This year's ransomware attack on Change Healthcare sent shockwaves through hospitals across the U.S., disrupting revenue cycle management, compromising data privacy, and threatening the financial stability of many healthcare providers already recovering from the pandemic's fiscal strain.
The attack caused an outage at Optum's Change Healthcare, immediately hampering hospitals that relied on the platform to process claims. However, restoring the system was only the first step; the incident continues to influence how healthcare organizations are planning for the future.
"This year's Change Healthcare breach served as a wake-up call for the entire industry and highlighted the growing vulnerability of health IT infrastructures," said Melissa Cohen, chief innovation and transformation officer at Ithaca, N.Y.-based Cayuga Health System. "The impact of these breaches goes beyond just data loss; there's a direct effect on patient care. The costs associated with these breaches, including regulatory penalties and recovery efforts, place a massive financial strain on healthcare systems already operating under tight margins."
Health systems are now reevaluating security measures and deploying advanced encryption, zero-trust frameworks and AI-based threat detection, said Ms. Cohen. But with the rapidly evolving cybersecurity landscape, hospitals at the cutting edge today can fall behind quickly.
"Phishing attempts, malware and data breaches that lead to the need to take down systems and force organizations to go backwards and revert to antiquated ways (downtime procedures) not only affect clinical care but affect the financial health of an organization," said Shelly Nash, DO, senior vice president and CMIO of Fresenius Medical Care. "We went through the Change Healthcare incident and then had more down-time from the CrowdStrike incident. Every healthcare organization needs to be diligent in the security of their own systems and training their users to be diligent, and also really understanding what measures every vendor or organization we connect to or work with is doing to ensure our systems are safe, secure and functional."
Balaji Raman, director of financial IT systems at Catholic Health Services of Long Island in New York, said the Change Healthcare outage delayed billing and revenue processes as well as threatened patient care because the flow of essential information about the patient halted. He cautioned against over-reliance on digital solutions to avoid big losses when patient data is compromised.
"The rapid adoption of new technologies, often without sufficient security measures, exacerbates these threats," Mr. Raman said. "It's essential for healthcare organizations to prioritize robust cybersecurity and system reliance strategies, including continuous monitoring, staff training and investment in advanced security tools to protect both their patients and their revenue streams."
Health systems across the U.S. are taking similar action and making additional IT and cybersecurity investments this year. KLAS and Bain & Co. conducted a survey of 150 healthcare providers and payers, finding around 70% of the providers were affected by the Change Healthcare cybersecurity incident, which prompted them to:
- Audit internal systems: 44%
- Audit current vendors: 43%
- Up cybersecurity software spend: 38%
- Boost cybersecurity professional and managed services spend: 19%
"While cybersecurity was already top of mind for most organizations, they are allocating greater efforts and spending to this area, including auditing internal systems and third-party solutions and building redundancy to mitigate future risks," states the report, which was released Sept. 17. KLAS and Bain & Co., noted the incident also sparked several boards "to review single points of vulnerability within the IT stack, with organizations allocating a budget toward developing greater redundancy around critical systems."
Patient data was stolen during the ransomware attack, and the hackers posted some files online. The Change Healthcare breach underscored the importance of secure interoperability, which is still elusive for many organizations. Privacy violations and operational disruptions that come from inconsistent data exchange practices remain a threat to health systems, said Babatope Fatuyi, MD, CMIO of UTHealth Houston.
"The evolving regulatory landscape around data access adds complexity, making it difficult for healthcare institutions to navigate compliance confidentially," said Dr. Fatuyi.
Health systems can mitigate the threats by ensuring data exchange is secure, transparent and aligned with patient care needs. But that's easier said than done, especially if the EHR isn't fully interoperable.
"The ongoing tension between major EHR systems and the vulnerabilities exposed by breaches, like the one at Change Healthcare, also threatens to fragment interoperability landscape, potentially leading to silos that hinder seamless patient care," said Dr. Fatuyi. "For UTHealth Houston, staying ahead of these challenges requires robust governance, proactive compliance strategies and a focus on maintaining trust and transparency in all data exchanges."