To be clear: they haven't "lost" any money here. They probably genuinely owe providers $2B. They just don't know exactly how much until the billing systems are back online, at which point they'll reconcile.
Trust me, it isn't 6%. United is one of the largest healthcare companies by market cap. They have aggressively acquired physicians under Optum, and use an accounting trick called intercompany eliminations to shuffle profits and skirt the law on the medical loss ratio. https://www.axios.com/2021/07/16/unitedhealth-optum-provider...
The US has a population of 300 million people. This works out to just $300 per person per quarter (or $1,200 annually). Given almost 20% of the population is over 65 (old people really put up the healthcare cost numbers) and the sophistication of our healthcare system (we have the tech to keep you alive or prolong your life despite pretty hairy stuff happening to you), it is not a very surprising number. The real question is how to afford it all.
Consider that you also pay for Medicare and Medicaid, which combined costs as much per capita (not per user) as the UK NHS. US healthcare is extraordinarily expensive.
The health insurance industry makes more money than the oil industry. It isn't a coincidence that most of our taxes go to healthcare and the top grossing industries are all built around it.
Oil business earns far more profit at far higher profit margins. Exxon alone earns more profit than all managed care organizations (health insurance companies) some years.
Revenue that is 95% paid to vendors and employees is not an interesting statistic, on a company level.
From the press release, this paragraph is making me hit the exploding head emoji many times:
"To assist care providers whose finances have been disrupted by the cyberattack, the company has advanced more than $2 billion thus far through multiple initiatives. The company recognizes the high level of fragmentation of the U.S. health system can result in uneven experiences, therefore it continues to enhance and expand funding support to make it easier for care providers to access funding help at no cost. To further assist care providers, the company also suspended prior authorizations for most outpatient services and utilization review of inpatient admissions for Medicare Advantage plans."
They provide DDoS protection to DDoS providers that would otherwise have taken each other down, so those providers can find clients for their services which further necessitates Cloudflare’s main product.
DDoS providers have websites marketing their services which Cloudflare allows (for free!) in the name of not policing speech. Before Cloudflare, they didn't exist because competitors would always take each other down. Anyone who wanted to hire them had to go trawling the darkweb/freenet/random hacker forums.
Maybe when supply outstrips demand? It looks like there is more than enough business for the foreseeable future that there is no need to restore to protection rackets.
AOL was the Google of its day. It was the internet for most people. Even the strongest giants can fall. It gives me hope for a future where someone asks "Wow Google is still a thing?"
It wasn't, though. It was the largest, but never a majority (except that I think it peaked with an absolute majority of CDs pressed being AOL CDs, which was an achievement, I guess).
This (IT Integrity Charge) will become a line item on your medical bill. All the other providers will follow, prices go up, insurance companies make more money, and "shareholders" see high returns!
> The Biden administration announced Wednesday that it has launched an investigation into the company due to the “unprecedented magnitude of the cyberattack.”
Let the coverup begin; well, actually they probably started wiping days after the attack.
It's to a degree orthogonal to the devs you hire, as a well-resourced APT will be able to penetrate any org regardless of the quality of developers an org hires.
Any org? Would, for example, openai be included in your definition of "any org"?
Look, "in principle" stuff is not how the real world works. AFAIK, hacks happen mostly because of carelessness. No one cares because no one cares if they care (and the compensation etc. reflects that). I know enough such cases in fintech (forget about other verticals), which are mostly stupid, like wrong RBAC, an open firewall, AWS keys taken by a roommate, etc., and not public of course.
Foreign governments are almost certainly trying to insert intelligence agents as employees in OpenAI, and other high profile technology companies. We already know that Saudi intelligence infiltrated Twitter. There are likely many other such agents in other companies.
There are certain security measures which can minimize insider threats. But ultimately it's just hard to guard against agents who are willing to commit felonies in order to carry out their missions. Even defense industry companies which have tight security over classified information have been repeatedly penetrated.
Yes. Any org. A few million dollars guarantees you unrestricted access to any network-connected system.
The upper bound of security is unable to make attacks with a 10 M$ return unprofitable. Raising the lower bar just raises the barrier to entry for new participants, it does not stop existing ones.
Most attacks do use basic techniques since a 10 M$ payout on 10 K$ cost is still better than 10 M$ payout on 1 M$ cost. No point wasting the good stuff when the basic and cheap stuff works just as well. But if you get rid of all the cheap ways in they will still attack using the more expensive stuff since the payout is still wildly profitable.
I'd like to see evidence of this. Because it seems unrealistic, even for a well-protected org. Ok, say the employees are the weak chain. What about those with zero trust access policies?
My knowledge derives from personal experience, but if you want digestible evidence you can go read the books: “Click Here to Kill Everybody” by well known cryptographer Bruce Schneier or “This Is How They Tell Me The World Ends” by the lead cybersecurity reporter of the New York Times, Nicole Perlroth.
Almost 90% of breaches start with an email, so the code your developers write has very little to do with the primary attack vector. You have to realize that a well-resourced APT like, say, APT-29 actually runs research labs where, among other things, they test their exploits against all top-tier endpoint security solutions. So if you are a target of a well-resourced group, they are going to get in.
70% of security vulnerabilities in code are memory safety issues. However, the vast majority of in-the-wild attacks were not against security vulnerabilities but against people. No technology can protect you from someone giving out the secret keys to the attacker.
Just false, if you look at most of the ransomware cases, for example. This whole fixation on "human layer security" has done more harm to cybersecurity than many actually malicious things. Wasting your money and resources on training Karen from HR to spot 20% more phishing emails yields exactly the results you'd think it does.
I hope we can get out of that nonsense and tackle cyber issues with actual technological investments as it should and can be done.
The only part of what you said that disagrees with me is the words "just false". I don't know how to ensure "Karen from HR" doesn't fall for those things, but training is clearly not enough (or at least current training; I'm not hopeful for future efforts, but...). Either way, since the attack wasn't against something a programming language can protect against, no amount of fixing programming languages will help.
We need to come up with answers that work despite humans not being perfect. This is a hard problem. (What gets hard is that sometimes someone will lose/forget a key, and so you need to issue a replacement, but only to the correct person.)
The technology solution here is not allowing Karen from HR to have a password at all and instead using something like Yubikey + FIDO, which can't be phished.
Which is great until someone who might or might not really be "Karen from HR" says they lost their Yubikey and needs a new one. This workflow must exist, but it is generally easy for an attacker to get authenticated by that system.
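As an added illustration of the origin binding behind the "can't be phished" claim two comments up, and of why the reply after it points at the recovery workflow rather than the token, here is a toy model constructed for this thread; it is not code from UHG, Yubico or any vendor, and the domains, the HMAC stand-in for the authenticator's signature and every function name are assumptions.

```python
import hashlib
import hmac
import os

# Toy model of FIDO/WebAuthn origin binding, constructed for this thread; it
# is not UHG's, Yubico's or any vendor's code. A real authenticator signs with
# an asymmetric key pair; here an HMAC over a per-credential secret shared at
# registration stands in for that signature so the demo runs on stdlib only.

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class Authenticator:
    """Hardware token: one credential secret per relying-party ID, never exported."""
    def __init__(self):
        self._creds = {}
    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]   # toy only: the RP keeps a copy to verify with
    def get_assertion(self, rp_id, challenge):
        secret = self._creds.get(rp_id)
        if secret is None:
            return None              # no credential exists for this RP ID
        auth_data = rp_id_hash(rp_id) + challenge
        return auth_data, hmac.new(secret, auth_data, "sha256").digest()

def browser_get_assertion(page_host, requested_rp_id, challenge, token):
    """The browser only honours an rp_id the page's own host is allowed to claim."""
    if page_host != requested_rp_id and not page_host.endswith("." + requested_rp_id):
        return None                  # a lookalike host cannot claim corp.example
    return token.get_assertion(requested_rp_id, challenge)

class RelyingParty:
    def __init__(self, rp_id, cred_secret):
        self.rp_id, self._secret, self._pending = rp_id, cred_secret, None
    def challenge(self):
        self._pending = os.urandom(32)
        return self._pending
    def verify(self, assertion):
        if assertion is None or self._pending is None:
            return False
        auth_data, sig = assertion
        expected = rp_id_hash(self.rp_id) + self._pending
        self._pending = None         # challenges are single-use, so no replay
        return hmac.compare_digest(auth_data, expected) and hmac.compare_digest(
            sig, hmac.new(self._secret, auth_data, "sha256").digest())

def login(rp, token, page_host, requested_rp_id):
    # True only if a page served from page_host can obtain an assertion the RP accepts
    return rp.verify(browser_get_assertion(page_host, requested_rp_id, rp.challenge(), token))
```

Note that nothing here covers the "I lost my Yubikey" path: re-enrolling a new token is an identity-proofing problem outside the protocol, which is exactly where the reply above locates the residual risk.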
There's no evidence that this attack was due to poor UHG developer quality. It appears to have been an infrastructure security vulnerability in the Change Healthcare business unit, which UHG acquired just last year.
I would bet my life savings UHG developers pleaded with management for years to get the resources they desperately need to resolve these problems, but management ignored every request because it didn't have any external impact.
Management in healthcare tech is composed entirely of some of the most mind-boggling idiots on Earth, whose only qualification might be being an adult, since their ability to read, write, and comprehend information is universally worse than a child's. This is without exception, in my experience.
The systems built were designed for a business that evolved, and the assumptions and constraints changed in a way that sometimes requires redoing things. This can be as simple as an assumption about how sales will be acquiring new clients, and how those new clients affect overall system scalability. If there's a long pipeline of feature requests and sales supersedes product managers on roadmaps, doing the necessary work to scale the systems is going to be deprioritized to a point where anything other than downtime is acceptable from a business standpoint. Sales are made on features being built, not on an impending doom that has yet to happen. This extends to other aspects of systems, like security.
No, developers aren't responsible for infrastructure. Most large enterprises have separate specialized positions for sysadmin, networking, storage, firewalls, etc.