Can Congress Make Even a Dent in Healthcare Cybersecurity Attacks?

Healthcare cybersecurity finally to get attention after huge ransomware attack

Assuming the U.S. Congress is ever able to shake off political paralysis, count on lawmakers moving more aggressively against healthcare cybersecurity attacks in the coming months.

Details on the extent of damage from the February 21 ransomware attack on the country’s largest healthcare payment processor are just emerging this week, with the testimony of UnitedHealth Group, Inc., CEO Andrew Witty before the House Energy and Commerce Committee.

Health records of one-third of Americans exposed

The attack exposed the health records of as many as 1 in 3 Americans. In his testimony, Witty told the House committee that United decided to pay a hefty ransom to the hackers who broke into the health information systems managed by the company’s subsidiary Change Healthcare, a clearinghouse for insurance billing and payments.

To date, though, Witty testified that no evidence suggests hackers were able to access patients’ medical histories and personal data.

Change says it processes 15 billion healthcare transactions annually and is involved in one-third of all American patient records. The attack forced United to take most of its systems offline to prevent a spread, compromising everything from prescription filling to doctor paychecks to patient record sharing.

Change healthcare cybersecurity breach could cost $1.6 billion

The incident stands to cost United $1.6 billion this year, while 4 in 5 physician practices have lost revenue from unpaid claims as a result, an American Medical Association survey found.

CEO Witty attributed the breach to a vulnerability in remote-access software that allowed the notorious ALPHV/Blackcat hacker gang to steal as much as 6 terabytes of data from Change. A set of stolen credentials was to blame, he said, because they weren’t protected by multi-factor authentication.

United has not publicly disclosed how much ransom the hackers received to stop leaking the purloined data. However, a post on a Russian cybercriminal forum from a self-proclaimed member of ALPHV/Blackcat claims the group collected $22 million.

In an encouraging development, one well-credentialed security blogger says that infighting has subsequently caused the group to implode and cease operations. Meanwhile, a second hacker group, the RansomHub gang, says it was the true culprit but was swindled out of the ransom by ALPHV/Blackcat and is demanding its own payoff.

No matter, Witty said choosing to pay the bill was “one of the hardest decisions I’ve ever had to make.”

What can Congress do to slow healthcare cybersecurity attacks?

Notwithstanding their public handwringing in congressional hearings, lawmakers face the core question: What, if anything, can more laws do to slow a hacking upsurge?

Two-thirds (67%) of healthcare organizations reported ransomware attacks in 2023, up from 60% in 2022, according to cybersecurity company Sophos. In response to the ballooning rate, Congress and federal agencies have made a number of recent attempts to patch the leaky cybersecurity boat.

Last year the Federal Trade Commission proposed amendments to the Health Breach Notification Rule aimed at strengthening breach notification requirements. Additionally, a dozen or so states have enacted or enhanced statutes attempting to better guard personal privacy online.

Despite cybersecurity requirements, hackers hauled in $1.1 billion in 2023

A 2022 omnibus bill passed by Congress authorized the U.S. Food and Drug Administration to establish cybersecurity requirements for manufacturers of internet-connected medical devices. More broadly, this week President Biden signed a new national security memo aimed at boosting cybersecurity infrastructure through improved intelligence collection and sharing.

Yet ransomware hackers still hauled in a record $1.1 billion in 2023. Blocking them becomes more daunting on a planet of nearly 200 nations, where digital criminals can hide beyond the reach of U.S. law.

Meanwhile, United’s legal and political headaches are far from over. In addition to the cybersecurity breach, the company also faces legal issues over allegations of misuse of artificial intelligence technology to deny healthcare coverage and efforts by some congressional representatives to break up the company and its approximately 2,200 subsidiaries.
