Episode 67: What We Can Learn from the Change Healthcare Cyber Attack
The recent cyberattack on Change Healthcare has sent shockwaves through the healthcare market, underscoring the critical importance of cybersecurity in the healthcare sector. This event not only disrupted the company’s operations but also had a cascading effect on physician practices and medical groups reliant on its services for billing, claims management, and healthcare IT solutions. It continues to cascade down to impact patients as well. The attack highlights the vulnerability of healthcare providers to cyber threats, which can lead to significant operational and financial repercussions.
Let’s understand some of the major effects of this particular cyberattack on the Healthcare Market and Physician Practices:
First and likely most concerning is the Disruption of Billing and Claims Processing. Many physician practices are experiencing delays in billing and claims processing, which is pivotal for maintaining cash flow. This disruption can lead to a backlog of unprocessed claims, affecting practices’ revenue cycles and cash flow.
Next are the Increased Operational Burdens: The need to manually manage tasks typically automated by Change Healthcare’s solutions has increased the operational load on staff, diverting resources from patient care and shifting them over to administrative tasks.
And, we cannot forget Patient Data Security Concerns: The cyberattack raises concerns about the security of patient data, potentially undermining patients’ trust in their healthcare providers’ ability to protect sensitive information, even though the breach was through no fault of the physicians or the medical group. As physicians are on the front line, and the nameless, faceless “clearing house” is nowhere to be seen, physicians and their staff get the brunt of patient concerns.
Next up are Compliance Risks: Healthcare providers may face challenges in maintaining compliance with health information privacy and security standards, such as HIPAA, due to disruptions in regular operations. Any time there is a disruption in normal workflows, this creates an opportunity for other breakdowns. And, this is happening inside of an industry that is already beleaguered by the pandemic.
Given the concerns about the financial impact of all of this, what are some Strategies for Medical Groups to Mitigate Impact on Cashflow?
First is to Diversify Billing and Claims Management Solutions. Avoid reliance on a single vendor for critical services. Having multiple systems in place, or a backup option, can ensure continuity in billing and claims processing. This seems odd to think about in terms of your clearing house, because, well, the clearing house just always works. Until it doesn’t. In the past, we haven’t really seen backup clearing house setups available on the market, but we will certainly see those after this event.
Second is to Enhance Cybersecurity Measures. Consider if it is time to step up your cybersecurity infrastructure and training for staff to recognize and prevent potential cyber threats. Regularly update systems and conduct security audits to identify vulnerabilities. It’s all part of doing business in the digital age.
Third is to Implement a Business Continuity Plan (BCP), also known as a Disaster Recovery Plan. If you don’t have a formal one, we strongly recommend that you develop and regularly update a BCP that includes procedures for maintaining operations during various types of disruptions, including cyberattacks. This plan should encompass data backup strategies, alternative communication methods, and contingency operational procedures.
Fourth is to Maintain an Emergency Fund: An accessible reserve of funds can help manage financial obligations during periods of disrupted cash flow, ensuring the practice can continue operating and paying staff. This may be additional capital that you’ve set aside, or it may be a Line of Credit facility that you have available with your bank. Either way, it should be sufficient to support your clinical operations for a minimum of three months in the event of a total disruption in your cash flow.
Lastly, it’s important at these times to Increase Communication with Patients: Keep patients informed about how their data is protected and what steps are being taken in response to the cyberattack. Transparent communication can help maintain trust and mitigate concerns.
The cyberattack on Change Healthcare serves as a potent reminder of the interconnectedness of modern healthcare and the need for robust cybersecurity measures. By taking proactive steps to diversify operational dependencies, enhance security, and prepare for emergencies, medical groups can better position themselves to withstand the financial and operational impacts of such incidents.
Medical groups are increasingly adopting innovative solutions to bolster their defenses against cyberattacks and ensure the continuity of their operations. These solutions not only aim to enhance cybersecurity but also to maintain operational efficiency and protect patient data integrity. Here are some of the cutting-edge strategies and technologies being employed:
Artificial Intelligence (AI) and Machine Learning (ML): AI and Machine Learning algorithms are being utilized to detect and respond to cyber threats in real-time. These technologies can analyze vast amounts of data to identify patterns indicative of a cyberattack, enabling quicker response times and minimizing potential damage.
Blockchain Technology: Some medical groups are exploring the use of blockchain technology to secure patient records. Blockchain’s decentralized nature makes it highly resistant to tampering, ensuring that patient data remains secure and immutable.
Cloud-Based Solutions: By adopting cloud-based healthcare solutions with robust security measures, medical groups can benefit from high-level encryption, regular security updates, and off-site data storage. This not only enhances data security but also ensures data is accessible even if the local systems are compromised. And you don’t need to worry about the security of those systems yourself; the cloud provider has responsibility for that.
Multi-Factor Authentication (MFA): Implementing MFA adds an additional layer of security, making it more challenging for unauthorized users to gain access to critical systems and sensitive information. And yes, the use of it sometimes causes me to have an eye roll too. Then we have an event like this cyberattack to remind us why it’s all important.
Cybersecurity Training for Staff: Recognizing that human error often creates vulnerabilities, medical groups are investing in regular, comprehensive cybersecurity training for all staff members. This training includes recognizing phishing attempts, managing passwords securely, and understanding the importance of regular software updates.
Incident Response Teams: Forming dedicated incident response teams equipped with the necessary tools and authority to act swiftly in the event of a cyberattack helps minimize downtime and financial impact. These teams are responsible for managing the response to cyber incidents, from identification to resolution and post-incident analysis.
Telehealth Security Enhancements: With the rise of telehealth, medical groups are implementing advanced encryption and secure communication channels to protect patient data during online consultations. This heightened awareness also helps in a situation like this one.
Regular Security Audits and Risk Assessments: Conducting regular audits and assessments of IT systems and processes helps identify potential vulnerabilities before they can be exploited by cybercriminals. This proactive approach is crucial in maintaining a strong security posture. Your IT partner can work with you on this to ensure that you’re investing appropriately (not too much and not too little) in your security assessments.
Data Backup and Recovery Plans: Ensuring that data is regularly backed up and that recovery plans are in place and tested can significantly reduce the impact of data loss or corruption due to a cyberattack.
By employing these innovative solutions, medical groups can not only mitigate the risks posed by cyberattacks but also enhance their overall operational resilience. I recognize that thinking about all of this can be overwhelming. My invitation to you is to select one or two areas to improve at your clinic. Once those are done, select one or two more. With this stepwise approach, you’ll be able to navigate the complexities of cybersecurity in today’s digital age, ensuring that you can remain focused on delivering high-quality patient care.
Join me for our next episode, when I talk with Debra Phairas of Practice Liability Consultants about all things having to do with your practice in transition, whether it’s a retirement, a sale, or adding a new partner.