
Time for mandatory MFA? – Ep 458 

 May 17, 2024

By  Donna Grindle

After the big cyberattack on Change Healthcare, there’s a hot debate about making Multi-Factor Authentication (MFA) a must-have for all public access points. With Congress getting involved and experts pushing for tougher security, it’s clear that better safeguards are needed to keep our healthcare data safe. This shift towards mandatory security measures shows just how serious cyber threats have become.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!



HIPAA Briefs

[06:20]

Staffing Company to Pay $2.7M for Alleged Failure to Provide Adequate Cybersecurity for COVID-19 Contact Tracing Data | United States Department of Justice

Insight Global LLC, headquartered in Atlanta has agreed to pay $2.7 million to resolve allegations that it violated the False Claims Act by failing to implement adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing.

…the Pennsylvania Department of Health hired Insight Global to provide staffing for COVID-19 contact tracing and paid Insight Global with CDC funds. Insight Global understood that personal health information of contact tracing subjects needed to be kept confidential and secure, but it failed to do so. For example, certain personal health information and/or personally identifiable information of contact tracing subjects was transmitted in the body of unencrypted emails, staff used shared passwords to access such information, and such information was stored and transmitted using Google files that were not password protected and were potentially accessible to the public via internet links.
…from November 2020 through January 2021, Insight Global managers received complaints from Insight Global staff that such information was unsecure and potentially accessible to the public, but Insight Global failed to start remediating the issue until April 2021. At that point, Insight Global addressed the issue, including by securing such information, investigating the cause and scope of the incident, strengthening internal controls and procedures, adding more data-security resources and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected. Insight Global also cooperated with the United States’ investigation.
…lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery. The settlement in this case provides for the whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, to receive a $499,500 share of the settlement amount.

Time for mandatory MFA?

[13:34]

Opening statements

Wyden Hearing Statement on Change Healthcare Cyberattack and UnitedHealth Group’s Response

I believe the bigger the company, the bigger the responsibility to protect its systems from hackers. UHG was a big target long before it was hacked. The FBI says that the health care industry is the number one target of ransomware. It’s obvious why.
Accountability for Change Healthcare’s failure starts at the top. Before this hearing, I asked U-H-G which members of its board have cybersecurity expertise. UHG pointed to NCAA President Charlie Baker, who signed some technology-related legislation into law years ago when he was governor of Massachusetts. Mr. Baker is certainly an expert on basketball, but UHG needs an actual cybersecurity expert on its board.
Finally, the Change hack is a dire warning about the consequences of “too big to fail” mega-corporations gobbling up larger and larger shares of the health care system. It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack. For example, Change Healthcare’s exclusive contracts prevented more than one third of providers from switching clearinghouses, even though Change’s systems were down for weeks.
[24:36]

Testimony of Andrew Witty Chief Executive Officer, UnitedHealth Group Before the Senate Finance Committee “Hacking America W

Cyberattacks continue to increase in frequency and significance, with one analysis calculating that in 2023, cybercriminals collected an all-time high of over $1 billion in ransom. Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year. These criminals continue to adapt and develop more sophisticated and malicious methodologies, and they have increasingly targeted critical infrastructure, including schools, government agencies and the health care sector.
Cyber experts continue to investigate the incident. While we will learn more and our understanding may change, here’s what I can share today. On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.

We support mandatory minimum security standards – developed collaboratively by the government and private sector – for the health care industry. Importantly, these efforts must include funding and training for institutions that need help in making that transition, such as hospitals in rural communities.
[34:36]

Of note: US hospital network Steward files for bankruptcy, aims for new loan | Reuters

Steward has nearly 30,000 employees, including 4,500 primary and specialty care physicians, at 400 facility locations. Steward Health Care provides care to more than two million patients annually.

Steward filed for bankruptcy with between $1 billion and $10 billion in liabilities, according to its Chapter 11 petition filed in Houston, Texas bankruptcy court.

According to some of the articles, Steward is in negotiations with Optum, a UHG subsidiary, to sell its primary care physician clinics.

Steward Health Care files for Chapter 11 bankruptcy | Healthcare Dive

UnitedHealth Group CEO takes bipartisan heat in Senate hearing over cyberattack | The Hill

Senate Finance Chair Ron Wyden (D-Ore.) made it clear straight out of the gate that he blamed Witty’s leadership for the cyberattack, which caused widespread disruptions to the health care sector.

Sen. Elizabeth Warren (D-Mass.) noted how UHG has “bought up every link in the health care chain,” owning “the country’s largest insurer, the country’s largest claims processor, the country’s third-largest pharmacy benefit manager.”

“You’re now in a position to jack up prices, squeeze competitors, hide revenues and pressure doctors to put profits ahead of patients. UnitedHealth is a monopoly on steroids,” said Warren.

Sen. James Lankford (R-Okla.) directly asked Witty when patients and providers would be “made whole” of the payments and services they have struggled to access since the attack.

“I would hope that that’s in the next month or six weeks,” Witty responded.

[38:34]

Change Healthcare cyberattack: 5 technical takeaways from UnitedHealth CEO’s testimony | Cybersecurity Dive

1. Legacy tech at Change amplified attack’s impact

Before the attack, UnitedHealth, which acquired Change for $13 billion in late 2022, was in the process of upgrading and modernizing an extensive amount of Change’s technology.

2. Stolen credentials unlocked access

The company has relatively high confidence the credentials were stolen and sold on the dark web before the attack occurred.

3. Incident response cavalry called in

UnitedHealth brought in at least seven incident response firms and third-party cybersecurity experts to help it respond to and recover from the attack. Some of those engagements, all of which began after the attack, will now remain in place.

Witty specifically called out the support it received from Mandiant, Palo Alto Networks and Bishop Fox, but in written testimony added that Google, Microsoft, Cisco and Amazon were also on site assisting with recovery, advisory and testing efforts.

UnitedHealth asked Mandiant to join its board as a permanent advisor to strengthen the company’s cybersecurity oversight and strategy.

4. Response and recovery snags

Change’s legacy technology also meant the prime and backup IT environments were not isolated and both systems were directly impacted by the attack. IT elements in the cloud were brought back online quickly, but systems in older data centers were weighed down by multiple layers of old technology, Witty said.

5. Multifactor authentication wasn’t turned on

The company’s policy is to have MFA turned on for all external-facing systems, but for reasons that remain under investigation, a Change Healthcare Citrix portal used for desktop remote access did not have MFA turned on.

“We’re trying to dig through exactly why that server had not been protected by MFA. I’m as frustrated as anybody about that fact and we are working to try and understand exactly why it was not covered at the time,” Witty said.

“I can confirm to you that as of today, across the whole of UHG, all of our external-facing systems have got multifactor authentication enabled,” he said.
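The check a practitioner wants after reading that admission is a reconciliation of the written policy ("MFA on every external-facing system") against what is actually configured, so a single unprotected remote-access portal shows up before someone else finds it. The script below is an added example for these show notes, not code from the podcast, UnitedHealth or Change Healthcare; the inventory export format, column names, and entries are constructed for illustration.

```python
"""Reconcile 'MFA required on all external-facing systems' with deployed config.

Added example for these show notes, not code from the podcast, UnitedHealth or
Change Healthcare. It reads a constructed asset-inventory export (column names
and rows invented for illustration) and reports every internet-facing system
whose authentication setting does not actually enforce MFA, which is the gap
the testimony describes on the remote-access portal.
"""
import csv
import io

# Constructed export; in practice this comes from the asset register joined
# with the identity provider's per-application policy, not a string literal.
INVENTORY_CSV = """\
name,exposure,auth_policy,role
claims-api-gateway,internet,password+mfa,api
remote-desktop-portal,internet,password,remote-access
hr-intranet,internal,password,web
partner-sftp,internet,certificate+mfa,file-transfer
legacy-vpn,internet,mfa-optional,remote-access
"""

MFA_ENFORCED = {"password+mfa", "certificate+mfa"}  # a second factor is required


def load_inventory(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def mfa_gaps(rows):
    """Names of internet-facing systems without enforced MFA, remote-access
    gateways first: one stolen credential there is an interactive foothold.
    'mfa-optional' is a gap (a factor the user can skip is not a control);
    internal-only systems are outside this policy and are not reported."""
    gaps = [r for r in rows
            if r["exposure"] == "internet" and r["auth_policy"] not in MFA_ENFORCED]
    return [r["name"] for r in sorted(gaps, key=lambda r: (r["role"] != "remote-access", r["name"]))]


def external_mfa_coverage(rows):
    """Share (0.0-1.0) of internet-facing systems with MFA enforced; anything
    below 1.0 means the written policy is not the deployed reality."""
    ext = [r for r in rows if r["exposure"] == "internet"]
    return sum(r["auth_policy"] in MFA_ENFORCED for r in ext) / len(ext) if ext else 1.0


if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    for name in mfa_gaps(rows):
        print("MFA GAP:", name)
    print(f"external-facing MFA coverage: {external_mfa_coverage(rows):.0%}")
```

Run against a real export, the useful output is the ordered gap list; a coverage figure of anything less than 100% is the "policy says yes, config says no" condition described in the testimony.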

As we navigate the digital age, it’s becoming clear that stronger defenses like mandatory MFA aren’t just nice to have; they’re essential. With cyber threats on the rise and healthcare data constantly at risk, stepping up security measures isn’t just a precaution—it’s a necessity. By implementing mandatory MFA, we can ensure a higher standard of protection, making it much tougher for cybercriminals to cause havoc. It’s about time we take these steps to safeguard our data and regain confidence in our digital security systems.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it's about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
