At the end of February, Change Healthcare, a unit of UnitedHealth Group, was the victim of a cybersecurity incident, causing fallout across healthcare operations in the U.S. The attack disrupted billing and insurance, posing a direct threat to patient care and essential operations.
Disruptions from the attack have been felt across multiple levels of the healthcare system, with many practices taking a large financial hit. The delay in claims processing totaled more than $6.3 billion between Feb. 21 and March 9, among the more than 1,850 hospitals and 250,000 physician practices in one data set.
“What makes this different than previous healthcare attacks is the breadth of the industry that has been affected. Change Healthcare is one of the most widely used clearinghouse platforms in the U.S., so providers of all types and sizes have experienced disruption as a result of a single, targeted strike,” said Ky Chaffin, managing director of financial services, health systems at BOK Financial®. “The magnitude of the impact from this attack is immense. We are working with our provider clients in acute care, post-acute, long-term care and medical practices, in locations across the country, all of whom are dealing with some level of disruption.”
Many providers will continue feeling the impacts for months to come, said Robert Dudley, managing director of health systems at BOK Financial.
Healthcare providers are often a target of cyber criminals because of the personally identifiable information (PII) and personal health information (PHI) they hold. This data can often be sold on the black market to cyber criminals for a healthy profit, and its theft can also harm both providers and patients.
“Managing the timing of cash flows and maintaining adequate liquidity are constant challenges for most healthcare providers,” Chaffin said.
“Any disruption in the billing and collections cycle is felt almost immediately, so a prolonged delay of this nature can have devastating effects on these organizations and their ability to provide the care we all depend on.” - Ky Chaffin, managing director of financial services, health systems at BOK Financial
How to prepare your business for an attack
While the impact of a cyberattack may vary from business to business, one thing experts agree on is that preparation is the key to ensuring your company is armed with the protections it needs if a cyber event occurs. This includes ensuring your employees have the training they need to identify potential scams.
“The sensitivity of the data created and possessed by healthcare organizations, the highly technical and arcane nature of the payment system, and the critical nature of the services provided make the healthcare industry a valuable target for cyber criminals. It’s not a matter of if, but when, an attack will happen,” said Chaffin.
Here are five ways for you to protect and prepare your business, according to Dudley and Chaffin:
1. Engage in strategic risk mitigation. Start with a deep dive into the protections you have in place through a 360-degree cybersecurity assessment that takes a comprehensive look at your network environment and makes recommendations about ways you can enhance your security posture. The time to do this assessment is before an attack occurs, experts said.
“It’s not a good time for a 360 review when you’re already responding to an attack. Preparing in advance by engaging your IT teams and third-party consultants to assess and improve your security protocols is critical,” Chaffin explained.
2. Invest in cyber protections. Protect your organization by investing in enhanced spam filters to identify phishing, enabling multi-factor authentication across the organization, using artificial intelligence-driven monitoring for suspicious activity, building more business resiliency practices into your cybersecurity strategy and considering a partnership with an external managed detection and response (MDR) provider.
3. Ensure you have enough coverage. Cybersecurity insurance is one way to help your business mitigate losses from a variety of cyber-related incidents, including data breaches, business interruption and network damage. The goal of this type of insurance is to help your organization restore operations from data corruption or loss, as well as to safeguard your business assets from any potential lawsuits that may arise. Many policies also cover the cost of investigations into fault or brand management—but it’s critical to talk to insurance providers about what they deem necessary based on your organization’s needs.
4. Review your organization’s liquidity. It’s important to strike a balance between available cash on hand and the potential for accessing a line of credit, Dudley suggests. The Change Healthcare cyberattack highlights the necessity for organizations to have access to capital and the importance of business continuity planning for a healthcare provider.
5. Ensure redundancy around your organization. Part of being prepared for a potential cyberattack is having a disaster recovery plan in place, which accounts for redundancy in operations. In the event of a cyberattack or failure, redundancy allows your network to remain in service by providing alternative backup equipment so that you can continue to operate.
Chaffin suggests also looking at your options for redundancy in treasury and revenue cycle functions, in the event of a cyberattack that takes down your ability to process payment or issue payroll. “Redundancy ensures that if there are cyber issues on the provider side or the bank side, you have the ability to continue to operate,” he said.
The reality of cyberattacks of this nature is that they will continue to happen, Dudley said. As more is revealed about the attack on Change Healthcare, he said healthcare providers—and the industry at large—will be looking at crucial defenses and what the industry can learn from the situation.
“This feels like a watershed event,” Chaffin added. “It has highlighted a crucial weakness in the payment system and I sense a renewed motivation to strengthen the protections in place even further, which is critical as these attacks continue to happen.”