Margaret Parsons, one of three dermatologists at a 20-person practice in Sacramento, California, is in a bind.
Since a Feb. 21 cyberattack on a previously obscure medical payment processing company, Change Healthcare, Parsons said, she and her colleagues haven鈥檛 been able to electronically bill for their services.
She heard , California鈥檚 Medicare payment processor, was not accepting paper claims as of earlier this week, she said. And paper claims can take 3-6 months to result in payment anyway, she estimated.
鈥淲e will be in trouble in very short order, and are very stressed,鈥 she said in an interview with 蘑菇影院 Health News.
A California Medical Association spokesperson said March 7 that the Centers for Medicare & Medicaid Services had agreed in a meeting to encourage payment processors like Noridian to accept paper claims. A Noridian spokesperson referred questions to CMS.
The American Hospital Association calls the suspected ransomware attack on Change Healthcare, a unit of insurance giant UnitedHealth Group鈥檚 Optum division, 鈥渢he most significant and consequential incident of its kind against the U.S. health care system in history.鈥 While doctors鈥 practices, hospital systems, and pharmacies struggle to find workarounds, the attack is exposing the health system鈥檚 broad vulnerability to hackers, as well as shortcomings in the Biden administration鈥檚 response.
To date, government has relied on more voluntary standards to protect the health care system鈥檚 networks, Beau Woods, a co-founder of the cyber advocacy group I Am The Cavalry, said. But 鈥渢he purely optional, do-this-out-of-the-goodness-of-your-heart model clearly is not working,鈥 he said. The federal government needs to devote greater funding, and more focus, to the problem, he said.
The crisis will take time to resolve. Comparing the Change attack to others against parts of the health care system, 鈥渨e have seen it generally takes a minimum of 30 days to restore core systems,鈥 said , the hospital association鈥檚 national adviser on cybersecurity.
In a March 7 statement, UnitedHealth Group said two services 鈥 related to electronic payments and medical claims 鈥 would be restored later in the month. 鈥淲hile we work to restore these systems, we strongly recommend our provider and payer clients use the applicable workarounds we have established,鈥 the company said.
鈥淲e鈥檙e determined to make this right as fast as possible,鈥 said company CEO Andrew Witty.
Providers and patients are meanwhile paying the price. Reports of people paying out-of-pocket to fill vital prescriptions have been common. Independent physician practices are particularly vulnerable.
鈥淗ow can you pay staff, supplies, malpractice insurance 鈥 all this 鈥 without revenue?鈥 said Stephen Sisselman, an independent primary care physician on Long Island in New York. 鈥淚t鈥檚 impossible.鈥
Jackson Health System, in Miami-Dade County, Florida, may miss out on as much as $30 million in payments if the outage lasts a month, said , its chief revenue officer. Some insurers have offered to mail paper checks.
Relief programs announced by have been criticized by health providers, especially hospitals. Sisselman said Optum offered his practice, which he said has revenue of hundreds of thousands of dollars a month, a loan of $540 a week. Other providers and hospitals interviewed by 蘑菇影院 Health News said their offers from the insurer were similarly paltry.
In its March 7 statement, the company said it would offer new financing options to providers.
Providers Pressure Government to Act
On March 5, almost two weeks after Change first reported what it initially called a cybersecurity 鈥渋ssue,鈥 the Health and Human Services Department announced several assistance programs for health providers.
One recommendation is for insurers to advance payments for Medicare claims 鈥 similar to a program that aided health systems early in the pandemic. But physicians and others are worried that would help only hospitals, not independent practices or providers.
, a lobbyist with the Medical Group Management Association, which represents physician practices, , formerly known as Twitter, that the government 鈥渕ust require its contractors to extend the availability of accelerated payments to physician practices in a similar manner to which they are being offered to hospitals.鈥
HHS spokesperson Jeff Nesbit said the administration 鈥渞ecognizes the impact鈥 of the attack and is 鈥渁ctively looking at their authority to help support these critical providers at this time and working with states to do the same.鈥 He said Medicare is pressing UnitedHealth Group to 鈥渙ffer better options for interim payments to providers.鈥
Another idea from the federal government is to encourage providers to switch vendors away from Change. Sisselman said he hoped to start submitting claims through a new vendor within 24 to 48 hours. But it鈥檚 not a practicable solution for everyone.
Torres said suggestions from UnitedHealth and regulators that providers change clearinghouses, file paper claims, or expedite payments are not helping.
鈥淚t鈥檚 highly unrealistic,鈥 she said of the advice. 鈥淚f you鈥檝e got their claims processing tool, there鈥檚 nothing you can do.鈥
, president of the Florida Hospital Association, said her members have built up sophisticated systems reliant on Change Healthcare. Switching processes could take 90 days 鈥 during which they鈥檒l be without cash flow, she said. 鈥淚t鈥檚 not like flipping a switch.鈥
Nesbit acknowledged switching clearinghouses is difficult, 鈥渂ut the first priority should be resuming full claims flow,鈥 he said. Medicare has directed its contractors and advised insurers to ease such changes, he added.
Health care leaders including state Medicaid directors have called on the Biden administration to treat the Change attack similarly to the pandemic 鈥 a threat to the health system so severe that it demands extraordinary flexibility on the part of government insurance programs and regulators.
Beyond the money matters 鈥 critical as they are 鈥 providers and others say they lack basic information about the attack. UnitedHealth Group and the American Hospital Association have held calls and published releases about the incident; nevertheless, many still feel they鈥檙e in the dark.
Riggi of the AHA wants more information from UnitedHealth Group. He said it鈥檚 reasonable for the conglomerate to keep some information closely held, for example if it鈥檚 not verified or to assist law enforcement. But hospitals would like to know how the breach was perpetrated so they can reinforce their own defenses.
鈥淭he sector is clamoring for more information, ultimately to protect their own organizations,鈥 he said.
Rumors have proliferated.
鈥淚t gets a little rough: Any given day you鈥檙e going to have to pick and choose who to believe,鈥 Saad Chaudhry, an executive at Maryland hospital system Luminis Health, told 蘑菇影院 Health News. 鈥淒o you believe these thieves? Do you believe the organization itself, that has everything riding on their public image, who have incentives to minimize this kind of thing?鈥
What Happens Next?
Wired Magazine reported that someone paid the ransomware gang believed to be behind the attack $22 million in bitcoin. If that was indeed a ransom intended to resolve some aspect of the breach, it鈥檚 a bonanza for hackers.
Cybersecurity experts say some hospitals that have suffered attacks have faced ransom demands for as little as $10,000 and as much as . A large payment to the Change hackers could incentivize more attacks.
鈥淲hen there鈥檚 gold in the hills, there鈥檚 a gold rush,鈥 said , another co-founder of I Am The Cavalry and a former federal cybersecurity official.
Longer-term, the attack intensifies questions about how the private companies that comprise the U.S. health system and the government that regulates them are defending against cyberthreats. Attacks have been common: Thieves and hackers, often believed to be sponsored or harbored by countries like Russia and North Korea, have knocked down systems in the United Kingdom鈥檚 National Health Service, pharma giants like Merck, and numerous hospitals.
The 249 ransomware attacks against health care and public health organizations in 2023, but Corman believes the number is higher.
But federal efforts to protect the health system are a patchwork, according to cybersecurity experts. While it鈥檚 not yet clear how Change was hacked, experts have warned a breach can occur through a phishing link in an email or more exotic pathways. That means regulators need to consider hardening all kinds of products.
One example of the slow-at-best efforts to mend these defenses concerns medical devices. Devices with outdated software could provide a pathway for hackers to get into a hospital network or simply degrade its functioning.
The FDA recently gained more authority to assess medical devices鈥 digital defenses and issue safety communications about them. But that doesn鈥檛 mean vulnerable machines will be removed from hospitals. Products often linger because they鈥檙e expensive to take out of service or replace.
Senator Mark Warner (D-Va.) has previously proposed a 鈥淐ash for Clunkers鈥-type program to pay hospitals to update the cybersecurity of their old medical devices, but it was 鈥渘ever seriously pursued,鈥 Warner spokesperson Rachel Cohen said. Riggi said such a program might make sense, depending on how it鈥檚 implemented.
Weaknesses in the system are widespread and often don鈥檛 occur to policymakers immediately. Even something as prosaic as a heating and air conditioning system can, if connected to a hospital鈥檚 internet network, be hacked and allow the institution to be breached.
But erecting more defenses requires more people and resources 鈥 which often aren鈥檛 available. In 2017, Woods and Corman assisted on an surveying the digital readiness of the health care sector. As part of their research, they found a slice of wealthier hospitals had the information technology staff and resources to defend their systems 鈥 but the vast majority had no dedicated security staff. Corman calls them 鈥渢arget-rich but cyber-poor.鈥
鈥淭he desire is there. They understand the importance,鈥 Riggi said. 鈥淭he issue is the resources.鈥
HHS has proposed requiring minimum cyberdefenses for hospitals to participate in Medicare, a vital source of revenue for the entire industry. But Riggi says the AHA won鈥檛 support it.
鈥淲e oppose unfunded mandates and oppose the use of such a harsh penalty,鈥 he said.
