Dr. Margaret Parsons, one of three dermatologists at her 20-person practice in Sacramento, Calif., is in trouble.
Parsons said she and her colleagues have been unable to bill for services electronically since the Feb. 21 cyberattack on Change Healthcare, a previously unknown medical payment processing company.
She said she heard that Noridian Healthcare Solutions, California's Medicare payment processor, was not accepting paper claims as of earlier this week. And she estimates that paper bills can take three to six months to be paid.
“We're going to be in trouble very soon and it's very stressful,” she said in an interview with KFF Health News.
The hacked company handles “14 billion clinical, financial and operational transactions annually,” according to its website.
A spokesperson for the California Medical Association announced on March 7 that the Centers for Medicare and Medicaid Services agreed at a meeting to encourage payment processors like Noridian to accept paper claims. A Noridian spokesperson referred questions to CMS.
The American Hospital Association called the alleged ransomware attack on Change Healthcare, part of insurance giant UnitedHealth Group's Optum division, “the most significant and significant incident of its kind against the U.S. health care system in history.” While physician practices, hospital systems and pharmacies struggle to find workarounds, the attack exposes the health system's widespread vulnerabilities to hackers and the flaws in the Biden administration's response.
Until now, the government has relied on more voluntary standards to protect health system networks, said Beau Woods, co-founder of the cyber advocacy group I Am The Cavalry. But “the model of doing this purely voluntarily and out of your own good intentions is clearly not working,” he said. He said the federal government needs to put more money into the issue and focus more on it.
The crisis will take time to resolve. Comparing the Change attack to other attacks against parts of the health care system, “we found that it typically takes at least 30 days to restore critical systems,” said John Riggi, the hospital association's national advisor on cybersecurity.
UnitedHealth Group announced in a March 7 statement that two services related to electronic payments and medical billing will be restored by the end of the month. “While we are working to restore these systems, we strongly encourage our provider and payer customers to use the applicable workarounds we have established,” the company said.
“We are determined to resolve this issue as quickly as possible,” said CEO Andrew Witty.
Meanwhile, healthcare providers and patients are paying the price. Reports of people paying out of pocket to fill important prescriptions are common. Independent physician practices are particularly vulnerable.
“How can you pay for all of this, your staff, supplies, malpractice insurance, if you have no income?” says Dr. Steven Sisselman, an independent primary care physician on Long Island, New York. “That's impossible.”
Jackson Health System in Miami-Dade County, Florida, could miss up to $30 million in payments if the outage lasts a month, Chief Revenue Officer Miriam Torres said. Some insurance companies have offered to mail paper checks.
Relief programs announced by both UnitedHealth and the federal government have been criticized by health care providers, especially hospitals. Sisselman said Optum offered him a loan of $540 a week, although his clinic generates hundreds of thousands of dollars a month in revenue. Other health care providers and hospitals interviewed by KFF Health News said their offers from insurance companies were similarly meager.
The company said in a March 7 statement that it is offering new financing options to providers.
Providers put pressure on governments to act
On March 5, nearly two weeks after Change first reported what it initially called a cybersecurity “issue,” the Department of Health and Human Services announced several assistance programs for health care providers.
One recommendation is for insurance companies to prepay Medicare claims. This is similar to programs that supported health systems early in the pandemic. But doctors and others worry it will only help hospitals, not independent clinics and health care providers.
“This is a very important decision,” said Anders Gilberg, a lobbyist for the Medical Group Management Association, which represents physician practices. In a post on X, formerly known as Twitter, he said the government should “require contractors to extend the availability of early payments to physician practices in a similar way to that provided to hospitals.”
HHS spokesman Jeff Nesbitt said the government “recognizes the impact” of the attack and is “actively evaluating its authority to assist these critical providers at this time and will undertake similar efforts.” He added, “We are working with the state to achieve this.” He said Medicare is asking UnitedHealth Group to “offer better options for interim payments to providers.”
Another idea from the federal government is to encourage providers to switch vendors away from Change. Sisselman said he hopes to begin filing claims through the new vendor within 24 to 48 hours. But it's not a viable solution for everyone.
Torres said suggestions from UnitedHealth and regulators for providers to change clearinghouses, submit paper claims or speed up payments are unhelpful.
“It's very unrealistic,” she said of this advice. “If you have their claims processing tools, there’s nothing you can do.”
Mary Mayhew, president of the Florida Hospital Association, said her members rely on Change Healthcare to build a sophisticated system. The switchover process could take 90 days, during which time there would be no cash flow, she said. “It’s not like flipping a switch.”
Nesbitt acknowledged that switching clearinghouses would be difficult, “but the priority is to resume full billing flow.” Medicare has directed contractors and advised insurance companies to ease these changes, he added.
Health care leaders, including state Medicaid directors, are calling on the Biden administration to treat the Change attack like a pandemic. The threats to health care systems are so serious that they require extraordinary flexibility from government insurance programs and regulators.
Non-financial issues are important, but providers and other stakeholders say they lack basic information about this attack. UnitedHealth Group and the American Hospital Association spoke by phone and issued a release regarding the incident. Despite this, many still feel in the dark.
AHA's Riggi is seeking further information from UnitedHealth Group. He said it makes sense for the conglomerate to keep some information secure, such as information that is unverified or withheld to assist law enforcement. But he wants to know how the intrusion happened so hospitals can better protect themselves.
“The industry ultimately wants more information to protect its own organizations,” he said.
Rumors spread.
“It's going to be a little difficult. You always have to choose who you believe,” Saad Chaudhry, an executive at Maryland hospital system Luminis Health, told KFF Health News. “Do you believe these thieves? Do you believe the organization itself, which is all about their public image and has an incentive to minimize this kind of thing?”
What happens next?
Wired Magazine reported that someone paid $22 million in Bitcoin to the ransomware group believed to be behind the attack. If it was indeed a ransom aimed at resolving some aspect of the breach, it would be a jackpot for the hackers.
Cybersecurity experts say some affected hospitals face ransom demands as low as $10,000 and as high as $10 million. Big payments to the Change hackers could prompt further attacks.
“When there's gold in the mountains, there's a gold rush,” said Josh Corman, another co-founder of I Am The Cavalry and a former federal cybersecurity official.
In the long term, the attack raises questions about how the private companies that make up the U.S. health care system and the government that regulates them are defending against cyber threats. Attacks are frequent, with thieves and hackers believed to be sponsored or harbored by countries such as Russia and North Korea taking down systems at Britain's National Health Service, major pharmaceutical companies such as Merck, and numerous hospitals.
The FBI reported 249 ransomware attacks on medical and public health organizations in 2023, but Corman believes the number is much higher.
Cybersecurity experts say federal efforts to protect the health care system are patchy. It's not yet clear how Change was hacked, but experts warn that a breach can occur through phishing links in emails or more unusual channels. That means regulators will need to consider hardening all types of products.
Medical devices are one example of slow progress in repairing these defenses. Devices with outdated software can provide an avenue for hackers to infiltrate a hospital's network or simply degrade its functionality.
The FDA recently expanded its authority to evaluate the digital defenses of medical devices and issue safety notices regarding medical devices. But that doesn't mean vulnerable machines will be removed from hospitals. Products often remain in service because they are expensive to take out of service or replace.
Sen. Mark Warner (D-Va.) previously proposed a “cash for clunkers” type program that would pay hospitals to update the cybersecurity on older medical equipment, but “it was never seriously promoted,” Warner spokeswoman Rachel Cohen said. Riggi said such a program could make sense depending on how it is implemented.
Weaknesses in the system are widespread and often not immediately noticed by policymakers. Even something as mundane as a heating or air conditioning system can be hacked and compromised if it is connected to a hospital's internet network.
But building more defenses requires more people and resources, which are often unavailable. In 2017, Woods and Corman helped write an HHS report examining digital readiness in health care. As part of the study, it was found that some wealthy hospitals had the IT staff and resources to protect their systems, but the majority did not have dedicated security staff. Corman calls them “target rich but cyber poor.”
“The desire is there. They understand the importance,” Riggi said. “The problem is resources.”
HHS proposed requiring minimum cyber defenses for hospitals to participate in Medicare, an important source of revenue for the entire industry. But Riggi says the AHA won't support that.
“We oppose unfunded mandates and oppose the imposition of such harsh penalties,” he said.
KFF Health News is a national newsroom that produces in-depth journalism on health issues and is one of KFF's core operating programs and an independent source of health policy research, polling, and journalism.