Hard lessons learned from healthcare violations of change

We improve our future by learning from past mistakes and ignore those lessons in our dangers.

Just a year ago, a catastrophic ransomware attack was everything except healthcare, except for all healthcare systems. The attack and its fallout demonstrated the need to build greater redundancy and resilience to health systems to enhance cybersecurity protection, provide much more robust risk assessments and disaster recovery plans, and ensure continuity in both patient care and business operations.

You can see that more cyber attacks are coming. Comprehensive action must be taken now to reduce vulnerability, speed up the recovery process, and reduce harm to patients, physician practices, hospitals, pharmacies and other key players in healthcare. The AMA plays a key role in helping physicians maintain financial stability in response to change medical violations, and continues to advocate for viable solutions at all levels, providing multiple resources to enhance cybersecurity across physician practices and health systems.

Before the scope of the healthcare cybersecurity breaches became clear, the AMA strengthened our advocacy to ensure the delegation of stronger resilience requirements at all healthcare clearing houses and health plans and intermediaries. Clearinghouses like Change Healthcare Play direct the flow of medical claims and insurance payments throughout the healthcare system, so it cannot be overstated.

When changes to healthcare ransomware attacks defeated the nation's largest medical clearing house, the results were as devastating as far as it was. Changes to Healthcare, a unit of UnitedHealth Group, processed 15 billion transactions each year when targeted.

The fallout from the attacks has disrupted the practices of doctors around the country for months, both at operational and financial levels, earning its biggest economic hit. The AMA Physician Survey (PDF) conducted at the end of April 2024 revealed that almost two-thirds of respondents still use personal funds to cover their medical expenses. Still, doctors continued to put patients first. Only 15% said they had shortened their business hours due to the cyber attack.

The Healthcare Fiasco change clearly demonstrated the need to keep billions of dollars clearing houses and health plans at higher federal standards of cybersecurity. Hackers were able to paralyze a huge segment of the country's health care system simply by shutting down health changes, compromising the protected health information of 190 million Americans, and leveraging the lack of industry-standard multifactor authentication for legacy servers.

It simply isn't acceptable. The AMA believes that clearinghouses, health plans and their intermediaries should immediately implement a rigorous risk assessment process, including disaster mitigation, cyber incident recovery, and business continuity plans to support critical healthcare functions and systems resilience.

Healthcare's Change Cyber ​​Attack also highlighted the importance of increasing flexibility for doctors to switch clearing houses in the wake of the crisis. Although some practices were able to make such a switch last spring, many obstacles have stopped many other practices, including staffing time and cost, incompatibility of electronic health records or practice management systems, and contractual obligations. A standardized clearing house implementation process should be created that allows physician practices, especially small, independent practices, to allow for quick and efficient changes to other vendors, and to maintain smooth operation.

Finally, experiences of healthcare change clearly show the risk that concentration levels within healthcare continue to increase, particularly within health planning. The AMA promotes competition as the best path to reducing costs, improving outcomes and improving patient overall quality, whilst strongly advocating for reducing healthcare integration.

Last month, the U.S. Department of Justice announced in December 2023 that it would continue to use merger guidelines issued by its agencies and the Federal Trade Commission. These guidelines could result in more scrutiny of health and insurance mergers and could limit further integration.

As a powerful ally of physicians in patient care, AMA will respond quickly, mitigate fallout from Healthcare cyberattacks, and continue to provide advocacy and guidance, including an eight-part video training series available through AMA ED HUB™ (starting with “Episode 1: Cyber ​​Safety Is Patient Safety”). We continue to work to help physicians and healthcare systems take every step of the way to stop hacker incidents by ensuring that cybersecurity best practices are available at affordable prices.