United Healthcare Ransomware, Secured Infrastrure, Dropbox Sign, AI security center and CYBERSECEVAL 2

29/4-5/5/2024

This week, I delved deep on the congress hearing of $872M damage United Healthcare with a 2000 word review in-depth. Also, several updates from the AI cyber security as an emergent field are mentioned in the top news. Hope this weekly update provides valuable insights of the current state. Emma.

Top news

1. Reimagining secure infrastructure for advanced AI.

   This outlines 6 key security measures for advanced AI infrastructure: OpenAI proposes evolving security infrastructure to protect advanced AI, including trusted computing for AI accelerators, network isolation, enhanced physical security, AI-specific audits, AI for cyber defense, and continuous research for resilience. These measures aim to address the unique challenges of securing powerful AI systems.

2. Hackers of all kinds are attacking routers across the world

   Hackers sometimes encounter routers already compromised by rivals. In these cases, they either share the infrastructure for a fee or find separate ways to exploit the device simultaneously, as seen with Ubiquiti EdgeRouters used by state-sponsored actors and financially motivated groups.

3. A recent security incident involving Dropbox Sign.

   On April 24th, 2023, unauthorized access to Dropbox Sign exposed customer data including emails, names, and phone numbers. Dropbox Sign passwords were reset and API keys rotated. The incident was isolated to Dropbox Sign and did not affect other Dropbox products. Dropbox is notifying impacted users and taking steps to prevent future incidents.

4. UnitedHealth: Hackers Exploited Remote-Access Software for Ransomware Attack.

   Change Healthcare, a subsidiary of UnitedHealth, was hit by a ransomware attack that exploited a vulnerability in Citrix software. The attackers stole 4TB of data and demanded ransom, which UnitedHealth paid.

5. AI security bill aims to prevent safety breaches of AI models.

   A new Senate bill proposes the establishment of an AI Security Center to research and counter AI manipulation techniques. The bill also mandates the creation of a database to track AI security breaches and near-misses, promoting AI safety measures and responsible development practices.

Education: CYBERSECEVAL 2

This week I would like to introduce a benchmark to assess the security risks and capabilities of LLMs called Cybersecval 2 as a part of Lalma 3 release. It evaluates vulnerabilities like prompt injection and code interpreter abuse in models like GPT-4 and LaMDA, revealing that mitigating these risks remains a challenge. The research highlights the safety-utility tradeoff, where making LLMs safer can also hinder their ability to answer legitimate prompts. It proposes using False Refusal Rate (FRR) to quantify this tradeoff. Additionally, the study explores the potential of LLMs in automating cybersecurity tasks like exploiting software vulnerabilities. While models with coding abilities show promise, further development is needed for proficiency in exploit generation.

Review: United Healthcare Ransomware attack. 

This week I dive deep into the congress hearing of United Healthcare with 2000 word.

Cybersecurity main points:

• Lack of Multi-Factor Authentication (MFA): The initial point of entry for the hackers was a Change Healthcare server that lacked MFA, a basic cybersecurity measure. This allowed unauthorized access despite password protection.

• Ransomware Attack: After gaining access, the attackers deployed ransomware, encrypting and locking up crucial systems, including backups. This caused widespread disruption and data exfiltration.

General Damages:

• Disruptions in care: Patients faced delays in receiving prescriptions, procedures, and treatments.

• Financial losses for providers: Hospitals, doctors, and pharmacies experienced significant revenue losses and cash flow problems.

• Increased administrative burden: Providers had to deal with manual claims processing, appeals, and other administrative tasks.

• Potential closure of healthcare facilities: Rural hospitals and independent pharmacies are at risk of closure due to financial strain.

• Identity theft and fraud: Stolen personal health information and personally identifiable information put individuals at risk.

Widespread Impact:

• The attack affected healthcare providers, patients, pharmacies, and health plans across the United States.

• Rural and underserved communities were disproportionately impacted.

• The incident highlighted vulnerabilities in the healthcare sector's cybersecurity infrastructure.

Money Given:

• UnitedHealth Group provided $6.5 billion in accelerated payments and loans to healthcare providers.

• The company offered two years of free credit monitoring and identity theft protection to potentially affected individuals.

Main critics:

• The lack of multi-factor authentication on a Change Healthcare server was a key factor in the attack.

• UnitedHealth Group's response to the attack was criticized for being slow and inadequate.

• The incident raised concerns about the company's size and market power, and its potential to exploit the situation to further consolidate the healthcare industry.

• Lawmakers called for stronger cybersecurity standards and regulations for the healthcare sector.

Appendix: Numbers:

• $1.5 trillion: The amount of medical claims Change Healthcare processes annually.

• $6.5 billion: The amount of accelerated payments and loans UnitedHealth Group provided to healthcare providers.

• 249: The number of ransomware attacks against the healthcare industry in 2023 according to the FBI.

• 21 million: The number of individuals whose records Change Healthcare retained since 2012 according to the Department of Justice.

• $3.7 billion: The amount UnitedHealth Group allegedly cheated taxpayers out of in 2017 through upcoding practices.

• $22 billion: UnitedHealth Group's profits in 2023.

• 11th: UnitedHealth Group's rank among the largest companies in the world by revenue.

• 90,000: The approximate number of physicians UnitedHealth Group controls or employs.

• 17,000: The number of claims Sheridan Memorial Hospital in Wyoming was delayed in filing.

• $20 million: The amount of unpaid services for Sheridan Memorial Hospital due to the attack.

• 50%: The percentage of rural hospitals currently operating in the red.

• $1.5 million: The amount of outstanding payments for a critical access hospital in Colorado.

• $1,000: The cost of some medications that patients had to pay upfront due to the attack.

• $600,000: The average weekly revenue of a health center in Mansfield, Ohio, which dropped to under $200,000 due to the attack.

• $122,000: The weekly cost of overtime for staff at a Nevada health center dealing with billing and eligibility issues.

• 20%: The amount by which Medicare Advantage reimburses less than Medicare, according to some hospitals.

Summary of Senate Finance Committee Hearing on Change Healthcare Cyber Attack

Key Participants:

• Senator Ron Wyden (D-OR): Chairman of the Senate Finance Committee

• Senator Mike Crapo (R-ID): Ranking Member of the Senate Finance Committee

• Andrew Witty: Chief Executive Officer of UnitedHealth Group, parent company of Change Healthcare

Key Issues Discussed:

• Impact on Providers: The attack severely impacted healthcare providers, causing significant financial strain due to delayed payments and administrative burdens.

• Patient Data Breach: Millions of Americans potentially had their personal health information and personally identifiable information compromised. Concerns were raised about the lack of timely notification to affected individuals and the adequacy of credit monitoring as compensation.

• National Security Concerns: The possibility of stolen data on US government employees, including military personnel, raised significant national security concerns.

• United Healthcare's Response: The company's response was criticized for being slow and inadequate, particularly regarding financial assistance to providers and communication with affected individuals.

• Lack of Redundancy: The absence of robust backup systems exacerbated the impact of the attack and prolonged the recovery process.

• United Healthcare's Size and Market Power: Concerns were raised about United Healthcare's dominant position in the healthcare market and its potential to exploit the crisis to further consolidate its power.

• Need for Stronger Cybersecurity Standards: The hearing highlighted the need for stricter cybersecurity standards and enforcement mechanisms in the healthcare sector, including minimum standards and improved communication channels.

Senator Concerns and Commitments from United Healthcare:

• MFA Implementation: Mr. Witty committed to implementing MFA companywide within six months and meeting federal agency standards.

• Military Personnel Data: United Healthcare promised to prioritize identifying and notifying affected military personnel within two weeks.

• Provider Compensation: The company expressed willingness to engage with providers regarding compensation for losses and disruptions.

• Claims Backlog and Deadlines: United Healthcare committed to clearing the claims backlog as quickly as possible and waiving deadlines for timely filings and appeals.

• Loan Repayment: The company assured providers that loan repayments would only be required after they confirm their operations are back to normal, with a 45-day grace period and no interest or fees.

• Exclusivity Clauses: United Healthcare agreed to remove exclusivity clauses from future contracts to allow providers to have backup systems in place.

• Patient Notification: While acknowledging the delay, the company stated they are working with regulators to expedite notification to potentially affected individuals.

Impact of the Cyberattack:

• Change Healthcare, the nation's largest healthcare clearinghouse, processes $1.5 trillion in medical claims annually.

• The attack disrupted services for "a substantial portion of people in America" potentially impacting millions of individuals.

• Hospitals and providers faced severe financial strain due to delayed reimbursements, with some resorting to loans and lines of credit.

• Patient care was disrupted, including delays in receiving prescriptions and accessing necessary medical services.

• The attack exposed sensitive patient data, including personally identifiable information and protected health information.

Hearing Highlights:

1. Failure of Multi-Factor Authentication (MFA):

   • Senator Wyden criticized UnitedHealth Group for not implementing MFA on the server that was breached, calling it a "cybersecurity 101" failure.

   • Mr. Witty admitted the lack of MFA and committed to requiring it company-wide within six months.

2. National Security Concerns:

   • Senator Wyden expressed concern about potential data theft of US government employees, including military personnel.

   • Mr. Witty promised to provide information on the number of affected military personnel within two weeks.

3. Provider Reimbursements and Financial Assistance:

   • Several Senators raised concerns about the slow pace of reimbursements and the inadequacy of UnitedHealth Group's financial assistance programs.

   • Mr. Witty claimed that claims processing was back to normal but acknowledged delays in payments. He assured the committee that interest-free loans would be available to providers until they were fully reimbursed.

4. Patient Data and Breach Notifications:

   • Senators expressed frustration over the lack of notification to individuals whose data may have been compromised.

   • Mr. Witty stated that it would take several more weeks to identify and notify affected individuals, but assured the committee that credit monitoring and identity theft protection services were already available.

5. UnitedHealth Group's Market Dominance and Anti-Competitive Practices:

   • Senator Warren criticized UnitedHealth Group's size and market power, arguing that it allows the company to engage in price gouging and anti-competitive practices.

   • Mr. Witty defended the company's size and denied engaging in anti-competitive behavior.

6. Need for Stronger Cybersecurity Standards and Regulations:

   • Several Senators called for the implementation of minimum cybersecurity standards for the healthcare industry, similar to those in other sectors.

   • Mr. Witty expressed support for minimum standards and collaboration with the government on cybersecurity efforts.

7. Resiliency and Redundancy:

   • Senator Warner emphasized the need for greater resiliency and redundancy in healthcare IT systems to prevent future disruptions.

   • Mr. Witty agreed and stated that UnitedHealth Group would encourage providers to have backup systems in place.

Analysis of Senate Finance Committee Hearing on Change Healthcare Cyber Attack

Hearing Highlights:

• Multi-factor Authentication (MFA) Failure: The initial point of entry for the hackers was a Change Healthcare server lacking MFA, a basic cybersecurity measure. Mr. Witty confirmed that UnitedHealth Group now requires MFA company-wide for external systems.

• National Security Concerns: Concerns were raised about potential data theft of US government employees, including military personnel. Mr. Witty committed to providing the number of affected military personnel and their identities to the committee within two weeks.

• Provider Impact and Financial Assistance: Senators highlighted the severe financial strain on healthcare providers due to delayed payments and operational disruptions. Mr. Witty assured the committee that claims processing is back to normal and that UnitedHealth Group is offering interest-free loans to affected providers.

• Patient Data Breach and Notification: Senators expressed concern about the lack of notification to potentially millions of Americans whose personal health information may have been compromised. Mr. Witty stated that notification is a top priority but will take several more weeks due to data complexity.

• Exclusivity Clauses and Redundancy: Concerns were raised about exclusivity clauses in Change Healthcare contracts that prevent providers from using alternative clearinghouses. Mr. Witty confirmed that these clauses have been waived and will not be enforced in future contracts.

• UnitedHealth Group's Market Dominance: Several senators questioned whether UnitedHealth Group's size and market dominance contributed to the severity of the cyberattack's impact and raised concerns about potential anti-competitive practices.

Impact of the Cyberattack:

• Financial: The attack caused significant financial losses for healthcare providers due to delayed payments and operational disruptions. Estimates suggest billions of dollars in impacted services.

• Patient Data: Millions of Americans may have had their personal health information and personally identifiable information compromised.

• Operational: The attack caused widespread disruption to healthcare operations, including delays in patient care, prescription fulfillment, and claims processing.

Review and Analysis:

The hearing exposed significant shortcomings in Change Healthcare's cybersecurity practices and UnitedHealth Group's response to the attack. The lack of MFA on a critical server and the absence of adequate redundancy plans were major points of criticism. Senators also expressed frustration with the slow pace of patient notification and the potential for UnitedHealth Group to exploit the situation for further market consolidation.

Key Takeaways:

• The healthcare sector remains vulnerable to cyberattacks, and stronger cybersecurity standards and enforcement are needed.

• Large healthcare companies like UnitedHealth Group have a responsibility to protect patient data and ensure the resilience of critical healthcare infrastructure.

• The Change Healthcare cyberattack highlights the potential risks associated with market consolidation in the healthcare industry.

Potential Policy Actions:

• Implementing minimum cybersecurity standards for the healthcare sector, including mandatory MFA and redundancy requirements.

• Strengthening enforcement mechanisms for HIPAA and other relevant regulations.

• Increasing transparency and oversight of data breaches and their impact on patients and providers.

• Examining the potential anti-competitive effects of mergers and acquisitions in the healthcare industry.

Overall, the hearing served as a wake-up call for the healthcare industry and policymakers regarding the urgent need to address cybersecurity vulnerabilities and protect patient data.

United Healthcare's Response to the Change Healthcare Hack and Plans for Improvement

Based on the Senate Finance Committee hearing from May 1st, 2024, here's a summary of United Healthcare's (UHG) actions and plans to address the Change Healthcare cyberattack:

Actions Taken:

• Severed connectivity and secured the perimeter: UHG immediately isolated Change Healthcare's systems to prevent further spread of malware.

• Contacted the FBI: UHG promptly notified the FBI and continues to cooperate with their investigation.

• Paid the ransom: UHG made the difficult decision to pay the ransom to protect patient data.

• Built a new technology environment: Change Healthcare's systems were rebuilt from scratch to ensure security and eliminate vulnerabilities.

• Prioritized essential services: Restoration efforts focused on critical functions like pharmacy services, claims processing, and provider payments.

• Provided financial assistance: UHG offered interest-free loans and accelerated payments to affected providers.

• Offered credit monitoring and identity theft protection: UHG provides these services for two years to anyone potentially impacted.

Plans for Improvement:

• Multi-factor authentication (MFA): UHG committed to implementing MFA company-wide for all external-facing systems.

• Enhanced cybersecurity oversight: UHG engaged Mandiant, a leading cyber security firm, as a board advisor.

• Increased system scanning: UHG implemented additional scanning measures using both internal and external resources.

• Improved communication: UHG acknowledged the need for better communication with providers and patients during such events.

• Collaboration with government and industry: UHG expressed support for developing minimum cyber security standards for the healthcare sector and collaborating to reduce attack frequency.

• Eliminating exclusivity clauses: UHG will remove exclusivity clauses from Change Healthcare contracts to allow providers to utilize backup systems.

Remaining Concerns:

• Transparency and accountability: Senators expressed concerns about UHG's transparency regarding the extent of the breach and the types of data stolen.

• Compensation for providers: Questions remain about the adequacy of UHG's financial assistance and the potential for exploiting vulnerable providers.

• Patient notification: UHG has yet to notify potentially affected individuals, raising concerns about HIPAA compliance and timely protection measures.

• Long-term impact on the healthcare system: The attack exposed vulnerabilities in the healthcare sector's cybersecurity infrastructure, raising concerns about future attacks and the need for systemic improvements.

Potential Congressional Actions:

• Developing minimum cyber security standards: The hearing highlighted the need for clear and enforceable standards for the healthcare industry.

• Improving HIPAA enforcement: Senators discussed the need for stronger enforcement mechanisms to ensure compliance with data protection regulations.

• Promoting system resiliency: The attack underscored the importance of redundancy and backup systems to minimize disruptions during cyberattacks.

• Addressing "too big to fail" concerns: The size and scope of UHG raised concerns about systemic risks and the potential for anti-competitive practices.

The Change Healthcare cyberattack serves as a stark reminder of the vulnerabilities within the healthcare sector and the need for robust cyber security measures. While UHG has taken steps to address the immediate fallout, ongoing concerns and potential Congressional actions highlight the need for continued efforts to protect patient data and ensure the resilience of the healthcare system.

Unique Stories Highlighting the Change Healthcare Hearing:

Several unique and concerning stories emerged from the hearing regarding the Change Healthcare hack and its impact:

1. National Security Concerns:

• Stolen Data on Government Employees: The possibility of stolen data on US government employees, including active-duty military, raises serious national security concerns. This echoes the 2015 OPM hack and its counterintelligence implications. The lack of clarity on the extent of this data breach and the individuals affected is particularly alarming.

2. Provider Struggles and Financial Fallout:

• Delayed Payments and Financial Strain: Providers, especially small and rural hospitals and clinics, faced significant financial strain due to delayed payments and backlogs. Stories of providers resorting to personal savings, retirement funds, and loans to stay afloat highlight the severity of the situation.

• Inadequate Loan Terms and Support: Initial loan terms offered by UnitedHealth Group were criticized as onerous and insufficient. The slow response in providing adequate financial assistance exacerbated the challenges faced by providers.

• Community Health Centers at Risk: Community health centers, crucial for serving vulnerable populations, were hit particularly hard. The example of Tulip Tree Family Healthcare in Indiana, resorting to paper claim submissions and facing potential closure, demonstrates the dire consequences of the hack.

3. Patient Impact and Data Privacy Concerns:

• Uncertainty and Lack of Information: Patients remain in the dark about the extent of the breach and whether their sensitive information was compromised. The lack of timely notification and transparency raises concerns about potential identity theft and misuse of personal health data.

• Access to Care Disruptions: Patients experienced disruptions in care, including delays in receiving prescriptions and extended hospital stays. The story of the woman in Delaware unable to access her insulin prescription for days exemplifies the real-life consequences of the hack.

• Long-Term Implications for Children and Seniors: The breach poses significant long-term risks for children and seniors, who are particularly vulnerable to identity theft and scams. The potential for lifelong damage due to stolen data is a major concern.

4. UnitedHealth Group's Role and Accountability:

• Cybersecurity Failures and Lack of Redundancy: The lack of basic cybersecurity measures, such as multi-factor authentication and adequate redundancy systems, is a major point of criticism. The hearing exposed significant shortcomings in UnitedHealth Group's approach to cybersecurity.

• Monopolistic Practices and Expansion: Concerns were raised about UnitedHealth Group's monopolistic practices and its attempts to exploit the crisis to further expand its market share. The example of acquiring struggling physician practices in Oregon raises questions about the company's motives and its impact on the healthcare system.

• Downplaying Responsibility and Minimizing Impact: UnitedHealth Group's attempts to downplay its responsibility and minimize the impact of the breach were met with skepticism and criticism. The company's focus on credit monitoring as a solution was deemed inadequate and insufficient to address the full scope of the problem.

5. Calls for Action and Policy Changes:

• Bipartisan Efforts for Cybersecurity Standards: The hearing highlighted the need for bipartisan efforts to establish and enforce robust cybersecurity standards for the healthcare industry. This includes minimum standards, transparency, and accountability measures.

• Focus on Resiliency and Redundancy: The importance of building resiliency and redundancy into healthcare systems was emphasized. This involves ensuring backup systems and alternative pathways to prevent future disruptions and protect patient data.

• Federal Data Privacy Legislation: The need for comprehensive federal data privacy legislation was underscored. This would address the current patchwork of state laws and provide consistent protection for sensitive health information.

These unique stories paint a concerning picture of the Change Healthcare hack's impact and raise critical questions about cybersecurity, data privacy, and the role of large corporations in the healthcare system. The hearing serves as a call to action for policymakers, industry leaders, and stakeholders to work together to address these challenges and protect patients and providers.

Unique Stories Highlighting the Change Healthcare Hearing:

Patients:

• Insulin Delay: A patient in Delaware was unable to receive their insulin prescription for several days due to pharmacy delays caused by the hack. This highlights the potential for life-threatening consequences when critical medications are delayed.

• Rural Oklahoma Senior: A woman in her mid-70s faces multiple challenges accessing healthcare in rural Oklahoma, including provider closures, switching insurance networks, and prior authorization issues. This exemplifies the difficulties rural Americans encounter when navigating the healthcare system.

• Financial Concerns: Many patients remain unaware of whether their data was compromised, causing anxiety and uncertainty about potential identity theft and financial repercussions.

Providers:

• Hospital in West Tennessee: A small, independent hospital faces a backlog of Medicare claims equivalent to 30 days of revenue due to the hack. They struggle to get clear answers and support, highlighting the financial strain on small providers.

• Critical Access Hospital in Colorado: A Colorado hospital has $1.5 million in outstanding payments, nearly half of its monthly revenue, putting its operations and ability to pay staff at risk. This demonstrates the severe financial impact on vulnerable hospitals.

• Community Health Center in Indiana: A health center saw their revenue drop significantly due to the hack, forcing them to take out loans and struggle to maintain operations. This exemplifies the challenges faced by community health centers operating on tight margins.

• Physician Practice in Pennsylvania: A physician practice owner considered taking out a home equity loan to keep her practice afloat due to delayed reimbursements. This illustrates the personal financial burdens faced by individual practitioners.

• Tulip Tree Family Healthcare: A small community health center in Indiana faces challenges switching clearinghouses and has resorted to paper claim submissions, incurring significant costs. This demonstrates the impact on smaller providers who lack the resources to adapt quickly.

National Security:

• Potential Exposure of Government Employee Data: Concerns were raised about the possibility of stolen data including information on U.S. government employees and military personnel, raising significant national security implications. The committee requested details on the number of affected personnel and their identities.

Systemic Issues:

• Lack of Multi-Factor Authentication: The initial point of failure was a server without multi-factor authentication, a basic cybersecurity measure. This raises questions about UnitedHealth Group's overall cybersecurity practices and the need for industry-wide standards.

• Exclusivity Clauses: Concerns were raised about exclusivity clauses in Change Healthcare contracts preventing providers from working with competitors, creating single points of failure and limiting options during disruptions.

• Data Breach Notification Delays: UnitedHealth Group has yet to notify individuals potentially impacted by the breach, raising concerns about HIPAA compliance and timely access to credit monitoring and identity theft protection services.

• Financial Burden on Providers: The attack's financial impact on providers raises questions about UnitedHealth Group's responsibility to compensate for losses and provide adequate support during recovery.

These stories provide a glimpse into the widespread consequences of the Change Healthcare hack and highlight the need for robust cybersecurity measures, improved communication, and stronger support for patients and providers within the healthcare system.