A Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 Change Healthcare cyberattack.
That attack, which is widely regarded as the biggest ever in the sector — including by HHS’s Charlee Hess, who spoke Thursday at CyberTalks presented by CyberScoop — began with hackers exploiting the lack of multifactor authentication set up on a remote access portal at Change Healthcare.
“It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Hess, director of the healthcare and public health sector cybersecurity at the Administration for Strategy Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”
That realization arose from meetings between HHS and industry, she said. The focus on third-party service provider risk came next.
“We are going through and working through a methodology to identify that, and we’ve been working with industry on doing that, really finding where those places are,” Hess said.
The Change Healthcare breach, which exposed the data of 190 million people, has triggered other government responses, too, including on Capitol Hill.
It also prompted UnitedHealth Group, the parent company of Change Healthcare to “start over” on its use of computer systems. But industry has also bristled at the notion of mandatory cybersecurity requirements on hospitals — in part because, they note, the Change Healthcare attack wasn’t their fault.
