IT experts: The debacle surrounding changes in healthcare requires action from providers

A team of leading minds in health policy, medical informatics and cybersecurity published an article on September 9 in the Viewpoint section of JAMA Internal Medicine online, see what The industry could learn from the Change Healthcare debacle. In “Cybersecurity Lessons from the Change Healthcare Attack,” Haan T. Neprash, Ph.D., Christian Dameff, MD, and Jeffrey Tully, MD, examine some of the elements of what happened to Change Healthcare earlier this year and what steps could be taken in the wake of the disaster.

The authors point out that “the recent ransomware attack on technology company Change Healthcare could usher in a new era of cyber threats in which hackers target core elements of the healthcare infrastructure rather than individual HDOs. [healthcare delivery organizations]. Change Healthcare (a subsidiary of Optum Inc, a subsidiary of UnitedHealth Group) provides revenue and payment cycle management services. When a ransomware attack crippled many of their electronic systems, thousands of physicians (many previously unaware of the company's existence) and hospitals across the country suddenly found themselves unable to submit claims and receive payments. By some estimates, this meant $100 million per day in deferred patient care revenue for the more than three weeks it took to get Change Healthcare's systems back to full operation. “As a result,” they write, “many HDOs reported difficulties purchasing supplies, paying staff, and covering other expenses. In addition to delayed revenue, the attack on Change Healthcare also disrupted many HDOs' ability to verify patient insurance coverage, obtain prior authorizations, exchange clinical information electronically, and prescribe medications electronically.”

In addition, they point out, a survey by the American Medical Association nearly two months after the attack found that 60 percent of respondents continued to have problems verifying patients' insurance information and 86 percent reported ongoing disruptions in filing claims.

As the authors of the article note, “The attack on Change Healthcare points to the existence of a hugely consolidated and therefore vulnerable market for critical healthcare infrastructure services. This particular attack was so disruptive because Change Healthcare handles an estimated 15 billion healthcare transactions and touches one in three patient records.6 Based on market share alone, it is not surprising that Change Healthcare was an attractive target for hackers. In addition, the company's corporate structure, which has evolved through a series of acquisitions, mergers and consolidations, may have created additional risk as each subsidiary's disparate technology platforms, software collections and networks are integrated into the larger whole. After a reported $22 million ransom payment was made to the organization that claimed responsibility for the attack, the incentives for cybercriminals to target healthcare infrastructure services appear to be increasingly lucrative.”

As the author writes in his articles, the Change Healthcare disaster inevitably attracted the attention of regulators and policymakers—far more than any previous healthcare data breach. What to do? The author writes: “As cyber threats become more complex, the measures required to prevent and prepare for them also become more sophisticated. The Change Healthcare attack in particular suggests that HDOs would do well to answer the following questions: Who are your key third-party vendors, financial intermediaries, and infrastructure dependencies? Do they implement adequate cybersecurity prevention and planning measures? In the event of third-party vendor downtime lasting several weeks, how would you minimize the impact on healthcare delivery and business continuity? While answering these questions is largely the responsibility of information security professionals and emergency managers, physicians know best how patient care workflows can depend on outside entities. We recommend that clinicians work hand-in-hand with information security personnel to develop and refine cybersecurity incident response plans. In addition, we recommend that HDOs conduct their cyber incident planning at a regional level, recognizing that cyber attacks impact care patterns well beyond the attacked facility.”

The authors of the article address the various issues involved and inevitably stress that a broad, collaborative approach will be required. Leaders of patient care organizations must significantly improve their approach to working with third-party vendors and financial intermediaries to identify and remediate vulnerabilities together. They conclude: “While the Change Healthcare attack is the first example of large-scale disruption of critical healthcare infrastructure, it is unlikely to be the last. Market consolidation and the drive for interoperability go hand in hand with the proliferation of cybersecurity vulnerabilities. Our ability to prevent, prepare for and respond to cybersecurity incidents will depend on better understanding the hidden connections within clinical infrastructure and keeping our finger on the digital pulse of medicine.”