On Feb. 21, Optum announced that its subsidiary, Change Healthcare, was the victim of a massive cyberattack. Change Healthcare is one of the largest clearinghouses for medical claims. Clearinghouses such as Change Healthcare serve an essential role in the health care revenue cycle management process. They ensure that medical claims are properly formatted to be received by each payer. Most insurance claims are submitted by doctors to commercial and government payers through a clearinghouse. Change Healthcare processes 1 in 3 patient records; about 15 billion health care transactions every year.
Physician practices and hospitals were immediately advised to disconnect from Optum to mitigate against future impact. While there was concern that the malicious actor could have access to all of its parent company, United Health Group’s (UHG’s) servers, Optum says it is confident that the attack was contained to Change Healthcare.
Due to the attack, Change Healthcare’s systems are still down, causing struggles for physician practices and hospitals filing claims, as well as for pharmacies processing prescriptions. As of this morning, the systems are down for a twelfth consecutive day. Practices are attempting to enact workarounds to keep their doors open and continue serving patients. Many physician groups are already struggling financially as a result of this cyberattack because these workarounds take time to solidify. Providers who use this clearinghouse will continue to face revenue cycle disruptions until a workaround is established or Change Healthcare is reconnected.
Change Healthcare cyber outage, an AMA dedicated webpage on this issue, will be updated as more information becomes available. UHG also has a website dedicated to the cyberattack.
OPTIONS
In addition, UHG created a temporary financial relief program that some physicians may qualify for. This program is intended to provide no-fee, no-interest financial assistance to providers who have experienced payment disruptions. This financial assistance will need to be repaid to UHG once connectivity is restored and things are back to normal.
According to the program description, providers must demonstrate payment disruptions to qualify. Optum says “For clarity, this is not a program for providers who have had claims submission disruptions but rather for those whose payment distribution has been impacted.” Providers must complete an eligibility form and the applicant must have an Optum Pay account.
UHG is warning providers to be wary of imposter financial assistance programs that are contacting medical practices in an attempt to scam them.
It could be weeks before this situation is resolved, and Change Healthcare is reconnected to the UHG network. As an interim step, UHG is working with other clearinghouses to identify alternative pathways for submitting claims. UHG expects to announce more details soon.
Cyberattacks such as this have rapidly become the norm in health care. In 2023 46 U.S. hospital systems suffered ransomware attacks impacting 141 hospitals, which caused system disruptions and loss of patient data. This is a growing problem that is only going to continue to get worse as cyber capabilities grow.
Allergists should consider establishing a line of credit for their offices if they don’t already have one. Disruption due to cyberattacks is part of the insurance package covering many practices; all practices should be aware of the terms of those coverages. If you have been affected by this attack, you should contact your insurance carrier. If this disruption continues much longer, you must consider the arduous process of changing to a new clearinghouse.
Various federal agencies play a role in strengthening the health care sector’s preparedness for cyberattacks. These agencies include the Cybersecurity and Infrastructure Security Agency (CISA), the HHS Office of Civil Rights, the Office of the National Coordinator for Health Information Technology, and the State Department. However, these organizations focus on preventing and responding to attacks. While sometimes agencies such as the Federal Bureau of Investigation help the compromised entity regain control of their systems, these agencies focus on preventing, responding, and recovering from an attack. They generally do not provide resources or relief for those impacted by an attack, especially those indirectly impacted (such as the physician practices and hospitals that use Change Healthcare).
The agencies noted above tend to more effectively establish guidelines designed to manage cybersecurity risk. For example, in mid-February, the National Institute for Standards and Technology released a special publication linking NIST’s Cybersecurity Framework to the HIPAA Security Rule. NIST’s Cybersecurity Framework takes an industry-neutral approach to cybersecurity risk management, but directly linking it to the HIPAA Security Rule goes a step further, providing health care information technology staff with the guidance necessary to offer the best data security. This helps protect sensitive personal health information while keeping hospitals and physician practices safe and operational.
The Change Healthcare cyberattack just marks the next chapter in cyberattacks on the health care sector. These kinds of attacks show no signs of slowing down, so health care organizations must take precautions to enhance their cybersecurity risk management.
ADDITIONAL RESOURCES
ACAAI offers several resources on cybersecurity and ransomware in our Risk and Compliance Toolkit. The toolkit was developed to keep your practice in compliance with federal regulations, reduce risk, and create a culture of safety. It includes the 2024 HHS cybersecurity performance goals – a roadmap of layers of protection that can prevent a breach should any single line of defense be compromised.
Also included in this toolkit is the AMA’s CME video training series “Cybersecurity for the Clinician,” which uses easy, nontechnical language to educate physicians about cyberattacks. The toolkit provides guidance on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) including HIPAA law security plan requirements and a Security Risk Assessment Tool. Additional resources about cybersecurity are included – check them out!
The Advocacy Council will continue to monitor this issue and its effects on allergy practices. We’ll advise our members as more information becomes available.
The Advocacy Council – ADVOCATING FOR ALLERGISTS AND THEIR PATIENTS.
