UnitedHealth Group did not have basic cybersecurity requirements in place that would have protected it against the recent attack on its Change Healthcare subsidiary, according to White House Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger.
In fact, Neuberger said officials have recognized that U.S. critical infrastructure systems may lack basic cybersecurity protection measures after the Colonial Pipeline ransomware attack in 2021.
“Out of Change Healthcare, the pretty basic practices were not in place,” Neuberger said on May 9 at the RSA Conference in San Francisco. “We’ve seen millions of Americans’ medical records stolen [that are] not encrypted. Clearly, if a hack happens, if the data is encrypted, even if it’s stolen, it can’t be used to blackmail individuals.”
“The first thing we’ve been working on is putting in place sector by sector – using cobbled together authorities, emergency authorities, and others – minimum cybersecurity requirements,” she said.
UnitedHealth’s Change Healthcare unit was attacked in February by Russia-based ransomware group ALPHV BlackCat, which paralyzed billing services for providers nationwide.
Neuberger noted that the U.S. has been “pretty late” in establishing mandated cybersecurity requirements for critical sectors, following action by “almost every country around the world” to do so.
She said as an example to basic security practices, “If you park your car and leave your keys in the seat with the door unlocked, are you being negligent?”
“That’s been sector by sector, there’s different approaches. And then equipping each of those sectors – helping the Department of Energy hire the right people, engage with those sectors,” Neuberger said. “We’ll be doing that shortly.”
“We’re working with the hospital sector, putting in place minimum requirements to help hospitals ensure that they’re doing what they need to keep patient data safe,” she said.
