevent emergencies - even deaths. And it's happening everywhere.
London's hospitals are under siege as we speak, and recently, the scale of attacks has really gone up. That includes the network of 140 private Christian hospitals owned by the health care company Ascension, which is still struggling to get back online. And there was a massive attack against Change Healthcare, a company that processes payments between providers and insurance companies. That one was so bad that it's forcing clinics and pharmacies to close down because they couldn't get paid for months.
SCHMITZ: Wow. So what's being done about all this?
MCLAUGHLIN: So like you mentioned up top, the White House has announced this program with Microsoft and Google. They're going to be funneling cash and resources specifically towards rural health care facilities, because often when those places are hit by a ransomware attack, they don't have the resources to respond, and there's not a network of nearby hospitals to act as a backup. If one hospital network is down, sometimes the closest alternative is dozens of miles away. Plus, the Department of Health and Human Services is putting up $50 million of its own dollars towards a research project to help develop tools to secure the health care ecosystem. What I've been hearing a lot, though, is that this approach right now might be too little, too late.
SCHMITZ: So can you unpack that a little more for us? What else do experts say needs to happen here?
MCLAUGHLIN: So the experts I talked to say the White House program for rural hospitals misses some key problems. That includes vulnerabilities in third-party software, and actually hiring people to monitor these systems on the ground. There's also definitely an interest within cybersecurity circles that there be mandatory minimum cybersecurity standards across the health care industry. Senator Ron Wyden of Oregon wrote a letter urging HHS to do that, in light of all the major breaches. Of course, the industry's wary of moves towards regulation. It can be overly onerous and not necessarily solve the problem. But it's clear to most people I talked to that something major needs to change.
SCHMITZ: That was NPR's Jenna McLaughlin. Jenna, thank you.
MCLAUGHLIN: Thank you. Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
