White House cyber official urges UnitedHealth to provide third-party certification of network safety

Senior White House officials are urging UnitedHealth Group to provide its customers with detailed third-party cybersecurity assessments of its systems as it recovers from a cyberattack. 

The ransomware attack against UnitedHealth subsidiary Change Healthcare has caused one of the biggest healthcare crises in years.

The attack cut off a pivotal link between medical providers and insurance companies, leaving pharmacists scrambling for weeks to facilitate the distribution of much-needed drugs and medical facilities struggling to get reimbursement for care. Change Healthcare says it processes 15 billion transactions annually. 

On Monday, senior Biden administration officials — including U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra and White House Deputy National Security Advisor Anne Neuberger — held a second meeting with company executives, insurance companies and healthcare providers to discuss the situation. 

According to a readout of the meeting, Neuberger “noted the interconnectedness of the domestic health care ecosystem and the urgency of strengthening cybersecurity resiliency across the sector.”

Neuberger urged insurers to implement HHS’ voluntary HPH Cyber Performance Goals (CPGs) but also said UnitedHealth needed to provide customers with “third party certification of the cybersecurity of Change Healthcare’s system before reconnecting.” The company needs to “communicate to providers about efforts to safely secure claims systems and the timeframe for those third-party assessments,” she added. 

UnitedHealth released its own statement on Monday explaining that in the coming days it will begin releasing medical claims preparation software to thousands of customers as an important step in the resumption of services.

“The company expects to have third-party attestations available prior to services becoming operational. Following this initial phase, remaining services restoration will continue through ongoing phases of activation until all customers have been connected,” the company said. 

The company restored its electronic payments platform on March 15 and says it was able to restore 99% of Change Healthcare pharmacy network services on March 7.

One expert told Recorded Future News last week that the incident is costing some organizations upwards of $100 million a day — with hospitals across the U.S. reporting issues.

UnitedHealth has yet to address claims that it paid a $22 million ransom to the AlphV ransomware gang — which allegedly launched the attack on Change Healthcare and kicked off the fiasco. 

Becerra warned during the meeting that even though the situation was improving, healthcare providers serving vulnerable populations, rural hospitals and smaller institutions are still struggling to reconnect and deliver services. 

Last week, HHS said it planned to open an investigation into the cyberattack, specifically in the context of potential medical data privacy violations, and the incident has reignited efforts to implement more stringent cybersecurity protections around platforms integral to the healthcare industry.

But multiple outlets have reported that in spite of the current situation, many healthcare institutions are still deeply opposed to any regulation around mandatory cybersecurity standards, with some arguing that they would effectively penalize victims.  

In December, HHS floated proposals that would see new cybersecurity requirements for hospitals pushed through Medicare and Medicaid programs, ostensibly tying federal payments to baseline standards. HHS is also looking into potential updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the spring of 2024 that would also include new cybersecurity requirements.