A number of Healthcare Labyrinth blog readers asked me if I would write on the Change Healthcare cyberattack and its implications. Below is what I have culled together over the past month and my thoughts about what happened and repercussions. I will attempt to write at a high level and not get too technical – in part because details are still scarce.
Overview of what happened
We are a month into the Change Healthcare cyberattack. On February 21, 2024, Change Healthcare reported that it was a victim of a cyberattack. It appears that the attack was a ransomware attack by the BlackCat organization and affiliates. It is known to target the healthcare industry. Change Healthcare may have paid a ransom of as much as $22 million, but this has not been confirmed. The attackers claimed about six terabytes of PHI and PII data were stolen (this could be tens of millions of Americans impacted). Change as of yet is still recovering and has not stood up alternative infrastructure for everything. It is making progress, but a lot remains offline.
Because of the major impact on the healthcare system as a whole and providers, United HealthGroup, its parent, has made as much as $3 billion in assistance available. The Centers for Medicare and Medicaid Services (CMS) is also paving the way for advanced payments and other assistance via the Medicare fee-for-service (FFS) and state Medicaid programs.
What is Change Healthcare
Change Healthcare evolved over time. It was bought by Optum, the service subsidiary of UnitedHealth Group, in late 2022 for about $13 billion. It has numerous technology and other assets, which touch almost every corner of the healthcare system. Change is one of the biggest clearinghouses out there, which moves claims from providers to plans and back. Without getting too much into specific products, here is a table that shows how far-reaching Change’s tentacles are and how the cyberattack impacted physician offices and other providers (over one million), dentists (tens of thousands), pharmacies (tens of thousands), health plans and third party administrators (about 2,500).
How far-reaching was the impact?
As can be seen above, the cyberattack impacted pharmacies and providers in a great way. Essentially, pharmacies and providers under contract with Change were unable to bill health plans or patients as electronic and other options were unavailable. At health plans, inbound claims from providers dried up if they were fully reliant on Change. Even big plans saw a large percentage reduction (e.g., 20%). One study of hospitals and providers concluded that claims dropped by about a third nationwide initially. The American Hospital Association reported that 94% of all hospitals were impacted. Change handles fifteen billion transactions and 1.5 trillion claims annually. An estimate suggests Change touches 1 in 3 patient records.
While health plans had numerous impacts, the financial impact was less given their size and financial resources. Providers generally may have cash on hand to function for no more 60 days, so the disruption for providers is huge. Smaller providers’ liquidity and financial stability are a big worry, especially as he fallout continues. One key point: Change is so far-reaching that the cyberattack and disruption of Change services is said to have cost providers between $500M and $1 billion in payments a day (admittedly it is hard to validate these numbers). At any rate, it will take a long time to catch up if all of the money can even be recovered.
What actually happened?
Details are sparse because Change has not been disclosive for a number of reasons, including the investigation and security. But most or all of Change’s technology systems were brought down via the ransomware attack. BlackCat accesses and compromises user and admin accounts in the Active Directory or related authentication system. The approach allows the cyberattacker to take advantage of any vulnerability it can locate throughout an ecosystem of the target organization, associated vendors, and even clients. If anyone has a vulnerability or fails to close a known one timely, the attackers get in. They then deploy ransomware to disable the systems. The entity impacted is asked to pay a ransom to have the systems re-enabled and to return any stolen information. That so many systems at Change were impacted makes sense as most or all of them may have used a common authentication system. That in and of itself could be a lesson learned here.
BlackCat is a Russian-speaking group but the Federal Bureau of Investigation (FBI) has yet to tie the group to Russia proper or the Russian government. BlackCat employs an affiliate model, where entities associate with BlackCat and use the ransomware software to penetrate organizations’ systems. The ransom is then shared between BlackCat and the affiliate. There is some reason to believe that BlackCat has gone dark over a disagreement with the affiliate over the Change attack. But it stands to reason that it will re-emerge. At the very least, cyberattacks and ransomware will not go away as the Change event shows how lucrative such attacks can be. The Change story is repeated each day in and out of healthcare.
Status
Change has been able to reintroduce some of its technology systems. Volume in some cases are returning to normal. In other cases, systems are not yet up or only partially restored. Reports suggest that the last major system will be up soon. But other reports suggest much more work needs to be done to restore all services. Some says only 20 services are back online and 100 more are still offline (Change appears to have prioritized the biggest volume services first.)
Health plans and providers have been looking to migrate many critical services from Change. The problem is that such standups can take months given the technical nature and integrations needed. Plans and providers have had to resort to manual and paper processes to survive as other electronic options are stood up. The administrative costs and impacts are huge. Some have successfully moved to other vendors, while others are relying on Change to get systems and operations back up.
Beyond the provider cashflow impact, the attack came at a bad time for health plans in terms of NCQA HEDIS quality reports due in early June. In the first part of the year, health plans usually are finalizing claims for the previous year and conducting manual chart reviews to ensure that quality measure compliance is as high as possible. Reports are that Change’s HEDIS technology systems were impacted at this critical point. It may lead CMS and state Medicaid agencies to give these plans more time to submit. Even with more time, measure rates could be impacted.
What will happen to Change and the healthcare system as whole?
Impact on Change Healthcare:
Change is being investigated by the federal government for the attack. The investigation could result in understanding whether Change had deficient technology security and/or lacked readiness to respond to the attack (from a business continuity and disaster recovery standpoint). Generally, it could mean plans and providers migrate away now and over time from Change. Does that mean Change ceases to exist? Maybe in name given the events. Its parent Optum is likely to change the name and rebrand it. The reality is that Change/Optum/United HealthGroup will maintain a major presence based on its sheer reach in healthcare. But the reputational impact, potential loss of revenue, potential fines, and lawsuit costs could be great. It could impact not just Change, but the wider Optum enterprise.
Review of consolidations and healthcare concentration:
It will lead to a reaction from lawmakers and regulators. Oftentimes, responses from politicians are over-reactions and over-reach. Maybe not here. There is growing concern about the massive consolidation occurring in the healthcare industry – whether health plans, provider organizations, hospitals, or providers/physicians becoming owned by hospitals and private equity firms. President Biden has a very active healthcare anti-trust agenda that will better scrutinize and challenge mergers, acquisitions, and consolidations. The Change event is sure to broaden what is looked at now, perhaps leading to examination or caps on how much of various parts of the healthcare infrastructure one firm owns. With the latest technology, you can no longer argue that only the big guys are reliable and can perform.
It may lead many to rethink whether the massive consolidation in healthcare is a good idea. That is fair. The massive consolidation has not led to a decrease in price. In many sectors price increases when there is consolidation. And there is good reason to think that quality suffers as well. Quality can mean outcomes from a health plan, hospital, or other provider. But it can also mean the overall efficiency and wherewithal of the system or aspects of the system. Change Healthcare’s impact could be an example of this latter point. I say “could” because we have to know more. Was Change really negligent in terms of protecting its services for clients and maintaining business continuity during the disaster? We don’t know if they were negligent, but some will argue their preparedness to ensure business continuity was just not there. (In fairness, others argue that if Change were still on its own, the fallout may have been worse because it would not have had a United behind it to help recover.)
One other point here: massive consolidation might actually be anti-innovation. As more and more is gobbled up by the biggest firms, they do not need to stay on the cutting edge, differentiate themselves, or be creative. Security and how technology are driven are two very important examples. As well, these major organizations do not really integrate the software (some of it admittedly good) they acquire and instead create a complex web of technology systems. This, too, leads to vulnerabilities.
Last, more in this case may not be better. It puts a cyber target on big firms’ backs as they have the wherewithal to pay a ransom.
Rethinking how legacy healthcare really is:
It will also lead many to rethink the legacy nature of some of our healthcare systems. What do I mean by legacy? Two things really. On one account many systems in healthcare are now legacy and the software and technology used to support it are more prone to outages, cyberattacks, and more. More broadly, our healthcare technology backbone is legacy. Yes, we may do electronic payments, tinker with artificial intelligence and machine learning, and things like that. But much of it is based on decades old, inefficient, and brittle technology. Refreshing technology in so many areas of healthcare is important to keep up with the times, be efficient, be responsive, and be secure. And big firms should not be permitted to “spaghetti together” solutions that create vulnerability and confusion.
Rethinking cyber preparedness:
The events, too, shine a light on our huge lack of preparedness for such cyber events. Ironically, the federal government is prioritizing interoperability. That is a good thing. But will it be safe and secure? Not only do we need to rethink and refresh technology in our overall system, but providers and health plans alike must take cyber security seriously. For many, it is an after-thought. Others simply do not have the technical expertise to ensure first-class security. Still others do not have the financial resources. The Change events seem to be leading to a national examination of cybersecurity. Federal dollars could be allocated. Requirements could be placed on providers and health plans alike. Certifications could be mandated.
And that would be a good thing.
Aiming for healthcare reform to reduce administrative costs:
And last, could this lead to an overall re-consideration of how to make our healthcare system much less administratively burdensome. We spend huge amounts each year on administrative costs. The Change systems are part of those costs and a lot of what they do is – well – wasteful in terms of the system as a whole. In my book, The Healthcare Labyrinth (available at this site), I have argued that the U.S. system would be smart to adopt uniform price setting throughout the nation (perhaps regionally). This would allow health plans to compete on quality and service, rather than investing so much in administrative costs due to disparate costs, different prices, and so on. Through such a system, admin costs would drop dramatically. We would have a cheaper and more rational system. This is how every other developed world does it regardless of the type of healthcare system they have.
And that would be a good thing, too.
#changehealthcare #cyberattacks #healthcare #healthcarereform
— Marc S. Ryan