By David Sampson, VP of Cyber Risk & Strategy, Thrive.
In February, hackers took Change Healthcare offline in one of the most high-profile and wide-reaching cyberattacks to date. Change Healthcare serves hundreds of thousands of providers in the U.S. and processes billions of transactions every year. With Change Healthcare’s systems compromised, cash stopped flowing for hospitals and physician offices everywhere. Providers couldn’t submit new claims, pharmacies couldn’t charge appropriately for prescriptions, and prior authorizations couldn’t go through for critical procedures.
Even after Change Healthcare’s parent entity, UnitedHealth Group, paid a $22 million ransom to the group behind the attack, there’s still risk that sensitive patient data could be leaked online. More importantly, the healthcare industry saw how a cyberattack on a third-party vendor could directly interfere with patient care.
Unfortunately, cyberattacks on the healthcare industry are growing – and, like the Change Healthcare attack, can wreak havoc on everyday operations and impact patient safety. However, if hospitals take the right precautions, they can mitigate these risks and better protect themselves from hackers, ransoms, and disruptions to business.
The Importance of Evaluating Third-party Vendor Risk
Healthcare organizations often rely on third-party vendors for various services. Delivering high-quality patient care is complicated in and of itself. Building an ecosystem that includes services and solutions like telemedicine, wearables, digital electronic medical records (EMRs), patient-centered mobile apps, and other cutting-edge innovations is impossible for smaller healthcare providers.
Many times, the best way to extend the range of services offered is to work with third-party vendors. The problem is this outsourcing expands the surface area of attack for cyber criminals. Every third-party vendor relationship comes with a new IT integration and potential entry point for hackers. In other words, more third-party vendors means increased organizational risk.
Healthcare leaders must recognize this tradeoff and think intentionally about how best to strike the balance between healthcare excellence and IT integrity. Before onboarding a new vendor, providers must conduct thorough audits, identify all vulnerabilities, and work constantly to ensure systems are integrated in a safe, secure, and resilient fashion. This is not a point-in-time exercise, but one that both healthcare providers and vendors have to engage in regularly to keep intruders away from sensitive patient data.
The U.S. Department of Health and Human Services (HHS) is aware that Change Healthcare – a unit of UnitedHealth Group (UHG) – was impacted by a cybersecurity incident in late February. HHS recognizes the impact this attack has had on health care operations across the country. HHS’ first priority is to help coordinate efforts to avoid disruptions to care throughout the health care system.
HHS is in regular contact with UHG leadership, state partners, and with numerous external stakeholders to better understand the nature of the impacts and to ensure the effectiveness of UHG’s response. HHS has made clear its expectation that UHG does everything in its power to ensure continuity of operations for all health care providers impacted and HHS appreciates UHG’s continuous efforts to do so. HHS is also leading interagency coordination of the Federal government’s related activities, including working closely with the Federal Bureau of Investigations (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the White House, and other agencies to provide credible, actionable threat intelligence to industry wherever possible.
HHS refers directly to UHG for updates on their incident response progress and recovery planning. However, numerous hospitals, doctors, pharmacies and other stakeholders have highlighted potential cash flow concerns to HHS stemming from an inability to submit claims and receive payments. HHS has heard these concerns and is taking direct action and working to support the important needs of the health care community.
Today, HHS is announcing immediate steps that the Centers for Medicare & Medicaid Services (CMS) is taking to assist providers to continue to serve patients. CMS will continue to communicate with the health care community and assist, as appropriate. Providers should continue to work with all their payers for the latest updates on how to receive timely payments.
Affected parties should be aware of the following flexibilities in place:
Medicare providers needing to change clearinghouses that they use for claims processing during these outages should contact their Medicare Administrative Contractor (MAC) to request a new electronic data interchange (EDI) enrollment for the switch. The MAC will provide instructions based on the specific request to expedite the new EDI enrollment. CMS has instructed the MACs to expedite this process and move all provider and facility requests into production and ready to bill claims quickly. CMS is strongly encouraging other payers, including state Medicaid and Children’s Health Insurance Program (CHIP) agencies and Medicaid and CHIP managed care plans, to waive or expedite solutions for this requirement.
CMS will issue guidance to Medicare Advantage (MA) organizations and Part D sponsors encouraging them to remove or relax prior authorization, other utilization management, and timely filing requirements during these system outages. CMS is also encouraging MA plans to offer advance funding to providers most affected by this cyberattack.
CMS strongly encourages Medicaid and CHIP managed care plans to adopt the same strategies of removing or relaxing prior authorization and utilization management requirements, and consider offering advance funding to providers, on behalf of Medicaid and CHIP managed care enrollees to the extent permitted by the State.
If Medicare providers are having trouble filing claims or other necessary notices or other submissions, they should contact their MAC for details on exceptions, waivers, or extensions, or contact CMS regarding quality reporting programs.
CMS has contacted all of the MACs to make sure they are prepared to accept paper claims from providers who need to file them. While we recognize that electronic billing is preferable for everyone, the MACs must accept paper submissions if a provider needs to file claims in that method.
CMS has also heard from providers about the availability of accelerated payments, like those issued during the COVID-19 pandemic. We understand that many payers are making funds available while billing systems are offline, and providers should take advantage of those opportunities. However, CMS recognizes that hospitals may face significant cash flow problems from the unusual circumstances impacting hospitals’ operations, and – during outages arising from this event – facilities may submit accelerated payment requests to their respective servicing MACs for individual consideration. We are working to provide additional information to the MACs about the specific items and information a provider’s request should contain. Specific information will be available from the MACs later this week.
This incident is a reminder of the interconnectedness of the domestic health care ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem. That’s why, in December 2023, HHS released a concept paper that outlines the Department’s cybersecurity strategy for the sector. The concept paper builds on the National Cybersecurity Strategy that President Biden released last year, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks. The paper details four pillars for action, including publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, increasing accountability within the health care sector, and enhancing coordination through a one-stop shop.
HHS will continue to communicate with the health care sector and encourage continued dialogue among affected parties. We will continue to communicate with UHG, closely monitor their ongoing response to this cyberattack, and promote transparent, robust response while working with the industry to close any gaps that remain.
HHS also takes this opportunity to encourage all providers, technology vendors, and members of the health care ecosystem to double down on cybersecurity, with urgency. The system and the American people can ill afford further disruptions in care. Please visit the HPH Cyber Performance Goals website for more details on steps to stay protected.
The HealthCare Executive Group (HCEG), in partnership with Change Healthcare, published the 9th Annual Industry Pulse Research Report. Up to 255 survey respondents, with more than 48 percent being vice presidents or higher in executive leadership, shared their insight on the critical issues, challenges and opportunities ranked by HCEG members on the 2019 HCEG Top 10 list last fall.
The confirmation of the HCEG Top 10 and more detailed insights from the Industry Pulse survey are an invaluable resource for healthcare executives within their own organizations. Healthcare leaders can use this report to engage their management in deeper and more constructive efforts to competitively position themselves in their marketplace and to develop more robust and effective strategic programs.
“We hope the 2019 Annual Industry Pulse Report spurs conversation and action for current stakeholders in adapting much faster to demands of a 21st century healthcare system,” said Ferris Taylor, executive director of HCEG. “If traditional stakeholders aren’t able to transform healthcare, outside parties will.”
Healthcare Amid Continued Uncertainty Reflected in HCEG Top 10 & Industry Pulse
External Market Disruption (#7) entered the HCEG Top 10 list for the first time and is confirmed by the Industry Pulse Report with 32.2 percent of respondents anticipating the greatest impact to be “disrupting current business models.” Whether or not external entrants find healthcare to be more complicated than they thought is yet to be seen.
Payment Reform/Value-Based Payments (#4) has been on the HCEG Top 10 list every year for the last decade. 63.6 percent of the Industry Pulse Report respondents expect it will be three years or more before payments contain both upside and downside risk.
Consumerism (#2), Mobile/Digital Health (#5) and member engagement have ranked high in the HCEG Top 10 for a number of years. This year’s Industry Pulse Report shows the tools and services being used to enhance member/patient engagement and the best approaches for addressing passive patients, such as incentives, health literacy and cost transparency tools.
The Data & Analytics (#1) to support multiple healthcare priorities is highlighted this year. Progress in how primary sources of clinical data and analytics have recently been impacting the efficiency and effectiveness of healthcare quality and outcomes are also suggested.
Population Health/Social Determinants of Health (SDoH) (#3) moved higher in the HCEG Top 10 as the industry transitioned from broad medical condition segments of the population to looking at what is called “barriers to better health.” Industry Pulse survey respondents shared how their organizations are integrating SDoH and which non-medical barriers to care their organizations will take action on in the next 12 months. Also noted are anticipated challenges to integrating SDoH into population and clinical care programs.
Privacy/cybersecurity (#10) wasn’t a significant HCEG issue until four or five years ago when a 100 million member records were breached. Industry Pulse indicates that efforts to address cybersecurity threats may be stalling and provides specifics as to reasons. Recently, Modern Healthcare reported that 2 million member records were compromised across 31 different breaches in February 2019 alone — a 500 percent increase over February 2018. This should alarm the industry and HCEG encourages everyone to look at the reasons shared as to why Cybersecurity initiatives are not a higher priority.