The Feb. 21 cyberattack on Change Healthcare is raising questions about how prepared healthcare is when it comes to cybersecurity, Politico reported March 18.
The news outlet spoke to eight U.S. hospital and government officials about the attack, and leaders stated that it has raised critical questions about what role federal agencies and Congress should play in order to prevent another attack like this in the future.
"If nothing else, it makes us say we really, really have to look at all of our points of vulnerability, systemic points of vulnerability, and really work to secure them," a senior official of the HHS, who had to remain anonymous because the incident is ongoing, told Politico.
The attack has raised four questions for government agencies and Congress. The first is: Is the government doing enough to protect organizations like Change?
Many of the leaders interviewed said that there are little-known healthcare firms that would have an impact like that of Change, but that the federal government may not have enough information to identify which organizations could have this kind of impact if they are targeted. Additionally, leaders said the government doesn't have a plan to protect companies like Change.
"It is highly unlikely that Change is the only single point of failure in the health care sector," Nathan Lesser, chief information security officer at Washington, D.C.-based Children's National Hospital, told the news outlet. "We need to know what the others are so we can protect them."
Another question the Change hack brings up is: Should healthcare organizations be forced to increase their cybersecurity?
President Joe Biden recently proposed a plan for HHS whereby hospitals would face penalties for neglecting to maintain basic cybersecurity requirements by 2029.
"We need mandatory minimum standards for the sector, like come on," Aaron Miri, chief digital and information officer of Jacksonville, Fla.-based Baptist Health, told Politico.
The third question the hack brings up: Is UnitedHealth, Change's parent company, too big to protect?
According to the story, Change handles patient data for a third of Americans.
"As these companies have become so large, it is creating a systemic cybersecurity risk," Oregon's Democratic Sen. Ron Wyden said in a hearing for the Senate Finance Committee.
The fourth question Congress is grappling with is: Should ransom payment be banned?
Ransomware gang ALPHV is claiming responsibility for the Change hack, and rumors have spread that a $22 million ransom payment was made to the hackers, but that has not been confirmed by UnitedHealth.
This comes as the White House has been contemplating whether to ban ransom payments.