Four big questions for DC following massive health care hack

The crippling hack U.S. officials long feared looked nothing like they expected.

The Feb. 21 cybercriminal attack on medical billing processor Change Healthcare didn’t flatten power grids or poison water supplies. But by forcing the $13 billion company offline, it severed one of the few links connecting health care providers to insurance firms — and triggered a cash crunch at hospitals, health clinics and pharmacies nationwide.

U.S. officials, lawmakers and health executives are focused right now on ensuring that health care providers are not forced to close, miss payroll or deny patients access to medical care. UnitedHealth Group, which owns Change, has said its key claims and payments services won’t be fully restored until March 22.

Longer term, eight officials with the government or U.S. hospitals interviewed by POLITICO say the hack underscores major vulnerabilities in the country’s health care system — raising critical questions about whether federal agencies and Congress need to do more to prevent another, potentially more serious, attack in the future.

"If nothing else, it makes us say we really, really have to look at all of our points of vulnerability, systemic points of vulnerability, and really work to secure them," said a senior official at the Health and Human Services Department. The individual, like other current officials in this story, was granted anonymity due to the ongoing nature of the incident.

Here are four big questions percolating through government agencies and Congress in the aftermath of a hack that the American Hospital Association has christened “the most significant cyberattack on the U.S. health care system in American history.”

Is the government doing enough to protect critical companies like Change? 

Health care sector security experts and government officials say there are other little-known health care firms whose disruption would cascade through the sector like the outage at Change has.

But it’s far from clear that anyone in D.C. knows who they all are — let alone has a plan to protect them.

“It is highly unlikely that Change is the only single point of failure in the health care sector,” said Nathan Lesser, the chief information security officer at Children’s National Hospital in D.C. “We need to know what the others are so we can protect them.”

In 2022, industry groups helped sink legislation that would have empowered the government to identify a shortlist of the most critical firms to the U.S. economy and force them to meet baseline digital security standards, such as patching known software bugs in internet-connected devices and using two-factor authentication.

CISA later opted to build its own such list without Congress, though it’s unclear how thorough the effort was.

The agency’s director, Jen Easterly, revealed at a public event Wednesday that CISA had not previously identified Change for its shortlist of key firms — and strongly implied that it should have. The list did include UnitedHealth.

Easterly said the agency would “double down” and work to “better highlight those companies that are much more critical than we actually were expecting” using new authorities CISA expects from a forthcoming White House national security memorandum.

U.S. officials outside CISA also acknowledged that the government has more work to do to identify firms, like Change, that broad swaths of the economy depend on.

“I don't think people understood prior to this incident just how integrated Change was into all facets of the U.S. health care system,” one senior U.S. cybersecurity official said. The White House now believes it affected “the vast majority” of the nation’s 6,000 hospitals and 80,000 pharmacies, they added.

Should health care companies be forced to up their cybersecurity?

For years, some of the same health trade groups now calling for federal financial support have helped scupper calls for stricter health sector cyber standards.

But the incident at Change could give a major boost to acolytes of — well — change.

“We need mandatory minimum standards for the sector, like come on,” said Aaron Miri, the chief digital and information officer of Baptist Health, a nonprofit Florida hospital system.

Three government officials interviewed for this story emphasized steps agencies can take today, like working with smaller hospitals to ensure they back up important data or gameplan how they would respond to a hack.

“How do we make sure that they know they're not alone in this fight?” a senior CISA official said.

But the appetite for more aggressive action is growing. President Joe Biden’s newly released budget blueprint for fiscal year 2025 pitched a plan for HHS to fine hospitals that fail to maintain minimum cybersecurity standards by 2029 — a rule that could be written to incentivize those practices if hospitals are slow to follow through.

“We have to ask” longer-term questions in the aftermath of this hack, the HHS official said, in an interview before the budget went public. “Are we really holding the sector to a high enough cyber standard? Are we driving accountability in the ways that we want to drive accountability?”

A growing cohort of lawmakers on Capitol Hill appear to be asking just that.

“The Change/UnitedHealth hack is the latest reminder that our approach to securing critical infrastructure needs to evolve,” Rep. Eric Swalwell of California, the top Democrat on the Homeland Security Committee’s cyber subcommittee, said in a statement conveying his willingness to consider new regulation.

Others, including Sens. Mark Warner (D-Va.) and Ron Wyden (D-Ore.), are already there.

"Private-sector opposition to effective cybersecurity rules is the number one reason our critical infrastructure, particularly the health care sector, is so woefully unprepared for even unsophisticated cyberattacks," Wyden argued in a statement to POLITICO.

“What keeps me up at night is the possibility of a similar widespread attack directly affecting patient care and safety,” Warner said in a statement last week.

Is UnitedHealth too big to protect?

The domino-style fallout of the hack is also sparking fresh questions about whether corporate consolidation amplifies the chances that a single breach ripples across the country.

"As these companies have become so large, it is creating a systemic cybersecurity risk," Wyden said Thursday in a hearing of the Senate Finance Committee.

“We're just seeing up close and personal the impact on the nation's health care system, and it does relate to the dominance of UnitedHealth,” said Mary Mayhew, the president and CEO of the Florida Hospital Association.

Change, which has said it handles patient data for a third of Americans, already may have been too big to fail before its 2022 sale to the U.S. insurance giant — an acquisition that is already the subject of an antitrust investigation by the Department of Justice.

But UnitedHealth has repeatedly sought to assure customers that the breach affected only Change’s network. And health sector security experts argue that keeping the breach contained would have been far harder if the companies’ technology systems were more integrated than they are today, just 16 months into the acquisition.

“We absolutely dodged a bullet there,” said Lesser, the CISO at Children’s National Hospital in D.C.

Another reason for the concerns around consolidation is that many U.S. health care providers opted to disconnect their networks from all UnitedHealth systems — not just Change — when the payments subsidiary first reported its breach in February.

That decision was costly, if understandable, the senior U.S. cybersecurity official said. “We kind of exacerbated some of the impacts there out of a lack of knowledge.”

Joshua Corman, a former CISA employee who specialized in health care and systemic risk at the agency, said the enormous fallout from the hack underscores why big isn’t always better in cybersecurity.

"Market consolidation drives risk concentration and is anti-resilient past a certain point," he said.

Asked about those concerns, Tyler Mason, a spokesperson for UnitedHealth, pointed to a recent statement from the company’s CEO, Andrew Witty, that only obliquely addresses the issue.

“All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and working tirelessly to ensure providers can care for their patients and run their practices, and patients can get their medication,” Witty said Thursday.

Is it time to ban ransom payments? 

ALPHV, the prolific cybercriminal gang that hacked Change, says it stole an enormous trove of sensitive health data from the company.

Asked about rumors UnitedHealth made a $22 million payment to keep the gang from releasing that information, Mason, the UnitedHealth spokesperson, said the insurance giant is focused on investigating and remediating the hack.

But the attack is helping revive another controversial idea that the White House has contemplated for years: banning extortion payments to cybercriminals.

Late last winter, National Security Council staff held a series of one-on-one conversations with external cybersecurity experts to ask about the viability of tapping an anti-money laundering provision tied to Russia from the fiscal year 2021 defense law — Section 9714 — to enact a partial ransom payment ban, according to four people who participated in those discussions.

Those individuals, all granted anonymity due to the sensitivity of the discussions, said the Biden administration appeared to back off the idea — which would have included a waiver exemption process for victims in key sectors, like health care — due to concern it would drive payments underground or prevent U.S. companies from recovering critical data.

But a person close to Anne Neuberger, the National Security Council’s top cyber official, said Neuberger is “still pushing hard for a ransom ban behind closed doors.”

Asked for comment about the status of that policy today, Neuberger sidestepped and said the administration “strongly discourages” companies from paying ransoms.

“Ransomware is driven by criminals who are trying to make money, and each payment only encourages the next attack,” she said in a statement.

Mayhew, the Florida Hospital Association executive, said the hack at Change underscores how vulnerable all U.S. companies — not just health care firms — are to such attacks today.

"Right now, we are all at the mercy of these sophisticated cybercriminals,” she said.