United Healthcare Hacked -- damage severe. Months to repair

https://www.reuters.com/technology/cybersecurity/unitedhealth-hack-could-take-months-full-recovery-2024-03-08/

May have paid $22MM ransom.

CEOs set priorities and allocate resources. This is a management failure.

Who provides cyber security to United Health Care?

In my experience United Healthcare is mediocre when it comes to computers. Definitely not industry leaders. Inadequate cyber security comes as no surprise.

I’d suggest we write United Healthcare board members. CEO at minimum should have his bonus cut or eliminated. Frankly I think he should be fired.

2 Likes

Maybe. I don’t know enough about it. Perhaps UHC devoted more resources than any other company to cyber security but got licked anyway. In that case I’d say the CTO should go before the CEO. It will likely take some time to sort out but I’d at least want to ai the blunderbuss at the right target.

1 Like

It’s a generally accepted principle in Corporate America that, depending on where the “security” function exists within the company, the CTO or the CSO gets fired after the dust settles from any significant data breach. I’ve sat in interviews with candidates where it’s literally the first thing mentioned. You understand, in your role, if we get hacked, you get canned, right?

WTH

4 Likes

They should have bought Crwd for their security needs. Knowing UNH and how long they have been in the market I assume they probably had PANW.

Andy

2 Likes

“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network[s], on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers,” the spokesperson said.

Andy

2 Likes

That’s actually a reasonable job goal. Security would seem to be the most important aspect of IT these days, particularly for a public facing, high money, almost all electronic payment business.

Sure there are other goals, like keeping things running, being up to date on useful softwares, etc. but when a single point of failure can bring your entire enterprise to a halt, I’d say “We get hacked, you’re fired” is a pretty clear definition of priorities.

Maybe for the CEO too, but I would hardly expect him/her to know the nuts and bolts of that part of the operation. He should be evaluating his/her subordinates, obviously, but an IT breech happens in a flash, often without warning of any kind.

Exactly. We have been through the days (I hope) when CEO were totally afraid of technology. They typed their emails in all caps or dictated to their secretary who sent their email. They didn’t know beans about technology.

Those born after 1980 or so grow up with computers and learn them almost like most of us learned to ride a bike. Those people should be midcareer and headed for the c-suite.

Yes, they need to encourage their tech people to keep up with cyber security. Failure can be a disaster. It cannot be ignored any more. Everyone should be aware at all levels but especially the IT folks.

I am coming to the conclusion that any system can be hacked and so institutions have to assume that they will be. It is just a matter of time. The solution is to go old school with a paper back up. When the worse case happens and everything online is lost, the critical data still exists in real life file cabinets.

Yeah, I know there is an expense, but it’s got to be cheaper than constantly trying to stay ahead of the hackers and still eventually having to pay the ransom. Plus there is the deterrent effect. If hackers know a company has all its critical records on hard copy, they probably won’t bother to try to hack it for ransom.

And think of all the white collar jobs created by bringing back file cabinets and Xeroxing.

These companies are going up against state-supported agents with the best equipment working full time to break into their systems. Failure is almost an inevitability. Part of the business plan has to be the ability to come back quickly from a complete loss of online data.

Maybe the best is a really good backup system.

In the good old days, wasn’t it Iron Mountain that came around to pick up your backup magnetic tape and carry it off site for safe storage.

Cloud should make that much easier provided it is well protected from hackers. Off site storage has to be close to ideal.

Or are there better ways these days?

1 Like

United Health Care is not alone.

https://www.cnn.com/2024/03/08/tech/microsoft-russia-hack/index.html

I’m not convinced there is a fool-proof electronic backup system. Can ransomware infect your backup? - Cyber Resilience Blog

But I am pretty sure that ransomware cannot infect a file cabinet.

2 Likes

The problem is that the vast majority of doctors cannot operate their practice today without the computerization in place. They cannot trigger referrals, they cannot bring up test results, they cannot send prescriptions through to pharmacies and they probably can’t even schedule your next appointment.

Think about the last time you went to a doctor’s office. When the nurse walked you to the exam room, while you were sitting down, the nurse was IMMEDIATELY logging in to a terminal, bringing up your records, confirming the reason for your visit and reviewing a list of tasks the system requires to be performed at that step. After taking your vitals, those are immediately typed in then the nurse might begin re-asking all the questions that were asked when you scheduled the appointment, typing the entire time as you are talking. Finally, the nurse logs out, gets up, tells you the doctor will be in in a few minutes, then leaves.

When the doctor finally comes in, same thing. Barely before completing any chit chat, they sit at the same terminal, log in, bring up your records and scroll through screens and click buttons to confirm the reason for your visit and what tasks will be performed first. If your doctor is above average on beside manner, they might manage to make eye contact with you as they continue typing in to satisfy the system’s inputs.

Unless you pay $10,000 cash to a doctor for “concierge” service, most doctors in most practices are burdened with “care delivery” software that collects data on EVERYTHING the doctor does and requires ANY information you provide to be entered via very particular codes in order for the software to optimize costs and control what the doctor does. If the doctor knows the patient well and knows what is required, they still have to “pencil whip” the computer entries. And they can’t just work with the patient and pencil whip them up front or at the end of the visit because the system has benchmarks for how much time each tasks should require and the sequence in which they should be performed. Input that fails to follow expected paths at suspected intervals is flagged and can affect reimbursement to the doctor.

At this point, it’s possible the only job micromanaged MORE from a data mining, “productivity optimization” perspective than a call center agent is that of a practicing physician. Ask your doctor what they think about the system they are forced to use on your next visit. Chances are they DESPISE it.

And if they ever change affiliations with local hospital / healthcare chains, they will likely have to migrate to a new system and learn its quirks and faults from scratch. Or their current employer may forklift one bad system for another.
Which means your patient data is getting propagated and re-schema’ed into new databases any time that happens. Which means there is HIPPA data being moved by the gigabyte every day, increasing the probablity a database dump might be left on a server somewhere that is NOT protected like a production server, making it child’s play for hackers to capture confidential data even without actually cracking the production system.

WTH

6 Likes

I am not suggesting that paper copies replace electronic data. I’m suggesting paper backups of the most essential data. This way when the day eventually comes when a hacker threatens to erase the hard drives, the company has a fall back.

Keeping bad actors from stealing data is a separate issue. The OP was about paying a ransom to get back access to data essential for the business. If one has that data backed up in a real file cabinet, one doesn’t need to do that.

A business like VISA or Mastercard or Vanguard - or a hospital system consisting of many inter-related practices* - or even a business like Starbucks can make hundreds of millions , perhaps billions of transactions in a single day: not just the customer-facing ones that are obvious, but also the pay sheets or part-timers, inventory management**, vendor supplies, etc. There is simply no way to do that “on paper”.

(*I go to Univ. Tennessee Hospital & affiliates. They have doctors practices, physical therapy practices, urgent care, urology, women’s health, and other disparate locations all within 10 miles of my house, not to mention the largest hospital in the area. They trade patient information, X-rays and other films, histories, etc. daily.
** My Home Depot web site tells me to the minute what inventory is available at my local store, or any of the other 5 stores within driving distance. Think about trying to back that up “with paper.” )

As opposed to the disaster story told in the “backup - infected” link above, I would think that “air gapped” and “check backup before reinstalling” would be pretty good places to start, and keeping multiple and deep copies of “history” would go a long way towards eliminating this threat. (Obviously I am a neophyte in this area, but it beggars belief that there’s no way to get past these bad actors, else the world will come to a complete stop.)

6 Likes

Have you considered how long it would take to rebuild the system from paper? Not to mention how much storage space would be required for all that paper?

1 Like

I have to assume there was no secured server backup. That is the central problem.

The information could have been backed off on servers not connected to the internet much of the time. Or at least much better secured.

2 Likes

I’m sure we can all come up with examples where it is not practical. But I’m also sure there are many situations where it would work. Schools existed long before the computer age and were pretty successful. Going electronic allow students to get their transcripts faster, but I wonder if it is worth the loss in security.

Institutions have an ethical obligation to keep the confidential information of their users secure. The statistics indicate that a large number cannot provide that security if that information is stored electronically. Therefore, confidential information should not be stored electronically.

The biggest corporations and research universities might have the resources to stay ahead of the hackers but most mid-level colleges, companies, hospitals, and health clinics probably do not. It appears from where I am sitting that most institutions cannot guarantee the security of their data bases.

Hospitals are getting hit with ransomware attacks everyday. That’s just a fact. The price of the added efficiency with electronic data are hacks and ransomware attacks and the resultant loss of confidentiality. Cyberattacks on hospitals are likely to increase, putting lives at risk, experts warn | AP News

It is becoming increasingly clear that hospitals cannot guarantee the security of their data bases. This means that if hospitals are going to store confidential information electronically, their patients should assume there is a good chance that information will not stay confidential. And if hospitals are going to store all their records electronically, then they should expect to periodically have to start from scratch.

What are the alternatives? Periodically pay ransoms? Try to stay ahead of hackers who are probably better financed than your company?

Better security. There are a number of products in the market these days. Yes, some of them have been hacked, but rarely and the vast bulk of the victims have poor security to start with. They are obviously much easier to penetrate.

Medicare announces emergency funds for doctors affected by Change Healthcare hack

I went to the Safeway pharmacy on Thursday to get my 10-year pneumococcal vaccine and they said they couldn’t process any Medicare Part B vaccines and to maybe come back on Monday.

intercst

1 Like

The problem is that it appears the weakest link in the cybersecurity of institutions are humans.

Institutions can educate their employees as much as they can, but humans are always going to make mistakes. And in health care and universities there are a lot of employees and students on the computer network, many of whom are not all that computer savvy. The chances are pretty high that any institution of size is going to get hacked.

In 2020, one survey had 1 in 3 health organizations globally getting hit by ransomware, and I don’t think that number is declining.

With that in mind the Cybersecurity and Infrastructure Security Agency (CISA) “advised a 3-2-1 backup approach. That’s saving three copies of all critical data in at least two different formats and storing one copy offline, out of reach of malicious code.https://www.aamc.org/news/growing-threat-ransomware-attacks-hospitals

Of course, the ultimate offline copy that is absolutely out of reach of malicious code are those in file cabinets.

1 Like