cover story TWO

Anatomy of a Cyberattack

The Change Healthcare incident

By Tenbit Emiru, MD, PhD, MBA

Once Change Healthcare learned of the attack, they disconnected 21 applications and enlisted law enforcement and independent experts to investigate. Internally, for both providers and health plans, this mass outage of online services created havoc for ranks of employees involved in the administrative functions that underpin the business of health care. In short, the outage prevented many health plans and health care providers from requesting and receiving payments for services.

Change Healthcare’s applications used by providers, hospitals, pharmacies and plans like UCare are vast and far-reaching. They automate electronic prescribing, electronic payments, and medical and health-related claims submissions. They are also used for:

• Enrollments
• Eligibility determinations
• Prior authorizations
• Claims processing
• Production of Explanation of Benefits and Explanation of Payments
• Chart abstractions
• Quality measurements

The interconnectedness of health care magnified the extent of disruption and work stoppage. In addition to claims for direct medical services, inpatient hospitalizations, ER use, specialists, to name a few, claims for affiliated services such as rides to medical appointments were also impacted. 

The American Hospital Association (AHA) cites the incident as the most significant cyberattack in 

U.S. health care history.

By the Numbers

Nationally, Change Healthcare handles 15 billion transactions annually, totaling more than $1.5 trillion a year. Change Healthcare claims that one in every three patient records in the country flows through its clearinghouse. The United Healthcare/Optum-owned company has more than 160 health plan customers, in addition to countless provider and pharmacy customers.

The American Hospital Association (AHA) cites the incident as the most significant cyberattack in U.S. health care history, affecting patient care at almost three-fourths of U.S. hospitals. They conducted a survey of about 1,000 hospitals in mid-March that found 94% of hospitals experienced a financial impact with more than half reporting “significant or serious” impact. More than 80% of hospitals said the cyberattack affected their cash flow, with 60% of those reporting revenue losses of $1 million per day or more.

Most notably, the survey found that 74% of hospitals reported impacts to patient care as a result of the attack. While hospitals are implementing workarounds to mitigate patient impact, those workarounds are labor intensive and costly.  

Member-first Crisis Response

Upon learning of the cyberattack, our first concern was for members not being able to fill prescriptions at pharmacies. We also worried they might experience delays or disruptions in care. The quick thinking of our pharmacy department in that first week ensured our members’ access to their prescriptions within hours or days. They put in place Good Faith fills, flexed co-pays and enabled point-of-service member eligibility at pharmacies with our Pharmacy Benefit Manager, Navitus. 

We were also concerned about the downstream impact on our members from cash flow issues impacting our provider partners. These financial challenges arose for large health systems, small clinics, specialty groups, hospitals and pharmacies — really all providers along the continuum of care. Fortunately, UCare never established network connectivity with Change Healthcare, so there were no threats to our other systems or services.

When disaster struck, our senior leaders could count on our business recovery, claims and configuration, government relations, health care economics, information technology, legal, pharmacy, and provider relations and contracting teams (and other first responders) to be “on the case.” Within an hour of learning of the incident the morning of Feb. 21, we activated business continuity plans. Teams immediately started brainstorming and implementing solutions and workarounds to restore the flow of claims and payments. Additional reporting, risk adjustment, security, coding and documentation requirements made this no easy task.

As we move to full restoration of services, a core group of staff and leaders continue to meet twice daily to remove roadblocks, assess resource needs, report progress and maintain momentum.

Safeguarding Consumers

While the cyberattack systematically tested operational processes between providers and payers, from what we know, our insured patients were unaffected. This is good news. It also attests to the quick response from payers, providers, legislators and regulatory agencies to unite around a common goal of protecting consumers from harm.

We carefully monitored incoming calls and messages from members, website searches and even social media messages to gauge the impact of the cyberattack. We were pleased to hear silence on that front. Throughout, our members continued to receive care as scheduled and medications as prescribed. Prior authorizations also were unaffected.

First Aid to Providers

From the start, we were concerned about providers going an extended period of time with no payment for services. As a result, we made several executive decisions to offer special assistance to tide them over, based on individual needs.

A one-size-fits-all solution was not the answer because the impact varied among providers, depending on whether they primarily used Change Healthcare or an alternate platform to submit electronic claims, as well as many other operational variables. We focused our attention on helping providers who were most reliant on Change Healthcare. And we engaged with providers to learn more about the extent of impact, and how we could best help.

Providers of all sizes and geographies — rural and metro — required well-thought-out custom solutions. We took a series of steps including:

• Creating an alert page on our website with up-to-date guidance for providers https://www.ucare.org/providers/policies-resources/change-healthcare-optum
• Providing our Provider Assistance Center with key talking points
• Working late nights and weekends to speed up processing of electronic claims that were received prior to the outage, and to catch up on backlogs caused by the outage, with the goal of enhancing provider cash flow
• Connecting to new clearinghouses and claims payment services, which required quick action from our legal and finance teams to negotiate new contracts
• Assisting providers in enrolling in new clearinghouses and claims payment services
• Increasing the number of weekly claims payments runs
• Advancing interest-free payments, equal to typical claims payments, to providers on a case-by-case basis
• Monitoring to ensure no impacts on prior authorizations
  

Within an hour of learning of the incident the morning of Feb. 21, we activated business continuity plans.

As a leading Medicaid and Medicare government programs plan, we were also proactive about notifying our regulatory state and federal partners and our county service providers. Employees at Minnesota’s Department of Human Services recognized our speedy response during an incident call with providers. We met with our trade associations, America’s Health Insurance Plans (AHIP), Alliance of Community Health Plans (ACHP) and Association for Community Affiliated Plans (ACAP), to discuss the state of affairs, monitor industry response and share best practices.

In a letter to Secretary Xavier Becerra at the Department of Health and Human Services (HHS), ACHP describes actions taken by health plans to mitigate harm. ACHP wrote: “One ACHP member company, UCare in Minnesota, began contacting providers as soon as Change Healthcare systems went down. In the following weeks, multiple provider partners have complimented the company’s diligence and quick response to the Change Healthcare crisis. UCare provider relations staff are actively engaged in the incident management process and prioritize provider impact and need status updates twice daily.”

The Power of Partnerships

Partnering with providers to ensure quality care to members and the community is nothing new for us. For 40 years, we’ve actively partnered with a growing network of Minnesota providers to ensure continued care for the community. This history of partnership, collaborative problem solving and deep trust made it possible to work with our providers to find solutions and address the impacts of the outage. We also tried to make it easy for providers, for example, by not making them jump through hoops to receive advance funds and assisting them with enrolling in alternate claims clearinghouses.

These deeply rooted, local health plan/health care provider partnerships are why Minnesota is cited nationally for its excellent health care outcomes. The state’s community-based nonprofit health plans take a collaborative approach, working with providers to support mutual missions to care for the local communities we collectively serve.

In the wake of the crisis, many providers thanked us for being the first health plan to step forward to help navigate the impact of the cyberattack and protect their patients/our members. This quick response is a testament to our longstanding provider partnerships and shared knowledge of our organizations. A leader of a large metro-area health system commented: “UCare has consistently demonstrated leadership in partnering to solve larger issues when they arise to ensure continuity of care for the community.”

Our local expertise, history and commitment to working jointly with providers drove us to do everything we could to lessen the impact during this major disruption and continue to drive us today — because it’s “how we roll.”

Aftereffects

The situation continues to evolve, and we continue to explore short- and long-term solutions. The Change Healthcare incident magnifies the vulnerability of health care electronic data exchange systems to cyberattacks and bad actors. Its impact will be felt for months and years to come, as heightened scrutiny is directed at the security, authentication and third-party validation of health care systems, platforms and applications.

Criminals are also at the ready to take advantage. A few weeks after the attack, Minnesota Attorney General Keith Ellison and a spokesperson for the Minnesota Hospital Association warned Minnesotans of scammers contacting people posing as hospital, clinic or pharmacy employees trying to obtain credit card information because of the outage.

The incident raises concerns about threats to national security since a criminal group in Russia allegedly hacked Change Healthcare. The prospect of entirely disabling health care across the country through a cyberattack is terrifying. But it could happen. Last year, more health care industry targets reported ransomware attacks to the FBI’s Internet Crime Complaint Center than any other of the 16 sectors of critical infrastructure.

For now, senior leaders at UnitedHealth Group are being questioned by legislators and regulators about security deficiencies, and after the system was disconnected, the company’s slow response and modest payment advances. HHS opened an investigation into whether Change Healthcare complied with federal law to protect patient data. Provider lawsuits and patient class action suits have been filed against UnitedHealth Group. Congressional hearings also have commenced.

Administrative aftershocks will continue. Returning to full restoration of services is not as simple as flipping a switch. Even when Change Healthcare’s applications or replacement systems are fully functional, it will take programming, contracting, security testing and additional staff and IT resources to be operating as before. Back-end clean up, reconciliation and accounting for claims during recovery will stretch on for months.

Ongoing Security

This incident was a test of our readiness and resilience. Our foresight not to connect our network to Change Healthcare protected us, our members and providers. Strong business continuity planning enabled our quick response to implement workarounds and alternate systems, support our providers, and ensure continuous care to members — as befits our mission of improving the health of our members through innovative services and partnerships across communities.

We passed this test, but the work of security is never done. As soon as one threat is defused, another presents itself. Our security team monitors this activity day in and day out and implements new security measures as needed. We continue to be ever-vigilant and to actively fortify our cybersecurity and protection of members’ personal health information. Health care is a mammoth ecosystem, and we’re doing our best to ensure everybody with a stake in our corner of it is safe and secure.



Tenbit Emiru, MD, PhD, MBA, is the executive vice president and chief medical officer at UCare.