Major Key Concerns Raised By Phenomenal Healthcare Breach


The February 2024 cybercriminal attack on Change Healthcare, the medical billing processor, did not flatten power grids or poison water supplies. But by forcing the $13 billion company offline, it severed one of the very few links that connect healthcare providers to insurance firms and triggered a cash crunch at hospitals, health clinics, and pharmacies across the US.

U.S. officials, lawmakers, and health executives are focused for now on making sure that healthcare providers are not forced to close, miss a payroll, or deny patients access to medical care. UnitedHealth Group, which owns Change, has said that the claims and payments services will not be completely restored until March 22.

Government officials say the hack highlights major vulnerabilities in the US healthcare system, raising critical questions about whether federal agencies and Congress need to do more to prevent another, potentially more serious, attack in the future.

A senior official from the Health and Human Services Department said that, if nothing else, the hack shows the need to look really closely at all of the points of vulnerability, including systemic ones, and to work really closely to secure them.

These are four big questions percolating through government agencies and Congress in the aftermath of the hack, which the American Hospital Association has called the most prominent cyberattack on the U.S. healthcare system in American history.

Is the government doing enough to protect critical companies such as Change?

Healthcare sector security experts and government officials say there are other lesser-known healthcare firms whose disruption would cascade throughout the sector, just as the outage at Change has.

But it is far from clear that anyone in Washington, D.C., knows who they are, let alone has a plan to safeguard them.

It is highly unlikely that Change is the only single point of failure within the healthcare sector, said Nathan Lesser, chief information security officer at Children’s National Hospital. He added that they need to know what the others are so that they can protect them.

In 2022, industry groups helped sink legislation that could have empowered the government to identify a shortlist of the firms most critical to the U.S. economy and force them to meet at least baseline digital security standards, like patching known software bugs in internet-connected devices and using two-factor authentication.

CISA later opted to draw up its own such list without Congress; however, it is unclear how deep the effort was.

Jen Easterly, the agency’s director, revealed at a public event on March 13, 2024, that CISA had not yet identified Change for the shortlist of key firms and strongly implied that it should have. The list includes UnitedHealth.

Easterly said the agency would double down and work to better highlight companies that are much more crucial than anticipated, using the new authorities CISA expects from an upcoming White House national security memorandum.

U.S. officials outside CISA also acknowledged that the government has more work to do in identifying firms like Change that broad swaths of the economy depend on.

One U.S. cybersecurity official said he doesn’t think people understood before this incident just how integrated Change was into all facets of the U.S. health care system.

The White House now believes that it affected the majority of the nation’s 6,000 hospitals and 80,000 pharmacies.

Should healthcare companies be pushed to up their cybersecurity ante?

For years, some of the same health trade groups that are now calling for federal financial support have helped scupper calls for stricter health sector cyber benchmarks.

According to Aaron Miri, chief digital and information officer at Baptist Health, a nonprofit Florida hospital system, the sector needs compulsory minimum standards.

Three government officials emphasized the measures agencies can take today, such as working with smaller hospitals to ensure they back up significant data or plan how they would recover from a hack. A senior CISA official put it as a question: how does one make sure they know that they are not alone in this fight?

However, the appetite for more aggressive action seems to be growing. President Joe Biden’s newly released budget blueprint for fiscal year 2025 pitched a plan for HHS to fine hospitals that fail to maintain basic cybersecurity standards by 2029. This is a rule that could be written to incentivize those practices if hospitals are slow to follow through.

According to an HHS official, the aftermath of this hack raises certain longer-term questions: is the sector really being held to a high enough cyber benchmark, and is there accountability in the ways one wants to drive accountability?

A growing group of lawmakers on Capitol Hill seems to be asking just that.

According to Rep. Eric Swalwell from California, the Change and UnitedHealth hack is an updated reminder that the approach to securing crucial infrastructure has to evolve.

Others, such as Senators Mark Warner and Ron Wyden, are already there.

According to Wyden, private-sector opposition to making effective cybersecurity rules is the first reason critical infrastructure, especially the health care sector, is so woefully unprepared for such unsophisticated cyberattacks.

Warner added that what keeps him up at night is the possibility of a similar widespread attack that directly affects patient care and safety.