UnitedHealth Group CEO Andrew Witty is set to go before two congressional panels Wednesday to answer lawmakers' questions about the cyberattack on Change Healthcare that caused widespread disruption across healthcare.
In written testimony (PDF) for a hearing before the House Energy and Commerce Committee, Witty offers additional detail into how the hackers got into the system and says the decision to make a ransom payment to the cybercriminals came from the top.
"As chief executive officer, the decision to pay a ransom was mine," Witty wrote. "This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone."
Witty will also testify Wednesday before the Senate Finance Committee.
Witty said in the written testimony that while an investigation into the cyberattack continues, experts have uncovered that criminals gained access to Change Healthcare's systems on Feb. 12 through compromised credentials. Using these credentials, they were able to remotely access a Change Citrix portal, which allows for remote connection to desktops.
This particular portal was not protected with two-factor authentication, Witty said.
"Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data," he said. "Ransomware was deployed nine days later."
How Change brought its systems back online
Witty also provided additional details on the company's response and restoration process once the cyberattack was identified. He reiterated that once the breach was identified on Feb. 21, connection to Change's systems was immediately severed, which prevented the hackers from accessing other segments of Optum or UnitedHealthcare.
By the afternoon of Feb. 21, experts at Google, Amazon, Microsoft, Cisco and other tech companies as well as security experts from Mandiant and Palo Alto Networks were traveling to Change's hub in Nashville, Tennessee. They worked in tandem with the Change Healthcare team to rebuild the company's technology infrastructure "from the ground up," Witty said.
"The team replaced thousands of laptops, rotated credentials, rebuilt Change Healthcare’s data center network and core services, and added new server capacity," Witty said. "The team delivered a new technology environment in just weeks—an undertaking that would have taken many months under normal circumstances."
He echoed a company update issued last week that said UnitedHealth put a major focus on quickly restoring critical provider platforms and making funding available. As of March 7, 99% of pre-incident pharmacies are able to process claims, and challenges continue at a small fraction.
Medical claims are also flowing at near-normal levels, he said.
What comes next
Given how widely this cyberattack was felt within the industry, it should come as no surprise that legislators are actively weighing potential policy changes around security. Witty said in his testimony that UnitedHealth supports the rollout of minimum security standards for healthcare that are jointly developed by government and private sector stakeholders.
However, he said that this shift will require additional funding and training for organizations that are not well positioned to make sweeping changes, such as providers working in rural areas.
He added that UnitedHealth also backs more standardized and nationalized reporting of cybersecurity incidents as well as greater notification to law enforcement.
"The Change Healthcare attack demonstrates the growing need to fortify cybersecurity in healthcare," Witty said. "I look forward to working with policymakers and other stakeholders to bring our experience to bear in helping develop strong, practical solutions."
Witty's testimony also again highlights the sheer scale of the data accessed in the cyberattack. An investigation into the data is ongoing, so full numbers are not yet available, but UnitedHealth Group previously disclosed that it appears to impact a "substantial proportion of people in America."
The company has said it will take the lead on notifying people whose information was impacted, but Witty warned that it will likely require "several months of continued analysis" before those notifications can be made.
While the focus of the hearings is on the cyberattack and the resulting fallout, expect legislators to veer into other topics. For example, on Tuesday, a group of progressive senators sent a letter to the Securities and Exchange Commission urging the agency to look into reports of stock sales made by executives shortly before an antitrust probe into the company was revealed, according to Bloomberg.
The Wall Street Journal reported about a week after the cyberattack was revealed that the Department of Justice was quietly conducting an antitrust probe into the company and putting a particular focus on the Optum Health unit, which has gobbled up physicians and practices across the country.
Witty and the executive team were asked about the investigation on the company's earnings call earlier this month, but they declined to discuss it further.