Winter in Unalaska by Sam Zmolek
Your voice in the Aleutians.
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

Experts examine how hackers took down a top digital health care payment system

LEILA FADEL, HOST:

Pharmacies across the country have a backlog of insurance claims waiting to be paid. That's after hackers took down one of the top digital payment systems for the health care industry in late February. Cybersecurity experts hope to seize the moment to push for better cybersecurity standards across critical infrastructure. NPR's Jenna McLaughlin reports.

JENNA MCLAUGHLIN, BYLINE: Criminal hackers broke into systems at Change Healthcare earlier this winter. Different parts of the industry started to fall like dominoes. Patients couldn't get prescriptions. Providers couldn't get paid. As things get back online, the backlog of claims is staggering. The health care industry has been a top target for ransomware gangs for years, but the sheer impact of this breach even took experts by surprise. I spoke to Josh Corman, a leader in health care and cybersecurity.

JOSH CORMAN: So we knew and focused a lot of debate and argument on how to make health care stronger.

MCLAUGHLIN: He's talking about when he led the government's efforts to tackle cybersecurity threats posed by the COVID-19 pandemic.

CORMAN: But in the process of that debate, very little attention was focused on these systemically important critical infrastructure segments like payment platforms or middleware.

MCLAUGHLIN: Corman and experts like him have been shouting at the rooftops to improve protections for health care for years, but they hope this cascading outage could be a watershed moment to push for long stalled legislation that would help the government identify and assist the most vulnerable, vital entities, the kinds of companies that, if they were to go down, would cause nationwide chaos. The director of the Department of Homeland Security cyber agency wants Congress to go even further.

JEN EASTERLY: Voluntary commitments are just not going to suffice in ensuring that Americans are safe and secure, which is why I do think it's important for Congress to consider minimum cybersecurity standards.

MCLAUGHLIN: That's Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency. Easterly says CISA has been working on studying the health care industry and creating its own list of important and vulnerable companies. The industry is massive and complex, and CISA has limited resources and authority. Companies never want more regulation, more scrutiny. But they need a push, says Easterly.

EASTERLY: I think patients should have an expectation that they can have access to health care and public health facilities when they need it.

MCLAUGHLIN: Without better cybersecurity, patients can't fully rely on their doctors anymore.

Jenna McLaughlin, NPR News.

(SOUNDBITE OF GOBI'S "EXIT.WAV") Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Jenna McLaughlin
Jenna McLaughlin is NPR's cybersecurity correspondent, focusing on the intersection of national security and technology.