The Sacramento Bee

Stronger safeguards needed after health care cyberattack

- Star Tribune Editorial

Unfortunately, hackers didn’t need sophisticated skills to pull off one of the nation’s most alarming and consequential health care ransomware attacks.

Instead, the cybercriminals who crippled a UnitedHealth Group subsidiary earlier this year took advantage of a basic and obvious security oversight, a revelation made public Wednesday at two congressional hearings.

The subsidiary is called Change Healthcare. It acts as the Visa/Mastercard payment system for wide swaths of health care and is entrusted with patient data. Disturbingly, it did not have multi-factor authentication (MFA) in place across all of its systems.

MFA requires users, such as employees, to have two or more credentials to log in. If one credential is stolen or compromised, MFA provides a second layer of security to prevent bad actors from accessing networks, databases or hardware. It’s a standard at many companies protecting far less vital data.

Not having it, especially in health care, is a basic error, the equivalent of not having a deadbolt on the back door in a high-crime neighborhood. With ransomware attacks hard to trace and likely to continue, the nation’s lawmakers urgently need to put in place stronger information security requirements to prevent other hackers from bringing much of health care to a standstill, as the Change Health attack did.

The work to do that commendably got underway last week in Congress. Two hearings, one in the Senate and one in the House, put a timely and necessary spotlight on the ransomware attack. Andrew Witty, CEO of Minnesota-based UnitedHealth Group, testified solo throughout Wednesday.

As these events go, the hearings were unusually productive, with informed questions asked and political grandstanding at a minimum. Clarity came on some key issues, such as: How did this happen? The unsatisfying answer: UnitedHealth had completed its acquisition of Change Health in October 2022. With the company came outdated security systems, though it seems like United should have had time to ensure comprehensive MFA was in place.

Answers to other troubling questions, such as how many patients have had their health care data compromised, are alarmingly still unknown. UnitedHealth said “a substantial proportion” of Americans may have had their personal data compromised, the Star Tribune reported.

Answers are urgently needed from UnitedHealth, with lawmakers rightly pointing out that potentially compromised patient records may belong to those serving in the military. There are national security implications if their medical data are sold on the dark web, for example, and get into the wrong hands.

These concerns are legitimate. They not only underscore the need for stronger information security requirements, but should spur Congress to move swiftly on this important reform.

Clearly, the two hearings on Wednesday are just the start of the lawmakers’ work. The vulnerability exposed by an attack on just one company raises broader questions about health care consolidation and UnitedHealth’s size.

The company is the “nation’s largest private health insurer and largest employer of physicians” and is rapidly expanding into other areas, such as outpatient surgery centers and home health services, according to the Washington Post.

“For decades, UnitedHealth’s staggering growth attracted relatively little Washington scrutiny, particularly compared with drugmakers repeatedly summoned to Congress to testify on price increases. Federal antitrust officials also traditionally focused on blocking companies from gobbling up direct competitors, known as horizontal integration, while being more permissive of the strategy practiced by UnitedHealth, which involves buying a stake in different sectors of the same industry, known as vertical integration,” the Post reported recently.

For too long, rapid health care industry consolidation has been written off by many as just “the way it is.” It’s time to look more deeply into this.

Stronger security requirements should be a priority.

Consumers who are worried about their personal data after the cyberattack can learn more at changecybersupport.com or by calling 1-866-262-5342.
