When It Comes to Cybersecurity, Could Health System Consolidation Hurt Patients?
Over the past decade, the pace of consolidation within US healthcare has increased as mergers and the formation of larger systems have helped to spread overhead costs. This in turn has permitted the acquisition of new expensive technologies and the development of deep clinical and cybersecurity expertise which can be shared across a much larger pool of individual providers within a health system.
Consolidation, however, is not a bed of roses. Nor is it a panacea for rising healthcare costs - costs that are rising at rates greatly outpacing inflation while insurance payments remain largely static. Consolidation reduces competition and the number of options available to a community, restricting patient choice, and in some cases it directly contributes to price rises for both health insurance and medical services in those communities.
Saving rural health but at a cost
Through consolidation, many small and rural hospitals have been saved from closure, as costs are shed and many core services such as IT, billing, risk assessment, and regulatory compliance are taken over and centralized by the acquiring party. However, this move from a local data center to a remote data center, often hundreds of miles away, increases the dependence of remote facilities on core systems. This means that in the event of a severed network connection, or a ransomware attack at the system level, remote hospitals have very limited access to the healthcare IT and IoT systems needed to diagnose, treat, monitor, or manage the patients in their care, something they could do before being acquired using local IT resources. These difficulties may extend even to the reading of a simple X-ray or CT scan in a remote clinic or rural hospital.
Consolidation is also leading to a reduction in available healthcare services in many hospitals as expensive diagnostic and treatment services are moved to large city hospitals where the economics of supporting expensive units, their equipment, and the specialist staff needed to run them can be more easily justified. This is depriving rural communities of key medical capabilities and subjecting patients to expensive and inconvenient travel requirements.
An example of this might be a local road traffic accident where a broken bone and internal injuries are suspected, yet the closest medical imaging could be several hours away by ambulance.
A recent case study depicted the plight of a high-risk pregnancy in which the woman and her family lived in a small community where all medical services, including general practice / primary care, had recently been withdrawn. Her only recourse was a weekly call with an obstetrician several hundred miles away until she reached term and was forced to move in with relatives closer to a hospital.
Another often-cited example is the growing number of rural cancer patients, many of whom will now need to be transported to a large city hospital for their radiotherapy and chemotherapy - often several times a week. At 200 miles or more per round trip this is obviously expensive and wasteful, especially as most health insurance plans do not include coverage for ambulance journeys. Here, the economics of US healthcare are having a direct impact upon patient care, outcomes, and even morbidity and mortality.
New single points of failure
Consolidation is also leading to the formation of single points of failure. A recent example of this would be the cyberattack on Change Healthcare, which hundreds of health systems across the country use for medical billing and pre-authorization of medical services, prescriptions, etc. The failure of Change Healthcare, now part of Optum and owned by United Health Group, resulted in many patients having to delay medical procedures, or deprived them of their prescription medications when pre-authorizations could not be obtained. Because providers were not able to bill insurers, it also deprived health systems of the payments needed to cover their overheads, including doctor and nurse salaries, and has reportedly forced some into severe financial difficulties, including receivership.
Several years ago there were many companies providing services similar to Change Healthcare's, but consolidation has greatly reduced the number of alternatives available today. Very few providers are set up to switch quickly from one service provider to another for any level of redundancy when things go wrong. And no competitor to a powerhouse like Optum's Change Healthcare is able to ramp up and take on huge additional capacity when things go wrong at a rival.
Lack of Resiliency
What makes this more concerning is that the healthcare industry has not embraced resiliency in the way that other industries have been forced to, given rising cybercrime. There are now many single points of failure that could easily take down entire health systems, and thus subject entire communities to minimal or reduced healthcare services.
A great example of the cascading failure brought about by an attack on a single application or service provider would be the recent ransomware attack on Synnovis, a provider of pathology services. Synnovis is a joint venture between SYNLAB, Europe's largest provider of medical testing and diagnostics, King's College Hospital NHS Trust, and Guy's and St Thomas' NHS Trust, which includes the Royal Brompton and the Evelina London Children's Hospital as well as a large number of primary care facilities across southeast London. Just as the failure of Change Healthcare impacted a third of Americans, so too has the London cyberattack impacted a large number of Londoners. The attack has resulted in the cancellation of over a thousand procedures and an urgent call for blood donors, while all pathology services have had to revert to paper-based records.
While there is a future intent for different NHS trusts to be interconnected to facilitate the pooling and sharing of resources, including pathology services, the money and political will to build this have so far not been found, given rising healthcare costs and very limited budgets. Had American health systems invested in a backup or secondary provider for pre-authorization of medical services and prescriptions, the Change Healthcare attack would not have had such a devastating impact on the American population and on so many health systems. Nor, most likely, would UHG management have felt compelled to pay a $20 million ransom to cybercriminals in a failed attempt to quickly restore systems and to recover and secure their regulated PHI data - a payment that, ironically, has probably fueled the further growth of the criminal cyber-extortion industry and invited future cyber-extortion attacks.
In conclusion, perhaps consolidation is not the panacea that we have been led to believe it to be. By placing all our eggs in a small number of baskets we have introduced further risk into an already highly risky industry. As the recent CrowdStrike outage has shown, these single points of failure extend all the way to the industry's almost ubiquitous adoption of Microsoft Windows across payers and providers. Perhaps, then, there is something to be said for 'Security Through Obscurity' and not following the crowd.
Of all the airlines impacted by four days of outages and delays this past weekend, only one, Southwest, stands out as being unaffected. Southwest, despite years of pressure from Redmond, still runs most of its systems on Windows 3.1 from 1992.
Richard Staynings is an internationally respected leader in healthcare cybersecurity. He is currently chief security strategist for Cylera, a pioneer in medical device and HIoT security. He also teaches postgraduate courses in cybersecurity, healthcare informatics, and healthcare management at the University of Denver University College.