Change Healthcare Attack Fueling 'Year of Chaos' for Hospital CEOs

The cyberattack is the latest event to force leaders to alter their approach.

Hospital and health systems have been going through the wringer for a few years now. The last thing CEOs needed on their plate was a cyberattack at the scale and magnitude of the one Change Healthcare suffered.

And yet, what is being called “the most significant cyberattack on the U.S. healthcare system in American history” is now the latest event in a series of twists and turns to send a shiver down hospital leaders’ spines and have them rethinking their strategies.

“Cybersecurity issues are just added icing on the cake,” Matt Heywood, CEO of Aspirus Health, told HealthLeaders.

The financial implications have been massive.

Change Healthcare processes 15 billion transactions annually and the lost payments from the attack are draining hospitals by the day. According to a survey by the American Hospital Association that collected responses from nearly 1,000 hospitals, 94% of operators are reporting financial impact, with more than half reporting “significant or serious” impact. Of the 82% of hospitals reporting impacts on their cash flow, nearly 60% report that the impacts to revenue is $1 million per day or greater.

It's never a good time for hospitals to be losing money, but the cyberattack has exacerbated the multiple financial challenges many operators have already been fighting. It’s creating somewhat of a perfect storm, Heywood stated.

“I coined that 2024 is going to be ‘the year of chaos.’ What I mean by that is you're going to have organizations that have had two to three years of financial issues really start struggle,” he said.

“You're going to have some of these issues with the for profits and hedge funds because the easy money is going away. And as that easy money goes away, the structures of some of those deals are not viable anymore. So you're seeing a lot of clean up and a lot of turmoil in 2024 and you're going to see it carry on in probably 2025, if not a little further out.”

The future is now

If there were any CEOs on the fence about investing in technology, especially on the cybersecurity and IT side, the Change Healthcare situation should have plenty reconsidering their stance.

When something is affecting the bottom line so drastically, hospital decision-makers have no choice but to re-strategize with the aim of both preventing future attacks and steadying the ship when it inevitably does occur.

“Hopefully it gets a lot of CEOs’ attention because they need to cross their T's and dot their I’s, close loopholes in their systems, and upgrade systems,” Ben Wobker, founder and CEO of Lake Washington Physical Therapy, told HealthLeaders. “It sounds like that's going to be the case here according to the headlines, but then again, you have to have that allocation of security spend and technology spend and make that a bigger budget line item.”

The AHA survey found that most hospitals are implementing workarounds to deal with the cyberattack, but those solutions are labor intensive and costly. Healthcare, as an industry, is known to be slow in implementing new technology, but with the rate tech is growing at, hospitals may not have much of a choice anymore for slow playing it.

Investment, of course, requires money and resources. That’s why Heywood believes it’s as important as ever to ensure you have some financial wiggle room to not only spend on technology, but to potentially throw capital at whatever is around the corner.

“You have to have a strong balance sheet,” he said. “You have to have cash on hand to be able to weather some of these storms that are coming. You're going to need to be in in this tight environment. You're going to need to be willing to spend money on cybersecurity and your IT. If you're already financially challenged, you do not want to be cutting your IT, your security, because that only further puts you in a bind.”

When it comes to dealing with the fallout of a cyberattack, however, technology is only one part of the equation.

You’re only as good as the systems you have in place and those systems aren’t immune to failure, Wobker noted. Updating and refreshing hardware and software should be the first step, but there also needs to be contingency plans in place to go offline.

Straying too far from traditional methods isn’t the answer either, according to Heywood.

“Now if you ask people to go back to paper, it's like, ‘Oh my gosh, I'm back in the stone age,’ he said. “So you have to have preparations to go back to paper in order to be able to get through a down time and you have to have backup systems so you could shut something down and turn it back on.”

There are few positives in the Change Healthcare attack, but the one silver lining may be the lessons that CEOs are forced to take away from it.

Whether it’s another cyberattack, pandemic, or anything else, those lessons should have hospitals better prepared for whatever is next.