Will the Change Healthcare Cyberattack Prompt a Federal Response?

The American Medical Association is urging the Health and Human Services Department to address the outage, including making money and resources available to affected providers

The ongoing cybersecurity incident involving Change Healthcare is prompting healthcare organizations across the country to take a closer look at how they’re protecting data and monitoring for intrusions.

The American Medical Association is now weighing in, with a letter to Health and Human Services Secretary Javier Becerra urging HHS to take action.

“As the situation continues to deteriorate and physicians await further guidance from Change Healthcare, we ask the Department to use all its available authorities to ensure that physician practices can continue to function, and patients can continue to receive the care that they need,” AMA CEO and EVP James Madara, MD, wrote.

The cyberattack on the IT business of UnitedHealth, which came to light roughly two weeks ago, has crippled operations at thousands of pharmacies across the country, and in doing so affected many more providers. Experts estimate the industry is losing more than $100 million a day due to the outage, which is rumored to have been a ransomware attack.

According to CNN, the affected network was still offline, though a Change Healthcare spokesman said many affected providers are using “alternative clearing houses” to submit claims.

“Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need,” Company Spokesman Tyler Mason said in an email to the network. “As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds.”

Nevertheless, many healthcare organizations are still struggling. According to the AMA, physician practices are dealing with five major concerns:

• Interruption of administrative and billing processes. Because of the attack, providers are unable to send claims, verify eligibility to confirm insurance coverage and benefit specifications, obtain prior authorization approvals, or receive electronic remittance advice. “A considerable proportion of revenue cycle processes have ground to a halt across practices,” Madara wrote. “Are there flexibilities that HHS can encourage health plans to provide to physician practices on meeting timely claim submission requirements?”
• Administrative burdens shifted to practices. Because of the outage, providers are taking on more data-entry tasks to submit claims through other portals and dealing with insurance carriers who might not accept paper claims. These workarounds are adding new burdens and costs onto already-pressured providers.
• “Significant” concerns over data privacy and security. The size and severity of the attack is leaving many in the healthcare industry worried about whether their cybersecurity measures would hold up to a similar attack.
• Uncertainly over when and how to re-establish connectivity to Change Healthcare. Many are also wondering how to determine whether Change Healthcare will be able to go back to business as usual. They’ll need assurances that this type of attack can’t happen again.
• Concerns over sustainability. Many providers affected by the outage haven’t been able to submit claims since February 21. Not everyone has found an effective workaround, and some may be in danger of shutting down operations.

In his letter, Madara urged HHS to use emergency funds and any other financial resources to help affected providers stay afloat.

“Given the severe impact of this cybersecurity incident thus far and the significant and continuing erosion of Medicare payment to physicians, the AMA is concerned about the undue financial hardships facing physician practices if this incident is not resolved quickly,” he said. “It is especially challenging financially at the beginning of the year since many practices do not carry over reserves. We are particularly concerned about small, safety net, rural, and other less-resourced practices that often serve underserved patient communities.”