Issues in healthcare cybersecurity revealed with the Change Healthcare cyberattack—here’s what you can do
In the aftermath of the cyberattack in February 2024 on Change Healthcare systems, which are part of UnitedHealth Group, medical providers are taking a look at their own cybersecurity. There are certain steps you must take for your practice, and some additional procedures that are worth considering.
Before we get to what you can do to better protect your patients and organization, here’s a quick recap of what happened and what’s being done about the Change Healthcare attack.
What happened to Optum’s systems?
This quote from Change Healthcare sums it up:
“Change Healthcare has experienced a cybersecurity issue, and we have multiple workarounds to ensure provider claims are addressed and people have access to the medications and care they need.”
The very same Change Healthcare that manages 50% of all health insurance claims in the U.S.
The impact of the cyberattack is widespread.
Physicians, hospitals, medical centers—no one is getting paid. There are issues billing patients and verifying coverage for care.
Some patients have been forced to delay procedures. Pharmacies are unable to fill medications.
“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO of UnitedHealth Group.
In an effort to help medical practices, UnitedHealth launched a temporary funding program for providers and processed a backlog of claims worth over $14 billion.
(Why there were that many claims backlogged is beyond me. Add that to the list of reasons providers are moving to the Direct Primary Care Model.)
…while UHC’s response is helpful (to a degree) for the immediate situation, what can you be doing for your practice’s long-term protection?
What does this mean for healthcare security?
If you don’t have systems and processes in place, you’re screwed!
If this is happening to the big guys, you need to evaluate if you are prepared.
(It’s worth noting that a whopping 83% of physicians told AMA researchers that their practices have experienced a cyberattack.)
This latest, massive cyberattack on UnitedHealth brings up questions to consider, including:
- Do you have cybersecurity?
- What protection do you have?
- What is your data security process?
Hurricane Katrina opened the Feds eyes to the need for risk assessment and process management. As a result, they’ve implemented one thing with the HIPAA Security Rule that you must do.
In addition, there are several smart steps you could take in an effort to shore up your cybersecurity.
What can you do to better protect your medical practice?
The biggest clearinghouse in the country and the biggest payers have been attacked—let’s protect you, your patients, and your practice.
You must address these areas of your healthcare practice:
You’re required to complete an Annual Security Risk Assessment.
If you haven’t implemented this yet, there’s absolutely no time to waste.
(This has to be completed before filing for the MIPS (Merit-based Incentive Payment System) at the end of the month.)
Additional best practices include:
- Multi-factor authentication
- Back everything up to the Cloud
- Create a disaster recovery protocol
- Keep paper copies available of all intake forms
- Have a couple days worth of schedules and patient records printed
- Ensure you have cybersecurity insurance coverage ($50,000 minimum)
This all boils down to: getting IT protection, having internal processes, & appropriately training staff.
What support is available for you?
I’m a physician advocate—I want you to be protected, find & fill the gaps, and have a thriving medical practice!
Services offered from CHCBC:
Evaluate and Assess
We take the temperature of where your practice is currently at. Then we fill gaps we find in processes and systems and take the time to train the staff with any updates.
Your practice and patients deserve to be safeguarded. But you don’t have to do it alone.
