How Can the U.S. Prevent Future Cyberattacks Like the One on Change Healthcare?

The federal government could be doing more to prevent cyberattacks like the one that happened to Change Healthcare, the UnitedHealth Group (UHG) subsidiary, a cybersecurity expert told MedPage Today.

Change Healthcare likely was performing the kind of “penetration tests” needed to help determine how vulnerable its system was to being hacked, but “I think we, as a nation, are doing a very poor job with regard to creating requirements for outside reporting” of those penetration tests to a government agency, said Jason Hogg, a former FBI special agent. “And I also believe … we should actually have an independent government agency, whether it’s under the Department of Homeland Security or some other agency, begin to do what they call ‘outside in’ testing,” in which government-employed hackers attempt to penetrate both a company’s software and their physical location in order to see if they can steal data.

Hogg, who is currently executive-in-residence at Great Hill Partners, an investment firm, spoke during a Zoom interview with a public relations person present. He was referring to the Feb. 21 cyberattack that affected the ability of Change Healthcare, a payment clearinghouse, to process claims sent by doctors, hospitals, pharmacies, and other healthcare providers to payers. The company handles up to one in three patient records in the country. The attack has resulted in payment delays and hampered operations for many Change customers.

On the administrative side, cyberattacks like this one “indicate the need to examine the role of these processors in the environment we are currently in,” said Jason Lucas, a principal at Avalere, a healthcare consulting firm.

“Originally, the business of clearinghouses and claims processing was very independent from healthcare payers,” and there were a lot more payers and claims processors, he said. “What we’ve seen over the last 20 years has been a consolidation of the actual number of payers, and we’ve also seen those payers go into the area of claims adjudication and claims processing.”

Currently, the two big players in claims processing clearinghouses are Change Healthcare and Availity, which is owned in part by insurers Humana and Elevance Health (formerly Anthem Blue Cross Blue Shield) with a minority stake held by the investment arm of drugmaker Novo Nordisk, said Lucas, who spoke during an online call at which a public relations person was present. He suggested that physician practices “probably need to take a close look at either having multiple clearinghouses they’re connected to, or [try to] understand the transition from one clearinghouse to another, and how to do that as part of a disaster recovery plan.”

The Biden administration has taken several actions to try to lessen the effects of the attack. On March 9, the Centers for Medicare & Medicaid Services (CMS) said in a fact sheet that the agency was “in frequent communication with UnitedHealth Group and Change/Optum and will continue to press them to swiftly communicate with the health care sector and to offer better options for interim payments to providers and suppliers to ensure continuity of operations for all health care providers and suppliers impacted by the incident. CMS is also meeting with private health care plans and is encouraging their continued efforts to help avoid further disruption to the health care sector.”

On the same day, CMS announced the availability of accelerated payments to Medicare Part A providers and advance payments to Medicare Part B suppliers experiencing claims disruptions as a result of the cyberattack.

“The … accelerated and advance payments may be granted in amounts representative of up to 30 days of claims payments to eligible providers and suppliers,” the agency noted. “The average 30-day payment is based on the total claims paid to the provider/supplier between August 1, 2023 and October 31, 2023, divided by three. These payments will be repaid through automatic recoupment from Medicare claims for a period of 90 days. A demand will be issued for any remaining balance on day 91 following the issuance of the accelerated or advance payment.”

In addition, the administration summoned UnitedHealth CEO Andrew Witty to the White House on March 12, where he and other leaders in the payer community were urged to make funds available to providers who weren’t getting paid because of the attack. “[HHS] Secretary [Xavier] Becerra and Domestic Policy Advisor [Neera] Tanden made clear the government and private sector must work together to help providers make payroll and deliver timely care to the American people and that insurers help providers in this moment of challenge,” HHS said in a press release after the meeting.

And on Wednesday, HHS’s Office for Civil Rights (OCR) opened an investigation into the cyberattack. The office said in a press release that because OCR is responsible for administering the privacy, security, and breach notification provisions in the Health Insurance Portability and Accountability Act (HIPAA), “given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA rules.”

Hogg agreed that an investigation was a good idea, but “it shouldn’t be about singling out [a particular company],” he said. “In the FBI, there’s a term — an ‘after action’ report, similar to [what’s done in] the military. The investigation is important, but it needs to be in the context of learning from what happens and then assessing what the exposure is to the industry, rather than singling out any one enterprise, and then putting a plan of action in place to address the vulnerabilities.”

Joyce Frieden oversees MedPage Today’s Washington coverage, including stories about Congress, the White House, the Supreme Court, healthcare trade associations, and federal agencies. She has 35 years of experience covering health policy.
