IT Experts: Change Healthcare Debacle Calls for Provider Action
A team of healthcare policy, medical-informatics, and cybersecurity leaders on Sep. 9 published an article in the Viewpoint section of JAMA Internal Medicine online, looking at what the industry might learn from the Change Healthcare debacle. In “Cybersecurity Lessons from the Change Healthcare Attack,” Haan T. Neprash, Ph.D., Christian Dameff, M.D., and Jeffrey Tully, M.D., examine some of the elements of what happened earlier this year to Change Healthcare, and what steps could be taken from the breach disaster.
The authors note that “The recent ransomware attack on the technology conglomerate Change Healthcare may herald a new era of cyber threats, wherein hackers target key elements of health care infrastructure rather than individual HDOs [healthcare delivery organizations]. Change Healthcare (a subsidiary of Optum Inc, a subsidiary of UnitedHealth Group) offers revenue and payment cycle management services. When a ransomware attack disabled many of their electronic systems, thousands of physicians (many previously unaware of the existence of the company) and hospitals across the country were suddenly unable to submit claims and receive payment. By some estimates, this meant $100 million per day in deferred patient care revenue for the more than 3 weeks required to restore Change Healthcare systems to full functionality. As a result,” they write, “many HDOs reported difficulties purchasing supplies, paying staff, and covering other expenses. Beyond delayed revenue, the Change Healthcare attack also disrupted many HDOs’ ability to verify patients’ insurance coverage, seek prior authorization, electronically exchange clinical information, and e-prescribe medications.”
What’s more, they note, a survey fielded by the American Medical Association nearly two months after the attack found 60 percent of respondents reporting continuing challenges in verifying patients’ insurance details and 86 percent reporting continuing disruptions in the claims submissions process.
As the article’s authors note, “The Change Healthcare attack hints at the existence of a tremendously consolidated and, therefore, vulnerable market for key health care infrastructure services. This particular attack was so disruptive because Change Healthcare processes an estimated 15 billion health care transactions and touches 1 in every 3 patient records.6 Based on market share alone, it is not surprising that Change Healthcare presented an appealing target for hackers. Furthermore, the corporate anatomy of the company, evolving as a series of acquisitions, mergers, and consolidations, may have resulted in additional risk, as the disparate technology platforms, software collections, and networks of each individual subsidiary are subsumed into the larger whole. After an alleged $22 million ransom payment was made to the organization claiming responsibility for the attack, the incentives for cybercriminals to target health care infrastructure services seem increasingly lucrative.”
Inevitably, the author’s articles write, the Change Healthcare disaster garnered the attention of regulators and policymakers—far more, in fact, than any previous healthcare data breach. What to do? They write that “As cyber threats evolve in sophistication, so too do the actions necessary to prevent and prepare for them. Specifically, the Change Healthcare attack suggests that HDOs would do well to answer the following questions: Who are your critical third-party vendors, financial intermediaries, and infrastructure dependencies? Do they engage in appropriate cybersecurity prevention and planning activities? In the event of multiweek third-party downtime, how would you minimize the effects on care delivery and business continuity? While discovering the answers to these questions is largely the responsibility of information security professionals and emergency managers, physicians know best how patient care workflows may depend on external entities. We suggest that clinicians work hand-in-hand with information security staff to develop and refine cybersecurity incident response plans. Furthermore, we suggest that HDOs conduct cyber incident planning at the regional level, in recognition of the fact that cyberattacks affect patterns of care well beyond the entity experiencing the attack.”
Inevitably, addressing the cluster of issues involved, the article’s authors emphasize that a broad, collaborative approach will be needed, with patient care organization leaders needing to strongly upgrade their approach to working with third-party vendors and financial intermediaries to collaboratively identify weaknesses and address them. In the end, they note, “While the Change Healthcare attack is the first example of large-scale disruption of critical health care infrastructure, it is unlikely to be the last. Market consolidation and a push for interoperability go hand in hand with the proliferation of cybersecurity vulnerabilities. Our ability to prevent, prepare for, and respond to cybersecurity incidents will depend on our ability to better understand the hidden connections within clinical infrastructure and keep our finger on the digital pulse of medicine.”