Congress Asks How to Prevent Another Change Healthcare Crisis

After a ransomware attack recently caused major issues for medical providers as well as their patients, lawmakers are looking for policy moves that can protect against a repeat.

A ransomware attack recently downed Change Healthcare and caused devastating problems for patients and health-care practitioners alike. Now, Congress is looking for policy solutions that would make future cyber attacks on health care less catastrophic.

With this goal in mind, lawmakers in the U.S. House asked health-care representatives this week for their opinions. And, indeed, the impacts of the Change Healthcare attack have been hard felt. In one example, a diabetic patient faced the choice of paying $1,200 out of pocket — or going without medical supplies that could risk life-threatening complications, said U.S. Rep. Frank Pallone during a House hearing this week.

Texas-based orthopedic surgeon Adam Bruggeman said his practice stopped receiving information from insurers needed to determine if patients’ bills were paid. Patients have also been receiving erroneous bills, and staff members were forced to resort to time-consuming reconciliation practices, some of which required at least 20 minutes per payment, he said.

Submitting paper claims also means less time to see patients, said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association. One hospital spent an entire day manually filing a 600-page claim for a single patient, he said.

The financial impact of this is severe, because the average physician practice has between a few weeks and one month of cash on hand, Bruggeman said. With revenue cut off by the cyber attack, more than half of physicians turned to personal funds to cover their expenses, an American Medical Association survey found.

Change Healthcare’s restoration didn't fix all the fallout, either. Some insurers have rejected overdue claims that practices couldn’t file on time, Bruggeman said. Due to the incident, some practices ran out of money and had to sell to avoid shuttering — sometimes with Change’s parent company swooping in to snap them up.

On top of that, stolen health-care information is now being leaked on the dark web.

So, how did it get this bad?

Change was “the victim of the most significant cyber attack on the U.S. health-care sector in history,” Riggi said. Its dominant role in the sector made for a wide blast radius — even hospitals without direct connections to Change were affected because their partners used it. Change now says it touches a third of all patient records in the U.S.

Going forward, one organization should not be allowed to become a “single point of failure” for an entire sector, said Greg Garcia, executive director for cybersecurity at the Healthcare Sector Coordinating Council.

When the government weighs health-care sector merger and acquisition requests in the future, it must consider whether the proposed consolidation would leave the sector with fewer redundancies and so enable a cyber attack with catastrophic impacts. Mapping the health sector’s infrastructure would help highlight areas of concern, so government could better make such evaluations.

Meanwhile, health-care cybersecurity risks are growing. Medical IoT continues to proliferate, and there is also a shift toward value-based care instead of fee-for-service care, which means collecting more information.

Third-party providers can be major threat vectors. Riggi said 95 percent of 2023’s largest health-care data breaches involved “business associates and other nonhospital health-care entities.” He urged providers of health-care technology to make their offerings secure by design and by default. Rep. Michael Burgess noted that the Patch Act now requires companies manufacturing Internet-connected medical devices to have certain cybersecurity controls in place, prior to receiving U.S. Food and Drug Administration approval to go to market. Burgess suggested building on such policies.

Simultaneously, health-care organizations need to have tight cybersecurity. Sector-specific best practices exist but need greater adoption; efforts to raise awareness and provide funding could help, Garcia said. The Healthcare Sector Coordinating Council released recommendations in 2019 with a five-year strategic plan, and the Department of Health and Human Services also released a voluntary four-step plan for strengthening health-care cybersecurity in 2023.

But limited time and money can prevent some practices from doing more. Riggi said changing the picture would take significant spending from the federal government. Still, Garcia praised one federal plan to give high-need hospitals financial help toward reaching a cybersecurity baseline.

The federal government also needs to be able to rapidly respond to systemic cyber attacks, just as the Federal Emergency Management Agency responds to natural disasters, said Scott MacLean, the College of Healthcare Information Management Executives board chair.

That disaster response should include declaring a national cyber emergency, quickly delivering financial support, temporarily suspending regulatory speedbumps, and activating a catastrophic national cyber insurance that supplements private insurance, as well as deploying mobile health-care services that could serve those in greatest need, Garcia said.

Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.