Publication
Article
Pharmacy Times
Legislative efforts regarding cybersecurity are ongoing, but individuals and organizations should remain vigilant.
On February 21, 2024, ransomware was deployed into the Change Healthcare (CHC) computer system. Once it was discovered, CHC immediately disconnected its systems to prevent further spread. As a result, hospitals, physicians’ offices, and pharmacies could not process claims, leaving many patients without access to care.1 More than 90% of the nation’s 70,000 pharmacies were required to implement electronic work-arounds, whereas the remaining 10% used offline methods.2
Image credit: Negro Elkha | stock.adobe.com
According to an American Hospital Association survey conducted in March 2024, 94% of hospitals reported financial impact, with approximately 60% reporting a daily loss of at least $1 million due to the incident. Although many hospitals could implement work-arounds, the majority found the process difficult and expensive.3
Josephine M. Gresko is a PharmD candidate at the Virginia Commonwealth University School of Pharmacy in Richmond.
Joseph L. Fink III, JD, DSc (Hon), BSPharm, FAPhA, is professor emeritus of pharmacy law and policy as well as former Kentucky Pharmacists Association Professor of Leadership at the University of Kentucky College of Pharmacy in Lexington.
CHC is a medical billing clearinghouse responsible for 15 billion medical claims annually, or approximately 40% of all claims. It was acquired in 2022 and merged with Optum as a subsidiary of UnitedHealth Group. CHC needed technological upgrades due to the company’s age at its acquisition. It was discovered that the attacked server did not use multifactor authentication, a current industry standard.1 The ransomware group claiming responsibility for the incident, BlackCat/ALPHV, allegedly used compromised credentials to gain access to CHC’s system and deploy the ransomware while stealing data.4
Ransomware is malware that denies users access to data by encrypting it with a key known only to the hacker. The decryption key can only be acquired if the user pays the ransom, usually in cryptocurrency.5 It has been estimated that CHC paid about 350 bitcoins (US $22 million).4
Data from the incident show that an estimated one-third of Americans had their health information leaked.1 CHC is unable to confirm what specific data were involved with the leak, but possibilities include contact information, health insurance information, protected health information, or billing identification such as Social Security numbers. In June 2024, CHC started notifying impacted individuals.6
Vigilance and preparedness for potential cyberattacks is crucial. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) can help covered entities protect themselves against ransomware attacks. The HIPAA Security Rule requires covered entities to implement security measures to mitigate the risk of ransomware introduction, including conducting risk analyses, establishing procedures for preventing and detecting ransomware, and training individuals to detect and report ransomware.5
If a cyberattack results in a breach, covered entities must notify affected individuals and the Secretary of the US Department of Health and Human Services (HHS). The covered entity must inform prominent media outlets if a breach affects more than 500 individuals.7
New federal legislation has been introduced in the US Congress in response to this incident to improve cybersecurity. The Health Care Cybersecurity Improvement Act of 2024, introduced by US Sen Mark Warner (D, Virginia), would change Medicare’s accelerated and advanced payment programs. To receive payment from such programs due to a cybersecurity incident, entities must demonstrate that they meet minimum cybersecurity standards.8
The Centers for Medicare & Medicaid Services (CMS) Accelerated and Advanced Payments Program (AAP) is designed to provide relief to cash flow disruptions experienced by certain Medicare Part A and Part B suppliers. This program was expanded in early March 2024 to include Change Healthcare/Optum Payment Disruption (CHOPD) accelerated and advance payments. As of mid-June 2024, 4200 Part A and 4722 Part B providers received more than $2.55 billion and $717.18 million in CHOPD accelerated payments, respectively. The CHOPD AAP was terminated on July 12, 2024, because CMS has recovered 96% of its distributed payments. Now service providers and suppliers need to contact CHC if they are still experiencing difficulty with billing due to the cyberattack.9 The Strengthening Cybersecurity in Health Care Act, introduced by US Sen Marco Rubio (R, Florida), would require the HHS inspector general to routinely evaluate existing cybersecurity protocols and practices by performing various procedures, such as penetration tests. These procedures would be used to determine ways in which system processes could become compromised, leading to breaches in patient data and impacting patient safety.10 As the investigation continues, CHC urges individuals to monitor bank accounts, credit card statements, and explanation of benefits statements for signs of suspicious activity. CHC also states that it will pay for 2 years of credit monitoring and identity protection services for individuals who believe their information was impacted.6
