Practice Management Alert

The cyberattack underscores the interconnectedness of U.S. healthcare.

The Blackcat cyberattack that hit Change Healthcare, a unit of UnitedHealth Group (UHG), in late February proved to be a crisis for many in the healthcare industry, including patients. As of publication, the cyberattack is still affecting the day-to-day workflow of many individual practices, as well as larger healthcare entities like hospital systems.

Weeks later, Change Healthcare and UHG are still working to get everything back on track, in terms of claims submissions and payment. Federal entities like the U.S. Department of Health and Human Services (HHS) are citing this catastrophe as an urgent reason to bolster cybersecurity across the entire U.S. healthcare ecosystem.

Revisit the Vocab

Change Healthcare is an insurance clearinghouse, which is a processing space for insurance claims submitted by providers to an insurance company (which may also be called a payer or a commercial carrier).

The cyberattack perpetuated was a Blackcat ransomware attack. According to an HHS presentation in January 2023, Blackcat ransomware was first detected in November 2021 and poses a triple extortion threat — ransomware, threat of leaking stolen data, and distributed denial of service attacks — that could make the healthcare industry especially vulnerable.

In the presentation, HHS quoted the Blackcat group, saying: “We do not attack state medical institutions, ambulances, hospitals. This rule does not apply to pharmaceutical companies, private clinics.”

The HHS added this addendum: “Many cybercriminal gangs have broken promises not to attack healthcare targets in the past.”

You can view the presentation here, www.hhs.gov/sites/default/files/royal-blackcat-ransomware-tlpclear.pdf.

Read the Fine Print

The extent of the fallout from the cyberattack is not yet known. The Centers for Medicare & Medicaid Services (CMS) and HHS have announced consideration of accelerated or advanced payments for Medicare Part A and Part B providers. The entities encouraged affected providers to either seek more information from their respective Medicare Administrative Contractors (MACs) or pursue the workarounds publicized by UHG and Optum Pay. In a March 8 press release, Catherine Howden, director of CMS News and Media Group, also noted that some Medicaid providers are impacted by the attack and subsequent freeze on payments, and that the agency is “working closely with states” and “are urging Medicaid managed care plans to make prospective payments to impacted providers, as well.”

The workarounds offered by UHG and Optum Health on behalf of Change Healthcare have raised some eyebrows.

Richard J. Pollack, president and CEO of the American Hospital Association (AHA), published a letter to Dirk McMahon, the president and COO of UnitedHealth Group, in which he pointed out that the workarounds offered are “expensive, time consuming and inefficient to implement” and “not universally available.” He also says that the Temporary Funding Assistance Program is available to a very small number of hospitals/health systems, and the fine-print terms and conditions required to partake are “shockingly onerous.” You can read the letter and AHA’s concerns here, www.aha.org/lettercomment/2024-03-04-aha-expresses-concerns-uhg-program-response-cyberattack-change-healthcare.

You can find UHG’s updates on their response to the cyberattack here, www.unitedhealthgroup.com/ns/changehealthcare.html.

Take Action Accordingly

The FBI, HHS, and Cybersecurity & Infrastructure Security Agency (CISA) recommended taking the following four steps today (and every day) to help protect your respective computer and IT systems from a ransomware attack:

1. “Routinely take inventory of assets and data to identify authorized and unauthorized devices and software.
2. “Prioritize remediation of known exploited vulnerabilities.
3. “Enable and enforce multifactor authentication with strong passwords.
4. “Close unused ports and remove applications not deemed necessary for day-to-day operations.”

The entities also recommend regular and continuing education and training for all staff members regarding the various types of threats and breaches that may occur via a cyberattack in a healthcare setting.

The need to bolster cybersecurity in the healthcare sector, as well as infrastructure systems involving pipeline, aviation, and rail systems, has been an increasingly urgent goal of the Biden-Harris administration HHS.

HHS notes that the Blackcat ransomware incident involving Change Healthcare demonstrates the interconnectedness of the U.S. healthcare “ecosystem,” and the need to boost resiliency across the entire industry.