2 Minute Drill: Change Health Health Under Fire - Crisis, Criticism, and Cybersecurity
Episode 25 • 3rd May 2024 • This Week Health: Newsroom • This Week Health

Transcripts

Hey everyone, I'm Drex, and this is the 2 Minute Drill, brought to you exclusively by ORDR, the Connected Asset Visibility and Security Company. ORDR brings nearly instant visibility to everything on your network, with hardly any setup time from your team. Find out more at thisweekhealth.com slash ORDR.

That's O R D R, thisweekhealth.com slash ORDR. On the two minute drill, we do at least three stories at least two times a week, all part of one great community, the 229 cyber risk community here at This Week Health, and maybe not three stories today, just probably one story because there's one big story.

So thanks for joining me today. Here's some stuff you might want to know about. You know those times when you think things are bad? We're not going well, and one way to get out of that funk is to kind of understand everything isn't about you, and if you lift your head up and you look around, you'll find somebody who's probably got it worse than you do.

Well, yesterday, that person was probably Andrew Witty, CEO of UnitedHealthcare Group, the parent company of Change Healthcare. Witty gave testimony at two congressional committees yesterday, the House Energy and Commerce Committee and the Senate Finance Committee, and those in both chambers unleashed blistering criticism, totaling seven plus hours of what I can only imagine to be some of the worst of his professional life.

There will be a lot more written about this testimony online and there are already several stories posted at thisweekhealth.com slash news. Here's a few of the highlights.

Representative McMorris characterized it as a case study in crisis mismanagement for decades to come. But he did repeatedly apologize for the breach and the extensive outage saying that he and the company will not rest until we fix this. And he made reference to the free credit monitoring for patients, which one senator referred to as the thoughts and prayers of data breaches.

But he also talked about the 6.5 billion in no interest loans that had been advanced to doctors and hospitals affected by the cyber outage. He also admitted that about a third of the U.S. population might be included in the data that was stolen, and he talked about how the bad guys had access to their systems for nine days before the bad guys finally exploded the ransomware that took them down and left pharmacists, doctors, and hospitals unable to file claims.

He also described how cybercriminals accessed Change Healthcare through a portal that didn't have multi-factor authentication, or MFA, enabled, and I can't believe he said this, but he committed to having all systems across the company using MFA within the next six months. I don't think that probably helped his case.

Several lawmakers called for the 450 billion dollar UnitedHealth Group conglomerate to be broken up. At various points it was called a monopoly on steroids by Senator Warner, and Senator Wyden of Oregon said the Change hack is a dire warning about the consequences of too big to fail megacorporations gobbling up larger and larger shares of the healthcare system.

red Change Healthcare back in:

Back to the testimony. Witty also confirmed that UnitedHealth paid a 22 million ransom. And of course, that also drew the ire of those in attendance. Senator Thom Tillis, in a great move of theater, waved around a copy of Hacking for Dummies as he joined in Witty's verbal beating. Really, no matter what Witty said or how many times he apologized, legislators were basically pretty relentless and very unforgiving.

Any attempt at an explanation fell flat. When he tried to explain that Change came with significant tech debt, that they were working to upgrade this stuff when the attack happened, nobody wanted to hear it. As an aside, that was one of the things that was pretty easy to relate to. They did an acquisition of Change, which was a collection of acquisitions itself, and those new companies came with outdated infrastructure and applications, and they had a plan to replace them.

But they got caught before the upgrades were done. If you're going through any kind of M&A right now, I bet you can relate. And maybe this is a good part of this bad story that can help make the case about tech debt to your leadership team. In a nutshell, Witty was mostly contrite and he took his lumps, but it was a bad day, not just for Witty, but for healthcare.

You and I are insiders in all of this, but for those who aren't, they'd probably like to think that this situation was an exception across the industry. It's a fluke. I think the reality is, and I hate to say it, it's probably more likely than not that we'll see this play from bad guys again in the future.

Okay, I know I say the two minute drill is about three stories, but like I said, it was a lot for me to cover in just one story today. And look, I just saved you from seven hours of C-SPAN video, so cut me some slack, will ya? And there's all the stories we post at thisweekhealth.com slash news. It's actually a great way to start your day, getting up to date on all the stuff that's happening, not only in cyber, but across healthcare and tech.

Check it out at thisweekhealth.com slash news. One more thing, you can be a part of what we're doing here. Take a look at thisweekhealth.com slash security and click on the join the community button. I'll keep you posted on all the cool stuff that's happening here. And that's it for the Two Minute Drill.

Thanks again to our partner ORDR, the exclusive sponsor of the Two Minute Drill. You can see them at RSA, that's coming up really soon. And you can talk to them there about ORDR AI Chasm, which is also available in the AWS marketplace now. Thanks for your time today. Stay a little paranoid. I'll see you around campus.
