Change Healthcare Cyberattack Result of “Egregious Negligence”
May 23, 2024
The Register has published an interview with a cybersecurity executive who calls the recent Change Healthcare cyberattack a case of “egregious negligence.”
Change Healthcare, a subsidiary of healthcare behemoth UnitedHealth, handles payment processing, claims, and many aspects of patient communications for its parent. The ransomware attack exfiltrated massive amounts of protected health information and brought prescription and billing services at hospitals and pharmacies across the system to a halt. UnitedHealth paid a $22 million ransom, and it is reported that there were additional demands.
In the Register interview, Tom Kellermann, senior vice president at cybersecurity company Contrast Security, says he was “blown away” by the essential facts of the case: that the healthcare company wasn’t using multi-factor authentication; that its networks weren’t segmented; and that the company hadn’t been diligent about monitoring for threats, even though it is common knowledge that the healthcare sector is being aggressively targeted by extortionists.
Kellermann maintains that paying the ransom was a big mistake, and he makes a case that paying ransoms should be banned outright. Once information is stolen, he notes, payment buys no guarantee: the data may still be leaked and become the basis for further extortion.
The article links to a ten-minute video of the interview that includes additional details about the recent hack, and some sharply worded cybersecurity recommendations for all companies in the healthcare sector.
“They take such good care of the hospitals, keeping them clean and preventing secondary infections and keeping them secure. They should be doing the same thing in the cyber context, and they’re not,” Kellermann says.
His recommendations include what for most companies would be a major change in governance structure. Not only should there be a chief security officer, but that officer should report directly to the CEO and oversee a budget that is separate from the organization’s technology budget.
With that structure, says Kellermann, the security officer is not beholden to the chief technology officer and is empowered to “actually spend money on things that will defend and preserve the safety and the digital cleanliness of these organizations.”