Hard lessons learned from Change Healthcare breach

Last spring, a ransomware attack on the major payment clearinghouse had devastating consequences. We can stop similar fiascos in the future.

By Bruce A. Scott, MD, President

We improve the future by learning from past mistakes, and we ignore those lessons at our peril.

Just over a year ago, a devastating ransomware attack on Change Healthcare all but incapacitated our health care system. The attack and its fallout demonstrated the need to strengthen cybersecurity protections, provide much more robust risk assessment and disaster-recovery planning, and build greater redundancy and resiliency into health care systems to ensure continuity in both patient care and business operations. 

We can be certain that more cyberattacks are coming. We must take comprehensive action now to reduce our vulnerabilities, speed up the recovery process and mitigate the harm to patients, physician practices, hospitals, pharmacies and other key players in health care. The AMA played a vital role in helping physicians maintain financial stability in the wake of the Change Healthcare breach and continues to advocate at all levels for workable solutions while offering multiple resources to strengthen cybersecurity at physician practices and throughout our health system.

Well before the extent of the Change Healthcare cybersecurity breach became apparent, we at the AMA had stepped up our advocacy to secure mandates for stronger resiliency requirements at all health care clearinghouses, as well as at health plans and intermediaries. The importance of the role that clearinghouses like Change Healthcare play cannot be overstated, as they direct the flow of medical claims and insurance payments across the health care system.

When the Change Healthcare ransomware attack took down the nation’s largest medical clearinghouse, the consequences were as devastating as they were widespread. Change Healthcare, a unit of UnitedHealth Group, handled 15 billion transactions annually when it was targeted, or more than one-third of all health care claims. 

The fallout from the attack disrupted physician practices nationwide for months on both operational and financial levels, with smaller practices taking the biggest economic hit. An AMA physician survey (PDF) conducted at the end of April 2024 revealed that nearly two-thirds of respondents were still using personal funds to cover practice expenses. Even so, physicians continued to put patients first; only 15% said they had reduced their office hours in the wake of the cyberattack.

The Change Healthcare fiasco vividly demonstrated the need to hold multibillion-dollar clearinghouses and health plans to a higher federal standard of cybersecurity. Hackers were able to shut down Change Healthcare, compromise the protected health information of 190 million Americans, and paralyze huge segments of the nation’s health care system simply by exploiting a lack of industry-standard multifactor authentication on a legacy server.  

That is simply unacceptable. The AMA believes clearinghouses, health plans and their intermediaries should immediately undertake a rigorous risk-assessment process that encompasses disaster mitigation, cyber incident recovery, and business continuity planning to support the resilience of critical health care functions and systems. 

The Change Healthcare cyberattack also emphasized the importance of giving physicians greater flexibility to switch clearinghouses in the wake of a crisis. While some practices were able to make such a switch last spring, a whole host of obstacles—including staffing time and costs, electronic health record or practice management system incompatibility, and contractual obligations, among others—stopped many other practices from doing so. We need to create a standardized clearinghouse-enrollment process that would allow physician practices, particularly small independent practices, to change quickly and efficiently to another vendor and maintain smooth operations.

Finally, the Change Healthcare experience clearly shows the danger posed by ever-increasing levels of concentration within health care, particularly among health plans. The AMA remains a strong advocate of reducing consolidation in health care while encouraging greater competition as the best path toward cutting costs, improving outcomes, and boosting the overall quality of care patients receive. 

I was encouraged to learn that just last month, the U.S. Department of Justice announced it will continue to use the merger guidelines issued in December 2023 by that agency and the Federal Trade Commission. These guidelines have the potential to subject health-insurer mergers to greater scrutiny and potentially limit further consolidation.

As the physician’s powerful ally in patient care, the AMA responded quickly to mitigate fallout from the Change Healthcare cyberattack, and continues to provide advocacy and guidance, such as an eight-part video training series (start here with “Episode 1: Cyber Safety is Patient Safety”) that is available through the AMA Ed Hub™. We remain committed to helping physicians and health systems take every possible step to thwart hacker incidents by ensuring that cybersecurity best practices are both affordable and available. 
