How the Change cyberattack is affecting the healthcare industry

The cyberattack on Change Healthcare may go down as “the most significant cyberattack on the US healthcare system in American history,” according to trade group American Hospital Association—and one expert says it could take the healthcare industry years to recover.

Despite rumors that Change Healthcare paid a $22 million ransom after the February 21 attack, health systems and providers across the US are still crippled by the disruption. They’re unable to access patient insurance coverage, process prescriptions, or schedule appointments—standard processes that generate revenue.

Digital health risk assurance firm First Health Advisory estimated that the cyberattack is costing healthcare providers $100 million daily—and some healthcare executives have started to worry about covering basic operational costs.

“For smaller hospitals with less cash on hand, this is creating issues, but even for very large organizations, the disruption in revenue has the potential to disrupt payroll, supplies, contract work, and more,” Steve Cagle, CEO of healthcare security and risk management company Clearwater, told Healthcare Brew. “In other words, it continues to disrupt care delivery, putting patients and organizations at risk and costing many organizations financial harm.”

Cagle added that “we won’t know the full extent [of the cyberattack] for several months, likely even years.”

At least one healthcare facility has temporarily shuttered in part due to the attack. Bonamour Health Group, which owns the nursing home Jefferson Hills Healthcare and Rehabilitation Center in Pennsylvania, said in a statement that the home is closed for the time being because the cyberattack has affected its ability to maintain staffing levels, CBS News reported on Monday.

The American Medical Association (AMA) released a statement on Monday saying the attack “threatens the viability of many practices, particularly small practices and those in rural and underserved areas.”“This is an immense crisis demanding immediate attention,” Jesse Ehrenfeld, AMA’s president, said in the statement.

Moving forward

The US Department of Health and Human Services (HHS) released a statement on Tuesday detailing the steps it plans to take to help health systems and providers get through the cyberattack, like urging insurers to ease requirements that can slow down the billing process, including prior authorizations.

“This incident is a reminder of the interconnectedness of the domestic healthcare ecosystem and of the urgency of strengthening cybersecurity resiliency across the ecosystem,” the HHS said in the statement. “The system and the American people can ill afford further disruptions in care.”

The attack may prompt some positive change. Hospitals are likely to put much more time and energy into improving their cybersecurity measures, according to Carter Groome, CEO of First Health Advisory.

“In boardrooms across the US, from a healthcare perspective, cybersecurity now is on the agenda in every meeting [...] and it’s because of the loss of revenue or the potential loss of revenue as a result of the cyberattack,” he said.

Michael Bahar, colead of global cybersecurity and data privacy at law firm Eversheds Sutherland, said hospitals across the US should look at whether they rely too much on a single service provider to store their sensitive and confidential data.

“One thing that I suspect [is companies will] increase their resiliency and [do] things like risk assessments to strengthen their contractual requirements and cybersecurity with anyone they give their personal health information or other confidential information to—or otherwise rely upon,” Bahar said.

Cliff Steinhauer, director of information security and engagement at the nonprofit National Cybersecurity Alliance, said he’d like to see healthcare organizations that have suffered cyberattacks in the past share information so everyone can learn and improve their responses based on those experiences.

“If anything, this attack may be a wake-up call for smaller organizations that may not think they’re a target,” Steinhauer said. “The truth is, no system is completely secure [but] there’s certainly lots of things we can do to make them more secure.”