Cyberattack hits physicians hard, but industry stakeholders respond.
September 2024 – The Journal of Healthcare Contracting
On Feb. 21, a company many in the industry were not familiar with – Change Healthcare – experienced a cyberattack that critically impacted the U.S. healthcare system. At the time, the healthcare clearinghouse, touched one in three patient records and processed 15 billion healthcare transactions annually. Potentially devastating to many physician practices and their patients, the cyberattack provided distributors an opportunity to step in and help them weather the storm.
“Cyber incidents are the new normal,” says Ryan Hungate, DDS, MS, chief clinical officer, Henry Schein One.
“The numbers are increasing because of growing vulnerabilities in healthcare systems,” wrote the editors of The Lancet in late May. “Electronic health records, medical devices, laboratory services, pharmacies, clinical decision support systems and many more applications and services are digitally interconnected and used by many different users.
“Use of new digital technologies, such as mHealth, telehealth, and AI-supported diagnostic tools, accelerated during the COVID-19 pandemic and were added with little consideration of security issues. At the same time, many healthcare providers and services still use outdated technologies and software. This interconnectedness makes healthcare systems an easy target. Cybercriminals only need to find one weak entry point to paralyze the entire system.”
What is Change Healthcare?
For many physicians, hospitals, and health insurance companies, Change Healthcare serves as a clearinghouse through which eligibility inquiries are received and responded to, claims are submitted and processed, and remittance is sent back to the physician or health care provider, pointed out the American Medical Association in a May 1 statement to the U.S. Senate Committee on Finance, which was investigating the cyberattack. For some payers, Change Healthcare even handles claims payment.
“Change Healthcare also plays a primary role in communicating prescriptions to pharmacies and determining pharmacy, insurance and patient costs. It facilitates exchanges between physicians, hospitals and labs – including the ordering of labs and the sending of results. Change Healthcare supports the exchange of information related to prior authorizations and other utilization management requirements. And it has products and services that reach into practice management systems and electronic medical record systems for dozens of other practice management, clinical and revenue cycle purposes.”
Impact on physicians
In his statement to the Senate Committee, Anders Gilbert, senior vice president, government affairs for the Medical Group Management Association (MGMA), pointed out that MGMA members experienced myriad negative consequences following the cyberattack, including severe billing and cash flow disruptions, inability to submit claims, limited or no electronic remittance advice (ERA) from health plans, an inability to transmit electronic prescriptions, a lack of connectivity to data infrastructure, health information technology disruptions and more.
“Physician practices diligently instituted workarounds for various processes to remain operational, which required significant labor costs and time to institute, diverting critical resources from patient care. The lack of cash flow led to medical groups having to make difficult financial decisions as it was early in the year and practices already had limited working capital on hand due to tax considerations. Smaller practices were particularly
affected given their tight margins and had to utilize lines of credit with high interest rates just to keep their doors open.”
Even a month after the cyberattack, the American Medical Association reported its members were experiencing ongoing difficulties. An AMA survey showed that 90% of the surveyed physicians reported that they were still losing revenue from unpaid claims. More than one-quarter said that their practice revenue for the prior week was down by more than 70%, compared with an average week before the cyberattack. Among other findings:
- 85% continued to experience disruptions in claim payments.
- 79% still could not receive electronic remittance advice.
- 75% reported barriers with claim submission.
- 60% faced challenges in verifying patient eligibility.
In addition, 62% of respondents said they were still using personal funds to cover practice expenses and 34% were not able to make payroll.
From a fiscal perspective, the cyberattack affected stand-alone hospitals (i.e., those not part of a larger IDN), rural hospitals and physician offices that lacked the financial resources to weather the storm, says Tim House, national vice president of sales, Concordance Healthcare Solutions. “When a breach occurs, it can impact the ability to order product, pay for product and submit claims. The financial burden has a domino effect. But a strong relationship between the distributor and the care provider can help facilitate the continuity of care that the patient needs. During this breach we offered our support to multiple facilities, and that strengthened our relationships with them.”
Distributors respond
“Our two biggest concerns were helping make sure our customers could see patients during and after the cyberattack, and making sure they had enough money to keep their doors open,” says Dr. Hungate.
Henry Schein One was able to help customers transition quickly to alternate clearinghouses, he says. “For those who were more adversely affected we were able to facilitate financial assistance. It was a matter of letting them know ‘we’ve got you, here are the steps you need to take next, and here’s what you need to understand about how you may be affected in the weeks or months ahead.’” The company created dedicated websites with the latest news about the cyberattack. As helpful as these measures were, practices still had technological kinks to iron out, such as re-registering for electronic remittance advice.
Concordance was able to replicate orders from previous days’/weeks’ orders without the need for customers to submit a new order if their system became inoperable, says House. “Our system is smart enough to see patterns, provide predictability and demand forecasts so that we can meet their needs. We worked tirelessly in a manual setting to ensure we got product to their docks and ultimately to the patient.
“Another action that we took was to extend payment terms for some customers. One medium-size hospital in particular was very appreciative of those efforts, he says. “We extended DSO from 15 days to 180 days, which took the burden off their entire system, allowing them to pay their physicians and other past-due bills that were mission-critical.
“Our reps worked directly with customers to replicate orders that were in our system from prior weeks to ensure they had product on their docks,” says House. “We also leveraged our Surgence tool to look at proactive inventory reports and on-hand inventory.” (Concordance describes Surgence as a healthcare supply chain ecosystem that fully connects providers, distributors and suppliers by bringing visibility to supply and demand information.)
What happens next time?
“The cyberattack on Change Healthcare made it evident that there are significant vulnerabilities in our healthcare system, which must be addressed, especially as the threat of such attacks only continues to rise,” Gilbert told the Senate Finance Committee. “Moving forward, health plans, clearinghouses and other third-party vendors must have safeguards and contingency plans in place to better protect physician practices from cash flow and administrative impacts resulting from a cyber incident.
“Physician practices must continue to work to ensure they have adopted ironclad cybersecurity policies and procedures to best protect the data of their patients and their ability to provide high-quality care. When contemplating the fallout, we urge against establishing penalties, or conditioning relief funds, for medical groups in response to cyberattacks perpetuated against other healthcare actors. There are a multitude of security and data privacy regulations governing medical groups; introducing barriers to future relief would work against supporting medical groups’ ability to operate in the face of considerable interruption.”
Says Dr. Hungate, “Overall, to protect against future cyber incidents, it is important for the healthcare industry to continue to remain educated on, and aware of, cyber threats. Additionally, being resilient and having the ability to respond swiftly is critical. By fostering a culture of adaptability, and remaining vigilant, healthcare teams can mitigate risks and maintain trust in an evolving healthcare landscape.
“This incident affected basically every doctor in the United State. That forces all of us to ask, ‘What do we do next time?’ We will offer technology outreach and help our customers understand what they need to do to survive. Those customers who are most engaged with our reps come out on top of this.”