The $22 Million Question: UHG CEO Reveals Hard Truths in His Testimony

In a recent whirlwind of events, UnitedHealth Group CEO Andrew Witty testified before both the Senate and House Committees, addressing the colossal ransomware attack on Change Healthcare. It has been said to be the largest breach in healthcare!

Witty described the decision to pay the $22 million ransom as "the hardest decision" he's ever made. I would say it wasn't much of a choice. If you can't fail over your systems or retrieve the stolen patient data, then there is only one decision.

"The threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal that was not protected with multi-factor authentication (MFA)." - Witty

The breach started with hackers stealing an individual's username and password. The hackers then used that password to log into an internet-facing Citrix server that lacked multi-factor authentication (MFA). Any server that provides access to your internal company systems, especially one exposed to the internet, should always have MFA enabled (a non-negotiable). This is like walking into a highly secured bank with a key card and no ID. Mistakes like this start to paint the picture of how seriously they take cybersecurity.

"Change Healthcare was in the process of updating Change Healthcare's IT systems when the attack occurred," Witty said during the hearing Wednesday.

The UHG CEO also said they were in the process of updating the infrastructure when the breach occurred. What a coincidence. Given the scale of the catastrophe, I'm going to assume they were in the early stages of those updates (i.e., the idea was being thrown around at a bar). On a better note, UHG has committed to addressing the breach's immediate impact and to providing financial support, such as interest-free loans and pledges to cover operational shortfalls. Even so, many clinics have suffered financially.

Witty's acknowledgment of these issues and his commitment to better cybersecurity measures, including moving Change Healthcare's IT systems to the cloud, is 'in his mind' a step in the right direction. I don't know what the cloud has to do with any of this or how it would reduce the chances of this happening again. The compromised server was 'in the cloud.' This statement makes UHG seem like they may be lacking IT expertise. Perhaps the CISO should've testified. Perhaps this is why CISOs should be on boards. This is one of the many cases that proves the knowledge gap between cybersecurity teams and senior executives.

This incident does not call for setting minimum cybersecurity standards across the healthcare sector. This calls for enforcing stricter HIPAA laws. The importance of a cybersecurity strategy cannot be overstated. To all the digital health leaders reading this, we need to ensure that compliance is not just a checkbox but a part of the business strategy!

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com