After Change Healthcare massive cyberattack, lawmakers consider what comes next in cybersecurity

© Gary Blakeley - stock.adobe.com

After the Change Healthcare cyberattack, federal lawmakers are considering ways to bolster the online security of health care organizations.

The House of Representatives’ Energy and Commerce Committee’s Health Subcommittee in the April 16 convened the hearing, “Examining Health Sector Cybersecurity In The Wake Of The Change Healthcare Attack.”

Across the United States, health care organizations have invested attention, time and money, and lawmakers have passed legal requirements, all geared to bolster the computer networks that store data about patient health and how they pay for medical care. Health care organizations remain a target for computer thieves who steal information to use for deception, hold for ransom, or sell to other online scofflaws.

“Patient data is gold,” said Rep. Kim Schrier, MD (D-Washington). In a hearing lasting almost three hours, she and fellow lawmakers recounted widespread effects ranging from constituent experiences of patients not receiving adequate care, to physicians and hospitals scraping for adequate pay to keep the doors open.

Committee Ranking Member Rep. Frank Pallone (D-New Jersey) said one constituent was told by every pharmacy in his community that he had to pay up to $1,200 for a bundle of 600 glucose sticks to test his blood sugar, because no pharmacies could access his Medicare Part D benefits. Rep. Morgan Griffith (R-Virginia) described a constituent paying $1,100 out of pocket for medicine because her copay card would not work. Rep. Greg Pence (R-Indiana) noted a hospital in his Indiana district expected a delay of up to $60 million in revenue. In Ohio, the cost to all hospitals is estimated at $500 million, said Rep. Troy Balderson (R-Ohio).

Witnesses brought a number of suggestions on what to do next to avoid another major cyberattack, or at least lessen the effects when the next one comes.

How bad is it?

Adam Bruggeman, MD, MJHA, FAAOS, FAOA, outlined the billing process for physicians’ offices. When that process shut down due to the Change Healthcare cyberattack, his office had sufficient cash reserves to stay open, but still faced significant challenges.

Medical billing teams may be six to eight weeks behind, and while the process is coming back online, now some insurers are denying claim due to lack of timely filing, Bruggeman said. That in turn forces a burdensome appeals process.

“The attack has exposed the vulnerabilities in our health care system and the disproportionate burden placed on physician practices by insurers, government payers, and third-party vendors,” Bruggeman said.

Physicians may be liable for penalties for stolen patient data, an unacceptable business practice when the cyberattack was completely outside of their control, Bruggeman said.

Preparing for the hearing, the College of Healthcare Information Management Executives (CHIME) polled its membership and found 21% had not reconnected to any Change Healthcare services, said Scott MacLean, CHIME board chair and senior vice president and chief information officer of MedStar Health.

Members selected the top three among a dozen suggestions about federal support to bolster cybersecurity:

• Mandating compliance with best practices for payers and third-party (50%)
• Financial incentives or payments (46%)
• Designating health care major cyber incidents as a national emergency (38%)

Among the CHIME members, 85% experienced detrimental effects on claims; 81% had setbacks in reimbursement; 75% grappled with disruptions to revenue cycle; and 71% encountered issues with claims submissions.

Who wasn’t there

United Healthcare did not have anyone at the hearing, but they were represented when Subcommittee Ranking Member Rep. Anna Eshoo (D-California) read a Wall Street Journal headline from that day stating “UnitedHealth Stock Jumps After Earnings Beat Expectations, Despite Cyberattack.” As of yesterday, UnitedHealth’s first quarter results said: “Revenues of $99.8 Billion Grew Nearly $8 Billion Year Over Year.” Energy & Commerce Committee Chair Rep. Cathy McMorris Rodgers (R-Washington) noted the company recently briefed the committee and has committed to testify at a future hearing, and Eshoo said the CEO of UnitedHealth Care will “come in,” to speak to legislators.

Less clear was how the company’s computers were vulnerable.

“Change Healthcare has not provided any detailed reporting of all the vulnerabilities exploited during this cyberattack – and we believe that their reputational protection and legal liability positioning should not be prioritized over patient safety and the overall operational health of the nationally connected health care industry,” MacLean said.

Not a surprise

It’s been almost three years since a ransomware attack on Colonial Pipeline brought debilitating functionality and national attention to cybersecurity on vital infrastructure in the United States, said Rep. Jay Obernolte (R-California). No business should be surprised at this issue, so UnitedHealth’s slow restoration of services was unacceptable, he said. While not speaking for UnitedHealth, John Riggi, American Hospital Association (AHA) national adviser for cybersecurity and risk, said restoring computer services after a cyberattack can be a slow and methodical process. But he also noted UnitedHealth would be expected to use the most advanced, redundant, resilient technology to prevent an attack like this.

Consolidation as a vulnerability

Along with structures of computer networks, the representatives discussed structures of health care as a business.

Even on good days, there is evidence that consolidation and vertical integration lead to higher costs and lower quality for patients, Bruggeman said.

“Now we are also seeing how consolidating more of our health care spending around a single point of failure can make the situation more severe, more costly, and harder to fix when something goes wrong,” he said. “As more claims and more patient information continue to be funneled through a handful of large entities, the Federal Trade Commission will also need to look closely at whether vertical integration is making those entities a greater target for cyberattacks.”

He found agreement from some fellow physicians in Congress.

In 2022, the U.S. Department of Justice sued to block UnitedHealth’s acquisition of Change Healthcare on the basis of too much consolidation because the company would control more than half of American’s health insurance claims, Schrier said. “This attack suggests those concerns were valid,” she said.

Schrier, Pallone, Rep. Michael Burgess, MD (R-Texas), Rep. Larry Bucshon, MD (R-Indiana) all mentioned consolidation and vertical integrations as factors that create vulnerabilities in health care. Bucshon suggested the Federal Trade Commission examine health care consolidation, and Rep. Buddy Carter (R-Georgia), a career pharmacist, said that agency “more than any other agency has failed the American people by allowing this vertical integration to happen.”

Five-year plan

• As for future protections, the Healthcare and Public Health Sector Coordinating Council (HSCC) is an industry-led advisory council of health care organizations and government agencies. It has a five-year Health Industry Cybersecurity Strategic Plan, and industry and government need an all-hands-on-deck responsibility to implement it, said HSCC Executive Director Greg Garcia. He recommended five actions that could help:
• Perform a health infrastructure mapping and risk assessment.
• Assess consolidation proposals for mergers and acquisitions against their potential for increased cyber incident and impact risk.
• Hold third-party product and service providers and business associates to a higher standard of “secure by design and secure by default.”
• Invest in a government-industry rapid response capability.
• Invest in a cyber safety net for the nation’s underserved providers, built on accountability and incentives.

Hospitals’ perspective

Physicians, administrators and insurers now are working out disruptions in pay. The American Hospital Association (AHA) is urging payers to broadly adopt waivers of timely filing requirements for new claims and appeals of denied claims within a 45-day window of the Feb. 21 attack, Riggi said. Congressional action may be needed, but hospitals should not bear responsibility for insurers’ security breaches, and new security standards on hospitals would not have prevented the UnitedHealth attack, he said.

“The AHA opposes proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” Riggi said. “To make meaningful progress in the war on cybercrime, Congress and the Administration should focus on the entire health care sector and not just hospitals.”