
New HHS initiative to help with healthcare cybersecurity
When the recent cyberattack against Change Healthcare, a subsidiary of UnitedHealth, was discovered a few months ago, it set in motion a number of responses.
Most recently, Senator Gary Peters (D-Mich.), who chairs the Senate’s Homeland Security and Governmental Affairs Committee, sent a letter to the Department of Health and Human Services (HHS) asking what steps it was taking to ensure this kind of catastrophe never happens again.
Creating a one-stop shop
In response to the letter, the HHS Administration for Strategic Preparedness and Response (ASPR) announced an initiative to better organize its many far-flung cybersecurity programs and resources to make them easier for healthcare organizations to find and implement. The goal is to create a unified portal or one-stop shop.
In addition, the ASPR said it will work to create and promulgate new cybersecurity strategies, best practices, and resources specifically for the healthcare sector.
While this is obviously welcome news, and while it will likely make it easier for healthcare organizations to get the information and guidance they need to modernize cybersecurity, the question of whether they will actually make use of this new resource center remains unanswered.
First, the bad news
On May 1, UnitedHealth CEO Andrew Witty was testifying before the Senate Finance Committee about the devastating cyberattack against UnitedHealth’s Change Healthcare.
During the hearing, Witty testified that the specific server that the BlackCat ransomware group had used to penetrate the network was lacking multifactor authentication (MFA). He said that his team is still working to figure out why this very basic security measure was missing.
So, let’s just think about what this means. Anyone paying attention to cybersecurity knows that the explosion of increasingly sophisticated phishing attacks in recent years means that you should assume that simple credentials — usernames and passwords — have been stolen, bundled, and sold on the dark web. So, anything protected with just basic credentials should be considered extremely vulnerable.
MFA is the very least one should do to control access effectively. And especially for a company holding such vast stores of PPI as Change Healthcare, not even MFA is good enough today. They should really have been among the very first to transition to Zero Trust access controls and a complete Zero Trust architecture.
What accounts for such a massive failure of basic security? At the very least, a certain level of carelessness, a failure to prioritize security, must be partly to blame. And indeed, the healthcare industry as a whole has been slower than others to adopt modern security measures — something that cybercrooks know well and take full advantage of.
So, I have to ask: How much can a healthcare cybersecurity resources one-stop shop hosted by HHS really improve things? What matters most is that healthcare organizations feel motivated to seek out those resources and put them to use, i.e., to invest money in modernizing security and implementing best practices.
A little good news
As we discussed in this recent blog post, the Identity Theft Resource Center’s 2024 Q1 Breach Report contained a potentially hopeful finding regarding cybersecurity and the healthcare industry.
“For the first time in years, the healthcare industry did not record the highest number of compromises, yielding the top spot to financial services. Both industries saw significant increases over Q1 2023. But healthcare’s jump from 81 to 124 compromises is much less than the overall increase of nearly 90%. Whereas financial services compromises soared from 70 to 224, a massive increase.”
So maybe, after years of being hammered with cyberattacks, having clinics and whole hospitals shut down by ransomware, and being reminded again and again that they were the No. 1 target for cybercrime gangs, the healthcare industry is at long last getting serious about addressing the problem.
At least, we should all hope so.