In the early morning hours of February 21st, Change Healthcare, a company unknown to most Americans but which plays a major role in the U.S. health care system, issued a short statement It said some applications were “currently unavailable.”
By afternoon, the company described the situation as a “cybersecurity” issue.
Since then, it has rapidly evolved into a crisis.
The company, which was recently acquired by insurance giant UnitedHealth Group, reportedly suffered a cyber attack. The impact is far-reaching and is expected to grow further. Change Healthcare’s business is to maintain the pipeline of care, including making payments and requesting medical approval from insurance companies.These pipes handle heavy loads: change stated on the website“Our cloud-based network supports 14 billion clinical, financial and operational transactions annually.”
Initial media reports focused on the impact on pharmacies, but engineers say that underestimates the problem.American Hospital Association many people say Some members don’t receive a paycheck, and doctors can’t confirm whether patients have health insurance.
Some medical facilities in Florida have reported problems with insurance payments and other aspects of their relationship with UnitedHealth.
But that’s only part of the emergency. commonwealOrganizations that help healthcare providers share medical records and information critical to care are also leveraging Change technology.system Records included Courtney Baker, Commonweal’s marketing manager, said the network was “disabled out of an abundance of caution.”
“This is a small ripple, and if it’s not resolved, it’s going to get bigger and bigger over time,” said Saad Chaudhry, chief digital and information officer at Maryland hospital system Luminis Health. told the news.
Here’s what you need to know about this hack.
Who did it?
Media reports have highlighted ALPHV, a notorious ransomware group also known as Blackcat, which has been targeted by numerous law enforcement agencies around the world. UnitedHealth Group said it was a “suspected nation-state-related” attack, but some outside analysts said challenge a connection. The gang is suspected of hacking numerous targets, including casino companies MGM and Caesars.
Ministry of Justice Accused in Decemberit turns out that before the Change hack, the group’s victims had already paid hundreds of millions of dollars in ransom.
Is this a new problem?
Absolutely not. According to a study published in JAMA Health Forum in December 2022, the annual number of ransomware attacks on hospitals and other healthcare providers is Doubling from 2016 to 2021.
“It’s pretty much the same,” said Aaron Milli, chief digital and information officer at Baptist Health in Jacksonville.
The attack disables the target’s computer system, forcing the provider to move to paper, slowing it down and making it vulnerable to missing information.
Additionally, a study published in JAMA Network Open in May 2023 examining the impact of attacks on healthcare systems found that wait times at local emergency departments, median length of stay, It was found that the number of patients being discharged from hospital was all increasing. result, written by the authormeaning that a cyberattack “should be considered a regional disaster.”
Miri said the attack had devastated local hospitals. And when healthcare workers take a hit, so do patient safety issues.
What does that mean for patients?
Every year, more Americans’ health data is compromised. This leaves people exposed to identity theft and medical errors.
Nursing care can also be a burden. For example, his 2017 attack called “NotPetya” rural hospitals in west virginia Restarting business deals a blow to pharmaceutical company Merck It’s very difficult Failed to meet HPV vaccine production targets.
The Change Healthcare attack could result in some patients being sent to new pharmacies that are less affected by billing issues. Patients’ bills could also be delayed, industry executives said. Many patients will likely receive a notification that their data has been breached at some point. Depending on the exact data stolen, these patients could be at risk of identity theft, Chaudhry said. In these situations, companies often offer free credit monitoring services.
“Patients are dying because of this,” Miri said.In fact, an October preprint by researchers at the University of Minnesota An increase of approximately 21% was observed. Mortality rate of patients in hospitals hit by ransomware.
How did it happen?
The Center for Health Information Sharing and Analysis, an industry coordinating group disseminating information about the attack, said: told the members This is most likely caused by a flaw in an application called ConnectWise ScreenConnect. Exact details could not be confirmed.
This is a tool used by technical support teams to remotely troubleshoot computer problems, and H-ISAC warned its members that the attack “appears to be fairly easy to pull off.” The group said it expected more victims and advised its members to update their technology. When the attack first occurred, AHA recommended a member Disconnect from the systems of both Change and its parent company, UnitedHealth’s Optum division. That could impact services ranging from claim approval to reference tools.
Millions of Americans see physicians and other practitioners employed by UnitedHealth and enroll in its insurance plans.
UnitedHealth said only Change’s systems are affected and that it is safe for hospitals to use other digital services provided by UnitedHealth and Optum, such as claims and processing systems.
But “not many chief information officers are looking to reconnect right away,” Chaudhry said. “It’s an uneasy feeling.”
Miri said Baptist uses the conglomerate’s technology and trusts UnitedHealth’s word that it is safe.
Where is the federal government?
Neither executive was optimistic about the future of cybersecurity in healthcare. “The situation will get even worse,” Chaudhry said.
“It’s unfortunate that the federal government isn’t providing more support,” Miri said. “If our nuclear infrastructure came under attack, you would think the federal government would respond more courageously.”
Although the Justice Department and the State Department have targeted the ALPHV group, the government has continued to operate behind the scenes after this attack. Chaudhry said the FBI and Department of Health and Human Services were on a conference call hosted by the AHA to brief members on the situation.
Miri said hospitals, especially in rural areas, could use more money for security, and agencies like the Food and Drug Administration should set mandatory standards for cybersecurity.
There is some recognition among officials that improvements are needed.
“This attack is further evidence that the status quo is not working, and we need to take steps to strengthen cybersecurity in the healthcare industry,” said Sen. Mark Warner (D-Va.), chairman of the Senate Select Committee. said. He is an information commissioner and long-time advocate for stronger cybersecurity, he said in a statement to KFF Health News.
KFF Health News is a national newsroom that produces in-depth journalism on health issues and is one of KFF’s core operating programs and an independent source of health policy research, polling and journalism.Click here for details KFF.
Copyright 2024 Health News Florida