Change Healthcare hack highlights medical industry’s lack of cybersecurity
But with private sector lobbyists opposing new security requirements, Congress and the regulatory wheels have ground slowly, mainly promoting best practices that hospitals can — and do — choose to ignore.
So can relatively unknown electronic clearinghouses like UnitedHealth Group’s Change Healthcare, which was the object of an attack launched last month by a hacker affiliated with ransomware gang ALPHV. The attack severed a key link between medical providers and their patients’ insurance companies in the worst health-care hack ever reported. Change Healthcare said Monday that it had provided advances of $2 billion to pharmacies, hospitals and other providers who were unable to get insurance reimbursements during the failure of its network.
Critics say the Change Healthcare fiasco, which has hurt patient care at almost three-fourths of U.S. hospitals, shows that defensive efforts are horribly inadequate. They say a complete response would include strict security requirements for the most critical pieces of the sprawling system, followed by less stringent but still sufficient rules for big hospital systems. The smallest providers, which may not have any security staff, should get help, as called for in the administration’s proposed budget.
“We need to make sure we know where these vulnerable points are,” Nitin Natarajan, deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, acknowledged in an interview. “We’re looking at what levers exist.”
Some members of Congress say that should have happened already.
“The government needs to prevent this kind of devastating hack from…