"Two-Factor Authentication Was Not Used"
The CEO of UHG created more liability than I can imagine in his congressional testimony
The CEO of healthcare testified in front of Congress today. I'm sorry, that's United Healthcare. But he might as well be the CEO of healthcare. Change Healthcare was cyber attacked. And, as I predicted, the entire company had to be scrapped.
In front of Congress, Mr. Witty testified that they rebuilt Change from scratch. To be incredibly clear about this: we are talking about the liquidation, in one cyber attack, of billions of dollars of value.
That sounds like a lot of money. It's not to UnitedHealth Group.
The reason they had to rebuild Change from scratch? Cyber attackers used a Citrix portal with no requirement for two-factor authentication to access the entire infrastructure behind healthcare payments, pharmacy switches, radiology imaging systems, benefits verification, and so many more functions.
They had a policy to require two-factor authentication. In practice, they didn't require two-factor authentication.
They violated their own policies around the protection of health information.
If they didn't have endless money for lawyers, more than everyone who will sue them…
Sigh. This is why we can’t have nice things.
They had no backups of the software and operating data like pharmacy master file, hospital master file, CPT codes, rate tables, etc? Everyone keeps backups of all that. Dear God in Heaven, they are awash in money and they can’t spend any of it doing the things a minimally competent data center should be doing.
Your grasp of the situation is painfully limited.
It's a false equivalence to say that Change is the totality of UHG. You are making assumptions based on visualizing something along the lines of a desktop computer being 'hacked'.
The fact of the matter is that the security issue was probably in place in Change prior to its acquisition by UHG. Overhauling legacy systems does not happen overnight.