MHA CEO Report — Cybersecurity Takes Center Stage

“There are only two types of companies: those that have been hacked, and those that will be.” – Robert Mueller

“Dear Health Care Leaders,

As you know, last month Change Healthcare was the target of a cyberattack that has had significant impacts on much of the nation’s health care system. The effects of this attack are far-reaching; Change Healthcare, owned by UnitedHealth Group (UHG), processes 15 billion health care transactions annually and is involved in one in every three patient records. The attack has impacted payments to hospitals, physicians, pharmacists, and other health care providers across the country. Many of these providers are concerned about their ability to offer care in the absence of timely payments, but providers persist despite the need for numerous onerous workarounds and cash flow uncertainty.”

So began a letter dated March 10 from Xavier Becerra, the Secretary of the U.S. Department of Health and Human Services (HHS), referencing what is emerging as one of the most extensive and impactful cyberattacks in U.S. history. The scrutiny directed at Change’s parent company UnitedHealth Group – from Congress, HHS, the media and others – is only just beginning, and there is no telling what sort of new regulations, penalties and associated policy change will be the end result. In the meantime, the MHA has stepped up to support our members by sharing as much information and intelligence as possible, and by advocating for flexibility and relief from both private payers and the state Medicaid program.

America’s hospitals are no strangers to external events creating seismic upheaval in our daily operations. Sometimes those events emanate from the world of public policy and politics, sometimes they come in the form of a localized natural disaster or tragic mass casualty event, and no one needs to be reminded of the impact of the global COVID-19 pandemic. But in the wake of the Change Healthcare crisis, there is no doubt cybersecurity now deserves to be on the top of the list of concerns for hospital leaders across the country, and right here in Michigan.

For some time now, the FBI has stated that healthcare organizations are the top target of cybercriminals across the globe, and these attacks have increased significantly in the last two years. Data sharing requirements in healthcare and the connectivity of health information – while well-intended – create many potential risks for cybercriminals to exploit. Hospitals take these attacks extremely seriously. They are threat-to-life crimes because of the impact they can have on patient safety and access to care, and are formally treated as such by the FBI.

Again, this is not a new issue. A year and a half ago, cybersecurity was the topic for my CEO Report, where we expressed the potential for cybercrimes to cripple an organization. At that time, we saw how multi-national organizations with U.S.-based operations were impacted when Ukrainian government and critical infrastructure organizations were victims of cyberattacks during the Russian invasion of Ukraine. Yet again, we saw how the breach of one organization can cause rippling consequences for an entire industry; one that accounts for 17.3% of our nation’s Gross Domestic Product.

This is why the MHA has been engaged on this topic for many years and goes to great lengths to assist our members. The MHA was closely involved in the creation of the Michigan Healthcare Security Operations Center (HSOC) to help monitor and react to cyber risks with participating member organizations. We also partner with MHA Service Corporation Endorsed Business Partner CyberForceQ, a leader in the field, to assist members who need cybersecurity assistance. For the first time, we also have our very own MHA Vice President and Chief Information Security Officer, Mike Nowak, who works closely with the HSOC, our member CISOs and our external partners in this space. And Jim Lee, our senior vice president, data policy & analytics, continues to lead our MHA Health Information Technology Strategy Council, which is providing meaningful insight on the impact of this latest attack.

It can take months for a third-party review to determine what information was breached and ultimately taken. But from the hospital perspective, it is clear the Change Healthcare cyberattack is yet another example of a breach that originates with an outside vendor, and those vendors are not always completely transparent and forthcoming with those organizations directly impacted by the breach. One thing we know for sure: our hospitals are victims in these situations and should be treated as such. We want to work with state and federal policymakers and regulatory agencies to prevent cyberattacks, and to root out and punish the criminals who perpetrate these crimes. We will be very concerned about any proposals that unfairly punish hospitals or create new barriers to our ability to provide timely access to quality care.

Our members are going to great lengths to mitigate potential risk. However, more can be done at a federal level to thwart bad actors. Hospitals and health systems are part of critical infrastructure, so our law enforcement agencies need the funding and staff to defend against cybercriminals. The American Hospital Association urged the government to use all diplomatic, financial, law enforcement, intelligence and military cyber capabilities to disrupt these criminal organizations, much like what was done in the global fight against terrorism in the wake of 9/11.

Thankfully, it appears our hospitals and health systems in Michigan have been able to manage this crisis better than counterparts in other states. The work of the MHA and our partners has helped make Michigan a leader in this space and to be prepared to respond to these situations. Our cybersecurity efforts are constantly at work, 24/7 year-round, mirroring the same cadence of our hospitals and their patient care. Yet the human component of healthcare is the most vulnerable. It only takes one individual failing to notice a phishing or social engineering attempt to cause yet another failure that can impact hundreds of organizations, thousands of healthcare workers and tens of thousands of patients. This is why we must remain constantly vigilant as the cyber threat landscape continues to grow.

As always, I welcome your thoughts.