The ransomware attack on a UnitedHealth Group-owned tech provider is quickly becoming the healthcare industry’s version of Colonial Pipeline, prompting congressional testimony, lawmaker scrutiny and potential legislation. 

Nearly two months since the incident first came to light, healthcare providers are still combing through a backlog of claims and attempting to reconcile billions of dollars’ worth of payments and bills. Doctors’ offices and hospitals affected by the incident levied harsh criticism at UnitedHealth Group’s response — prompting further action from Congress.

This week alone, there are two congressional hearings on the attack — one in the Senate, followed by one in the House — as well as calls from multiple senators for investigations into how the government responded to the incident and efforts by industry groups to stop potential cybersecurity legislation for the healthcare sector. 

Compromised credentials

Ahead of his congressional testimony on Wednesday, UnitedHealth Group CEO Andrew Witty released a 10-page written statement explaining that on February 12, criminals used compromised credentials to breach a Citrix portal, an application used by Change Healthcare to enable remote access to desktops.

“The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” Witty said, adding more about the decision to pay a $22 million ransom:

“As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

Witty also provided more details on the response, noting that on the afternoon of February 21, experts from Google, Microsoft, Cisco, Amazon, Mandiant, Palo Alto Networks and others were called in to the company’s Nashville-based operations center for assistance. 

Thousands of laptops were replaced, credentials were changed and Change Healthcare’s data center network and core services were rebuilt, according to Witty. 

Witty acknowledged that some systems — including those for medical claims and payments — are still being restored.

Witty will testify Wednesday in front of the House Energy and Commerce Committee after the company faced backlash from lawmakers for failing to make anyone available for a hearing last week.

Senators question CISA response

Witty’s testimony comes as other arms of Congress dig into the incident. Senators Elizabeth Warren (D-MA), Bill Cassidy (R-LA), and Richard Blumenthal (D-CT) wrote to the Cybersecurity and Infrastructure Security Agency (CISA) on Monday demanding information about how the agency responded to the Change Healthcare takedown. 

The senators said the incident is “driving physicians to bankruptcy, interrupting essential care services like pain management for cancer patients, and leaking sensitive patient data — causing massive disruptions to the nation’s health care system.”

They called for a “full accounting” of the incident and want to know how CISA dealt with the Change Healthcare breach as well as the wider ransomware ecosystem. The letter includes questions about whether CISA has contingency plans for similar incidents and how the agency handles ransomware incidents more generally, among other matters.

The letter demands answers from the agency by May 13. Warren, Cassidy and Blumenthal joined a growing list of lawmakers interested in ransomware attacks on the healthcare industry. 

The widely felt effects on healthcare organizations have spurred momentum for cybersecurity legislation governing the healthcare industry — a fraught issue that continues to face backlash from stakeholders often pointing the finger at each other. 

In his submitted testimony, Witty said he supported “mandatory minimum security standards – developed collaboratively by the government and private sector – for the healthcare industry.” But he added that it had to come with funding and training for hospitals in rural areas as well as a larger national push for tougher cybersecurity infrastructure “including greater notification to law enforcement and standardized and nationalized cybersecurity event reporting.”

The American Hospital Association (AHA) — which represents thousands of hospitals as well as millions of doctors and nurses — has released several statements pledging to fight any attempts to impose mandatory standards on hospitals. 

The AHA argued in a letter last week as well as one released on Monday that regulations would effectively punish the victims of faulty technology and “unfairly penalize hospitals and not improve cybersecurity of the entire health care sector.”

“To make meaningful progress in the war on cybercrime, Congress and the Administration must focus on the entire health care sector and not just hospitals,” the AHA said, pointing the finger at tech providers like Change Healthcare.

“Instead, Congress and other policymakers should focus their efforts on ensuring all health care stakeholders adopt appropriate cyber hygiene practices with a particular priority on third-party technologies. Congress should call on federal agencies to protect hospitals and health systems — and the patients they care for — by deploying a strong and sustained offensive cyber strategy to combat this ongoing and unresolved national security threat.”