Cybercrime hits home in healthcare attack
Scott Sereboff
Experienced Sales and Marketing Leader | Surveillance/Security Market Expertise | Startup Development, Channel Sales Creation and Management | Current Technologies Specialist | VP of Global Sales
On February 20th of this year, doctors working within the United Healthcare system were informed by United Healthcare that it would be unable to process the claims delivered to it.
United Healthcare had been hit with a ransomware attack. It is not known whether this attack started with United Healthcare and flowed out from its systems, or originated at the clearinghouse level and affected United Healthcare once claims arrived at that clearinghouse. Either scenario led to the same issue: claims could not then, and as of the date of this writing still cannot, be processed.
The real-world effect of this ransomware attack is chilling. To state in writing that “claims cannot be processed at this time” sounds relatively benign. What it means in practical application is far less banal:
· Medical providers cannot receive reimbursements.
· Critical prescriptions cannot get filled.
· Patients cannot receive lifesaving treatments.
· No one can be reimbursed via Medicare or Medicaid.
As it happens, United Healthcare was prepared to pay the ransom in the amount of $30 million. The federal government stepped in and ordered them not to make this payment due to privacy concerns, patient confidentiality and HIPAA. For United Healthcare, making a $30 million payment is certainly no fun but seems akin to a rounding error in their yearly financials. The providers whose practices rely on reimbursement as the singular cash flow into their business have now waited over two weeks for money that is still nowhere in sight.
When a prescription, provider visit, or indeed anything that falls into this “submit for reimbursement” is generated and delivered to a company such as United Healthcare, it is processed through a clearinghouse. The clearinghouse has more clients than just a single health insurer like United Healthcare; they might process claims from dozens of different health care providers. These same clearinghouses are also responsible for prescriptions and medication management.
There are only three major medical billing and prescription clearinghouses in the United States.
If you visit your medical provider today your medical provider’s electronic filing system submits the insurance request to cover the lion’s share of the cost of your visit. Let’s say you are insured through Blue Cross Blue Shield. This insurance company uses a different clearinghouse for physical visits and so your visit is reimbursed. Imagine that during your visit your doctor prescribes you some medication. That prescription cannot be filled because Blue Cross Blue Shield uses the same clearinghouse as does United Healthcare for that prescription, and so you find yourself unable to obtain the medication you need due to a ransomware attack on a healthcare provider you don’t use.
Having only three major clearinghouses in the United States, all three shared by hundreds of different insurance companies, creates an unbelievably attractive point of vulnerability for ransomware attacks and criminal behavior. It is easy to imagine that United Healthcare has an excellent cybersecurity staff, and that staff uses the most advanced penetration testing techniques to keep its own cyber house well protected.
It is equally easy to imagine that no one at United Healthcare bothered to look downstream at all of the other points of vulnerability along the cyber trail and to insist on the highest level of protection and penetration testing for each associated vendor. It hardly matters whether a major health care provider and insurance company such as United Healthcare has a 100% cyber safety record if the vendors they use and to which they are attached are lax in their security efforts.
The more connected our world becomes, the less “butterfly effect” such actions create. It’s no longer a chaos theory question to ask what effects will occur elsewhere if a tiny little ransomware attack freezes a system in a small and generally ignored part of a longer cyber trail.
Every company at every level should use penetration testing and should have systems and safeguards in place to protect against cybercrime, unless it doesn’t use technology at all (and even that does not obviate the need for protection, given the reliance on technology outside of your company). This is no longer a “like to” thing to do, but rather a dead set requirement. Failure to do so might only affect your company and your business, or it might affect millions of people. Each day that goes by for the millions of folks relying on United Healthcare for prescriptions and medical treatment, and for the small providers relying on United Healthcare to reimburse claims, increases the chance that a business closes or a life is lost due to cybercrime.
If you haven’t already done so, get on your favorite search engine and Google “penetration testing”. Find a provider and get engaged. This cyber fight has come to our doorsteps.