A ransomware attack on a technology provider owned by UnitedHealth Group is fast becoming the healthcare industry's version of Colonial Pipeline, prompting Congressional testimony, scrutiny by lawmakers and possible legislation.
Nearly two months after the incident first came to light, health care providers are still sifting through a backlog of claims and trying to reconcile billions of dollars' worth of payments and bills. Clinics and hospitals affected by the incident harshly criticized UnitedHealth Group's response and urged further action from Congress.
This week alone, two Congressional hearings on the attack were held, one in the Senate and one in the House of Representatives. Several senators have also called for an investigation into how the government responded to the incident, while industry groups are working to head off the possibility of cybersecurity legislation for the medical field.
Compromised credentials
UnitedHealth Group CEO Andrew Witty released a 10-page written statement ahead of Wednesday's Congressional testimony, saying that criminals used compromised credentials on Feb. 12 to access a Change Healthcare Citrix portal, an application used to enable remote access to desktops.
“The portal did not have multi-factor authentication. Once the attackers gained access, they used more sophisticated methods to move laterally within the system and steal data. The ransomware was deployed nine days later,” Witty said, adding further detail on the decision to pay the $22 million ransom.
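The attack chain Witty describes, compromised credentials used against a remote-access portal that lacked multi-factor authentication, is the kind of event that routine authentication-log review can surface. As an added example, not code from the article or from UnitedHealth or Change Healthcare, the Python below runs two defender-side checks over constructed portal authentication log lines: successful logins that completed without MFA, and successful logins from a source address the account has not used before. The log format, field names, application name, user names and IP addresses are all assumptions made for this example.

```python
"""Flag risky remote-access portal logins in a constructed auth log.

Added example; the log format, field names and sample values are
assumptions and not taken from any real product or from the incident
described in the article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines. "remote-portal" stands in for any
# remote-access gateway; users and addresses are documentation/test values.
SAMPLE_LOG = """\
2024-02-10T09:14:02Z app=remote-portal user=jdoe src=203.0.113.7 mfa=true result=success
2024-02-11T17:40:19Z app=remote-portal user=svc-backup src=198.51.100.20 mfa=false result=failure
2024-02-12T03:22:45Z app=remote-portal user=svc-backup src=198.51.100.20 mfa=false result=success
2024-02-12T03:25:10Z app=remote-portal user=jdoe src=203.0.113.7 mfa=true result=success
2024-02-13T08:01:33Z app=remote-portal user=jdoe src=192.0.2.55 mfa=true result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["mfa"] = rec.get("mfa") == "true"
    return rec


def parse_log(text):
    """Parse all non-empty lines of a log blob."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_findings(records, app="remote-portal", known_sources=None):
    """Return (timestamp, user, reason) tuples for risky successful logins.

    known_sources: optional {user: {src, ...}} baseline of addresses the
    account has legitimately used before. Without a baseline for a user,
    that user's first login only seeds the baseline and is not alerted on.
    """
    seen = defaultdict(set)
    for user, srcs in (known_sources or {}).items():
        seen[user].update(srcs)

    findings = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("app") != app or r.get("result") != "success":
            continue  # failures are noise here; only successes matter
        if not r["mfa"]:
            findings.append((r["ts"], r["user"], "success without MFA"))
        if r["src"] not in seen[r["user"]]:
            if seen[r["user"]]:  # alert only when a baseline exists
                findings.append((r["ts"], r["user"], f"new source {r['src']}"))
            seen[r["user"]].add(r["src"])
    return findings


def accounts_without_mfa(records, app="remote-portal"):
    """Posture check: accounts that completed at least one login without MFA."""
    return {
        r["user"] for r in records
        if r.get("app") == app and r.get("result") == "success" and not r["mfa"]
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Constructed baseline: the service account normally logs in from 10.0.0.5.
    for ts, user, reason in find_findings(recs, known_sources={"svc-backup": {"10.0.0.5"}}):
        print(f"{ts.isoformat()} {user}: {reason}")
    print("accounts with non-MFA logins:", sorted(accounts_without_mfa(recs)))
```

The new-source check deliberately stays quiet on an account's very first login when no baseline is supplied, so that backfilling a fresh log does not flood the queue; in practice the baseline would come from a longer history than the handful of constructed lines here.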
“As CEO, I made the decision whether to pay the ransom or not. This was one of the most difficult decisions I have ever had to make. I don’t want that.”
Witty also gave more detail about the response, saying that on the afternoon of Feb. 21 experts from Google, Microsoft, Cisco, Amazon, Mandiant, Palo Alto Networks and others had been called in to assist at the Nashville-based company's operations center.
Witty said thousands of laptops were replaced, credentials changed and Change Healthcare's data center network and core services were rebuilt.
Witty acknowledged that some systems, including medical billing and payment systems, are still being restored.
Mr. Witty is scheduled to testify before the House Energy and Commerce Committee on Wednesday after the company faced backlash from lawmakers last week for not making anyone available for a hearing.
Senators question CISA's response
Mr. Witty's testimony came as other parts of Congress investigated the incident. Sen. Elizabeth Warren (D-MA), Sen. Bill Cassidy (R-LA) and Sen. Richard Blumenthal (D-CT) wrote to the Cybersecurity and Infrastructure Security Agency (CISA) on Monday, requesting information on how the agency responded to the Change Healthcare incident.
The senators said the incident “forced doctors into bankruptcy, disrupted critical medical services such as pain management for cancer patients, compromised sensitive patient data, and caused massive disruption to the nation's health care system.”
They are seeking a “full accounting” of the incident and want to know how CISA responded to the Change Healthcare breach and the broader ransomware ecosystem. The letter includes questions about whether CISA has a contingency plan for similar incidents and how CISA would respond to ransomware incidents.
The letter asks the agency to respond by May 13. Warren, Cassidy and Blumenthal join a growing list of lawmakers concerned about ransomware attacks on the healthcare industry.
Momentum is building for cybersecurity legislation to govern the healthcare industry, as the impact on healthcare organizations is widely felt. The issue remains contentious, with stakeholders often trading blame.
In his testimony, Witty said he supports “mandatory minimum security standards developed jointly by government and the private sector for the healthcare industry.” But he said that would have to include funding and training for local hospitals, as well as strengthening the national cybersecurity infrastructure, “including enhanced notification to law enforcement and standardized and nationalized reporting of cybersecurity events.” He added that further progress is needed.
The American Hospital Association (AHA), which represents thousands of hospitals and millions of doctors and nurses, issued multiple statements pledging to fight any attempts to impose mandatory standards on hospitals.
In a letter last week and another released Monday, the AHA argued that such regulation would effectively punish the victims of flawed technology, “unfairly punishing hospitals,” and would not improve cybersecurity across the health care sector.
“To make meaningful progress in the fight against cybercrime, Congress and the administration must focus on the entire healthcare sector, not just hospitals,” the AHA said, taking aim at technology providers like Change Healthcare.
“Instead, Congress and other policymakers should focus on ensuring that all health care providers adopt good cyber hygiene practices, with particular attention to third-party technology, and on empowering institutions to protect hospitals and health systems, and the patients they care for, by deploying a strong and persistent offensive cyber strategy to counter this ongoing and unresolved national security threat.”