A team of leaders in health policy, health informatics, and cybersecurity published an article in the Viewpoint section of the online edition of JAMA Internal Medicine on September 9th. The industry may be able to learn from the Change Healthcare disaster. In “Cybersecurity Lessons from the Change Healthcare Attack,” Dr. Haan T. Neprash, Dr. Christian Dameff, and Dr. Jeffrey Tully examine some elements of what happened to Change Healthcare earlier this year and what steps can be taken to combat breach disasters of this kind.
“The recent ransomware attack on technology conglomerate Change Healthcare may herald a new era of cyber threats in which hackers target key elements of the healthcare infrastructure rather than individual HDOs (healthcare delivery organizations),” the authors write. Change Healthcare (a subsidiary of Optum Inc, a subsidiary of UnitedHealth Group) provides revenue and payment cycle management services. When a ransomware attack disabled many of its electronic systems, thousands of physicians (many of whom had never heard of the company before) and hospitals across the country suddenly found themselves unable to submit claims and get paid. By one estimate, this meant that it took more than three weeks to restore Change Healthcare systems to full functionality, deferring $100 million per day in patient care revenue. As a result, many HDOs reported difficulties purchasing supplies, paying staff, and paying other expenses, the authors write. Beyond revenue delays, the Change Healthcare attack also disrupted many HDOs’ ability to verify patient coverage, obtain prior authorizations, electronically exchange clinical information and e-prescribe medications.
Additionally, they point out that in a survey conducted by the American Medical Association about two months after the attacks, 60 percent of respondents reported continuing difficulty verifying patients’ insurance details, and 86 percent reported ongoing interruptions to the claims process.
The article’s authors note: “The attack on Change Healthcare suggests that a major healthcare infrastructure services market is highly consolidated and vulnerable. The attack was disruptive because Change Healthcare processes an estimated 15 billion healthcare transactions, affecting one-third of patient records. Based on market share alone, it is not surprising that Change Healthcare was an attractive target for hackers. Moreover, the company’s corporate structure, which has evolved through a series of acquisitions, mergers, and consolidations, may have posed additional risks as each subsidiary’s different technology platforms, software collections, and networks are integrated into a larger whole. Following an alleged $22 million ransom paid to the organization claiming responsibility for the attack, the incentive for cybercriminals to target healthcare infrastructure services appears even more attractive.”
Inevitably, the Change Healthcare disaster caught the attention of regulators and policymakers, according to the authors’ article. In fact, it attracted far more attention than any previous health data breach. What should we do? The authors write, “As cyber threats grow in sophistication, so do the measures needed to prevent and prepare for them. Specifically, the Change Healthcare attack suggests that HDOs need to answer the following questions: Who are our critical third-party vendors, financial intermediaries, and infrastructure dependencies? Do they have appropriate cybersecurity prevention and planning activities in place? If a third party were to go down for a few weeks, how would we minimize the impact on care delivery and business continuity? Finding answers to these questions is primarily the responsibility of information security professionals and emergency managers, but it is physicians who know best that patient care workflows may depend on external entities. We recommend that clinicians work closely with information security staff to develop and refine cybersecurity incident response plans. Furthermore, recognizing the fact that cyberattacks affect patterns of care far beyond the organization attacked, we suggest that HDOs implement cyberincident plans at the local level.”
To address the range of issues involved, the article’s authors emphasize that a broad, collaborative approach will be required: patient care organization leaders will need to work with third-party vendors and financial intermediaries to identify weak spots and significantly upgrade their approach to addressing them. Finally, the authors state: “The Change Healthcare attack is the first example of a large-scale disruption of critical healthcare infrastructure, but it is unlikely to be the last. Market integration and the drive for interoperability go hand in hand with the proliferation of cybersecurity vulnerabilities. Our ability to prevent, prepare for, and respond to cybersecurity incidents will depend on our ability to better understand the hidden connections within clinical infrastructure and keep our finger on the digital pulse of healthcare.”