NICK EICHER, HOST: It’s Tuesday the 19th of March, 2024. This is WORLD Radio and we thank you for listening. Good morning, I’m Nick Eicher.
MARY REICHARD, HOST: And I’m Mary Reichard. First up on The World and Everything in It: cyberattacks.
Last month, cyber thieves broke into the systems of Change Healthcare, the nation’s largest medical payment system. Thieves stole massive amounts of data and demanded ransom payments in crypto currencies.
Change Healthcare and its parent company UnitedHealth Group have not confirmed they paid the ransom, but they did pull the plug on their own servers to prevent more loss.
EICHER: That worked, but it also meant pharmacies, hospitals, and other medical entities across the country couldn’t process insurance claims, and not just for a few hours. It went on for weeks, putting patients and providers at risk.
UnitedHealth says it brought claims-processing for pharmacies back online earlier this month. And this week plans to reconnect its medical claims-processing.
But what needs to happen to deter attacks like this?
REICHARD: Joining us now to talk about it is retired Rear Admiral Mark Montgomery. He leads the Center on Cyber and Technology Innovation for the Foundation for Defense of Democracies. Admiral, good morning!
MARK MONTGOMERY: Good morning, and thank you for having me today.
REICHARD: What do we know about “BlackCat,” the group that’s claimed responsibility for attacking Change Healthcare’s systems?
MONTGOMERY: Sure, so Black Cat is a ransomware-as-a-service provider. Like many they originate with a Russian background. It does have a lineage back to DarkSide, which was the ransomware-as-a-service provider that conducted the Colonial Pipeline attacks. So these guys have been on our radar scope for three or four years now. And obviously, this is a pretty, this is their largest, most successful ransomware event in terms of impact as, under the name Black Cat.
REICHARD: Well, why go after a healthcare company, though?
MONTGOMERY: Well, it's interesting, you know, what's happened is, you know, if you've gone back 30 years ago, malicious cyber activity is being conducted against banks, because that's where the money was. But what's happened since is that the monetization of data has meant that ransomware strikes where business operations or field operations can be most rapidly impacted. Well, the healthcare industry brings that together all in one, right? There, you can go after their business operation, stop them from being able to do billing, you can go off to the field operations, where you stop MRI results from being shared or going to the surgical floor, things like that. Or you can go after all that personal data. And it's the most sensitive data. And by the way, medical data is worth much more for sale on the dark web than say, credit card data. So really, the healthcare industry is ground zero for ransomware and the cybersecurity attacks on our national critical infrastructure today.
REICHARD: Two questions: what options do companies have when ransomware attacks happen? And then secondly, what's your assessment of how Change Healthcare responded to it?
MONTGOMERY: Well, listen, I mean, your first option is one you take before the ransomware event, and that's where you spend enough money on cybersecurity. Someone like Change who is really a systemically important entity, in other words, one of those top four or 500 companies in the country, that, you know, needs to be maintaining a higher level of cybersecurity, obviously didn't pass that big test in this event. And look, I'll be honest, if you'd asked me to list the systemically important entities two months ago, Change Healthcare wouldn't have made my list. Now, once it happens, it's the individual companies that are impacted by this. You know, some of these pharmacies and smaller offices and health care facilities and retirement homes, having to lay people off or suspend operations. This is a significant health care event for the United States, because this one systemically important entity couldn’t protect itself.
REICHARD: So Admiral, are these attacks private sector problems, to be fixed with private sector solutions, or is there a role for the federal government. …What do you think needs to happen?
MONTGOMERY: That's a great question about whose responsibility is this, because I've said a lot about the private sector. But let's be clear, the government has a role to play in this. HHS, Health and Human Services, the federal agency, is called a Sector Risk Management Agency. They're supposed to be providing really good support to the healthcare industry in terms of, you know, what type, what things to look for best practices, but beyond that time sensitive information about what's going on. And HHS is like many of our sector risk management agencies in that it is underperforming. You know, there's a lot that can be done, and we can invest a lot more in them. The President just announced the FY25 budget. Now, he announced a big great, you know, increase in Health and Human Services. But when I look, dug into the details, it's like future money in 2027, and you know, it's four or five years away. What really has to happen now is the Congress needs to grab the federal budgets, and then the HHS one, increase their investment, and their performance as a Sector Risk Management Agency, so they can do a better job supporting the private sector, so when the private sector spends the right amount of money, they're doing it in the right place.
REICHARD: Do you think Plan B ought to be paper systems like we used to have?
MONTGOMERY: So actually, I think Plan B is having resilience. Paper would be an option. I think the option I'd pick beforehand, there's an expensive one called redundancy, where I build separate server networks and things that run and mirror the primary network every 6, 12, 24 hours, whatever it is, and you bring it back online if you lose the primary to ransomware. But an even better thing would be if we developed better software for recovery, where there's a software system constantly running inside and says, here's what “right” looked like just before the attack, so you can get yourself back in a good position.
REICHARD: Final question here. And this is kind of an open floor question. Is there some aspect of this story you think warrants more attention than it's getting?
MONTGOMERY: You know, it's the real impact on rural health care, right? We think a lot about healthcare service, you think about big hospitals downtown and I get it. But rural health care, almost by definition is 60 to 100 miles between hospitals, so that when a hospital's significantly impacted by a cyber incident, and it can no longer provide services, now an ambulance has to go maybe 100 miles or 70 miles. That, that is a life threatening condition for the person in that ambulance. That's number one, you know, that really worries me, is the impact that these kinds of events are having. We've (sic) gone from 7,000 hospitals and clinics in America down to 6,000 over the last six or seven years. Many of these rural ones are running on very tight margins, this cybersecurity is just enough to tip many of them over into the red in a way that they shut down. We cannot allow that to happen in our very fragile, rural healthcare ecosystem.
REICHARD: Rear Admiral Mark Montgomery leads the Center on Cyber and Technology Innovation for the Foundation for Defense of Democracies. Thanks so much. Appreciate your time.
MONTGOMERY: Thank you for having me.
WORLD Radio transcripts are created on a rush deadline. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of WORLD Radio programming is the audio record.
Please wait while we load the latest comments...
Comments
Please register, subscribe, or log in to comment on this article.