The Biden administration and UnitedHealth are working to fix disabled billing systems following a cyberattack.

The Biden administration and UnitedHealth are working to fix disabled billing systems following a cyberattack.

Margaret Parsons, a dermatologist practicing at a firm of 20 individuals in Sacramento, California, is facing a predicament.

Since a Feb. 21 cyberattack

Parsons stated that due to a relatively unknown medical payment processing company, Change Healthcare, she and her colleagues have been unable to electronically invoice for their services.

According to her, Noridian Healthcare Solutions, the Medicare payment processor for California, has stopped accepting paper claims as of this week. She also estimated that paper claims typically take three to six months to be processed and result in payment.

the ,

A suspected cyber attack targeted Change Healthcare, a branch of UnitedHealth Group’s Optum division. This is believed to be the most significant and impactful event of its kind to hit the American healthcare system. Multiple medical practices, hospitals, and organizations have been affected.pharmacies

Difficulty in discovering solutions, the assault is revealing the health care system’s general susceptibility to unauthorized users, as well as weaknesses in the reaction of the Biden administration.

Currently, the government has primarily used voluntary standards to safeguard the networks of the healthcare system, according to Beau Woods, one of the co-founders of the cyber advocacy organization I Am The Cavalry. However, Woods stated that this approach of relying on voluntary actions is not effective and proposes that the federal government should allocate more funding and prioritize addressing this issue.

“Resolving the crisis will require a significant amount of time. According to John Riggi, the national advisor on cybersecurity for the hospital association, recovering from a Change attack and similar attacks on the healthcare system typically takes at least 30 days to restore core systems.”

On March 7th, UnitedHealth Group announced that two services, involving electronic payments and medical claims, will be reinstated later this month. The company advised their provider and payer clients to utilize the established workarounds until the systems are restored.

“We are fully committed to rectifying this as quickly as possible,” stated CEO Andrew Witty.

Both providers and patients are currently facing financial burdens. It is not uncommon to hear of individuals having to pay for necessary medications using their own money. Independent medical practices are particularly at risk.

An independent primary care physician on Long Island in New York, Stephen Sisselman, wondered how he could cover the costs of paying staff, supplies, and malpractice insurance without any revenue. He declared it to be an impossible task.

The chief revenue officer of the Jackson Health System, located in Miami-Dade County, Florida, Myriam Torres, stated that they could potentially lose up to $30 million in payments if the outage persists for a month. Certain insurance companies have proposed sending physical checks by mail.

Both UnitedHealth and the federal government have faced backlash from health providers, namely hospitals, regarding their respective relief initiatives. According to Sisselman, Optum offered his practice, which generates hundreds of thousands of dollars per month, a loan of only $540 per week. Other providers and hospitals spoken to by KFF Health News reported receiving similarly inadequate offers from the insurer.

On March 7, the company announced its intention to provide alternative financing choices for providers.

The government is being urged by providers to take action.

On March 5th, nearly two weeks following the initial report from Change about a cybersecurity issue, the Department of Health and Human Services declared various aid programs for healthcare providers.

One recommendation is for insurers to advance payments for Medicare claims — similar to a program that aided health systems early in the pandemic. But physicians and others are worried that would help only hospitals, not independent practices or providers.

Anders Gilberg, who works at the Medical Group Management Association, a group that represents medical practices, wrote a message on the social media platform X (formerly called Twitter) stating that the government should mandate that its contractors give physician practices the same opportunity to receive accelerated payments as hospitals are being given.

The HHS representative, Jeff Nesbit, acknowledged the consequences of the attack and stated that they are currently investigating their ability to aid these essential providers. They are also collaborating with states to assist in this effort. Nesbit also stated that Medicare is pressuring UnitedHealth Group to provide improved choices for temporary payments to providers.

The federal government suggests promoting the use of different vendors instead of Change among providers. Sisselman expressed his goal to begin submitting claims through a new vendor within 24 to 48 hours. However, this may not be feasible for all providers.

Torres stated that recommendations from UnitedHealth and regulatory agencies to have providers alter their clearinghouses, submit paper claims, or speed up payments are not beneficial.

“It’s highly impractical,” she stated regarding the suggestion. “If you have access to their claims processing tool, there’s no action you can take.”

The president of the Florida Hospital Association, Mary Mayhew, stated that her organization has developed complex systems that heavily rely on Change Healthcare. She explained that switching to a different process could take up to 90 days, during which they will experience a lack of cash flow. She emphasized that this process is not as simple as flipping a switch.

Nesbit recognized that changing clearinghouses is challenging, but he emphasized that the main focus should be on restoring the flow of claims. He also noted that Medicare has instructed its contractors and advised insurers to facilitate these transitions.

Healthcare authorities, such as state Medicaid directors, are urging the Biden administration to handle the Change attack with the same level of urgency as the pandemic. They view it as a critical danger to the healthcare system that requires exceptional adaptability from government insurance programs and regulators.

Providers and other individuals have expressed concerns about lacking essential details about the attack, despite the significant impact of financial issues. While UnitedHealth Group and the American Hospital Association have released information and held discussions about the incident, many still feel uninformed.

The AHA’s Riggi has requested additional information from UnitedHealth Group. He believes it is understandable for the company to keep certain information confidential, such as unverified data or to cooperate with law enforcement. However, hospitals are interested in the details of the breach in order to strengthen their own security measures.

He stated that there is a demand for more information within the sector, as organizations want to protect themselves.

Rumors have proliferated.

“It can be challenging: On any given day, you must carefully consider who to trust,” stated Saad Chaudhry, an executive at Luminis Health hospital system in Maryland, in an interview with KFF Health News. “Will you trust these deceitful individuals? Or will you trust the organization itself, which is heavily invested in maintaining a positive public image and has reasons to downplay this type of situation?”

What happens next?

According to Wired Magazine, an individual made a payment of $22 million in bitcoin to the ransomware group believed to be responsible for the attack. If this was indeed a ransom meant to resolve part of the breach, it is a huge profit for the hackers.

According to cybersecurity professionals, certain hospitals that have experienced breaches have been asked to pay ransoms ranging from $10,000 to $10 million. A significant sum paid to the hackers could encourage further attacks.

Josh Corman, a former federal cybersecurity official and co-founder of I Am The Cavalry, stated that where there is gold in the hills, there is a frenzy to find it.

Sanofi A

Over a longer period of time, this attack raises concerns about the strategies used by private companies and government regulators in the U.S. healthcare system to protect against cyber threats. These types of attacks have become more frequent, with criminals and hackers, potentially backed by governmental entities such as Russia or North Korea, causing disruptions to systems in organizations like the UK’s National Health Service and pharmaceutical companies like Merck and Sanofi.
numerous hospitals.

In 2023, the FBI disclosed 249 incidents of ransomware attacks targeting health care and public health agencies, however, Corman speculates that the actual number is greater.

However, cybersecurity experts have noted that federal efforts to safeguard the healthcare system are inconsistent and incomplete. Although it is currently unknown how the hacking of Change occurred, experts have cautioned that breaches can happen through something as simple as a phishing link in an email or through more complex methods. As a result, regulators must prioritize enhancing security measures for all types of products.

Efforts to repair these defenses have been sluggish, particularly when it comes to medical devices. These devices, which may have outdated software, pose a potential entry point for hackers to infiltrate hospital networks or cause malfunctions.

The FDA now has greater power to evaluate the cyber security of medical equipment and provide warnings regarding their safety. However, this does not guarantee that vulnerable machines will be removed from hospitals. Many products remain in use due to the high cost of removing or replacing them.

A spokesperson for Senator Mark Warner (D-Va.) stated that Warner had previously suggested a program similar to “Cash for Clunkers” in order to financially incentivize hospitals to improve the cybersecurity of their outdated medical devices. However, this proposal was not given serious consideration. Riggi believes that the effectiveness of such a program would depend on its execution.

The system has many vulnerabilities and policymakers may not initially recognize them. Even mundane components, like heating and air conditioning, can be hacked if they are connected to a hospital’s internet network, putting the institution at risk of a breach.

Implementing additional protective measures necessitates an increase in manpower and resources, which are frequently lacking. In 2017, Woods and Corman contributed to an HHS publication examining the level of digital preparedness within the healthcare industry. In the course of their investigation, they discovered that certain higher-income hospitals possessed a team of specialized IT professionals and ample resources to safeguard their networks, while the majority of hospitals lacked dedicated security personnel. Corman refers to these hospitals as being “highly vulnerable but at a disadvantage in the cyber realm.”

Riggi stated that the urge is present and they are aware of its significance, but the problem lies in the available resources.

The Department of Health and Human Services (HHS) has suggested implementing a mandatory level of cyber security measures for hospitals in order for them to be eligible for Medicare, which is a crucial source of income for the entire healthcare sector. However, Riggi states that the American Hospital Association (AHA) does not back this proposal.

He stated that we are against mandates without funding and we also disapprove of using a severe punishment.

This article was produced by KFF Health News, formerly known as Kaiser Health News (KHN), a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF — the independent source for health policy research, polling, and journalism. KFF Health News is the publisher of California Healthline, an editorially independent service of the California Health Care Foundation.

Source: cbsnews.com