The Washington PostDemocracy Dies in Darkness

Opinion The risk of relying on UnitedHealth’s technology

March 8, 2024 at 4:41 p.m. EST
Pages from the United Healthcare website are displayed on a computer screen in New York on Feb. 29. (Patrick Sison/AP)

Regarding the March 4 front-page article “Cyberattack spreads pain across U.S. health system”:

Change Healthcare is a publicly traded company. It filed notice of the cyberattack with the Securities and Exchange Commission on Feb. 21. Its ongoing outage demonstrates that health-care technology companies are now necessary to everything we do to care for patients in the United States. Shouldn’t these companies have some level of accountability commensurate with their role, some responsibility beyond an SEC filing?

Sign up for the Prompt 2024 newsletter for opinions on the biggest questions in politics

We need to create a legal framework that recognizes the public-safety interest in the ongoing reliability, security and stability of the operations of health-care technology companies. If Change Healthcare were Change Airlines, and regulated accordingly, there would be a National Transportation Safety Board inquiry into the events leading up to the attack and shutdown of the company’s systems.

There should be a National Cyber Disaster Response Team to oversee and assist with restoration of services after attacks like these, much as first responders can be mobilized in response to natural disasters. There should be a defined and preexisting framework for responding to critical outages in health-care technology services, including financial and regulatory relief for providers and requirements that insurers pay claims for prescriptions and medical treatments given in good faith.

The health-care technology industry is likely to resist the prospect of additional regulation. However, that industry received enormous benefit when the government handed it a captive market in 2009. The Health Information Technology for Economic and Clinical Health Act was intended to increase the number of jobs in software and technology, while improving quality, safety and efficiency in health care. The law offered financial incentives to physicians and hospitals if they used electronic health records systems, followed by penalties for failure to use these systems. We expect a high level of responsibility from health care, but HITECH required health care to rely on companies without that same level of public responsibility. It is time to change that.

Cathleen Gould, Oak Park, Ill.

The devastation to health-care providers large and small and their patients caused by the cyberattack on a UnitedHealth Group subsidiary should give us all pause.

Cyber events, including ransomware attacks by terrorist threat actors, are a continual danger to the health-care ecosystem. The best information technology systems in the land cannot stop such intrusions entirely because human error, perhaps in the form of a conscientious employee clicking on a link in the course of reading an email message, is inevitable in any business setting.

This does not mean an organization can’t be ready for such an attack. Maximize redundancy. Build multiple off-site continuous data backups. Have emergency resources at the ready, such as funds to advance to customers or clients. And most important of all: Build a crisis communications plan that specifically prepares for the highest-magnitude cyber event.

The rest of us must also consider the downside of allowing any one health enterprise to get so large that the collapse of its technology can bring harm to so many providers and patients.

David A. Ball, Newton, Mass.