The recent (February 21, 2024) cyberattack on Change Healthcare has caused a shutdown of most of its operations.
Change is one of the biggest clearinghouses in the industry, and handles the routing of claims, remittance advices, eligibility, prescriptions, and prior authorization transactions throughout the United States. This shutdown impacted hospitals, physician offices, and other health plans that relied on Change to send and deliver transactions.
The immediate impact was the inability of pharmacies to get prescriptions approved and paid for, for hospitals and other providers to submit claims and get paid, and for other transactions to be concluded. The impact on patients and providers has been estimated in the hundreds of millions of dollars.
Some mitigation efforts were put in place by the Centers for Medicare & Medicaid Services (CMS) and others to allow for advance payments and loans to providers. Of course, all of these will have to be reconciled as the claims finally begin flowing again, as Change is beginning to get systems back online and process transactions.
The federal response has taken a few forms. The U.S. Department of Health and Human Services (HHS) is undertaking a HIPAA investigation to determine if any protected health data (PHI) has been exposed; and several congresspeople are looking at laws to strengthen healthcare security. However, the real work of this must be undertaken by entities themselves in strengthening their cybersecurity defenses and developing backup plans for situations like this.
America’s healthcare system has taken great strides in the last 20 years in implementing electronic transactions for the exchange of healthcare data and work continues to move forward in having clinical data become more available for exchange. However, this cybersecurity incident shows the fragility of the system, especially when a major player gets shut down.
To date, healthcare cybersecurity spending has not kept pace with other industries. It will have to be seen if this incident spurs further investment.
If not, the industry remains vulnerable.