April 29, 2024 in Healthcare Analytics
The Change Healthcare Fiasco
The event that exposed the vulnerability of our healthcare payment system
https://doi.org/10.1287/LYTX.2024.02.09
We’ve recently experienced a shock wave throughout the healthcare system caused by an age-old threat to the digital world – cyber hacking. Change Healthcare, an automated clearing house that is part of UnitedHealth Group and the backbone of the country’s healthcare payment system, experienced a ransomware attack from a hacker group on February 21, 2024, causing them to stop service altogether for a few days to recover from the menace and allow the FBI to investigate the crime. Ransomware and associated data breaches are not unknown to the healthcare industry. Hospitals, large physician groups and even insurance companies have experienced hacking attacks from malicious groups of shadow criminals, sometimes sitting in faraway countries and behind layers of digital shroud. Law enforcement has exposed many such groups, but others have popped up. What made this attack especially lethal was the organization they chose to attack and the impact that the disruption of their operation caused. To understand this better, we need to understand the value chain of the healthcare system. For those who are not so intricately connected with this industry, let me try to explain.
Healthcare Value Chain: From Providing Care to Getting Paid
The healthcare value chain could seem like a complex structure for those who are not part of this industry. However, there are many similarities with other service industries in which intermediaries exist between service providers and recipients. Patients in the United States typically fall under two broader categories: insured and uninsured. Those who are insured are allocated into three major buckets: (1) commercial insurance, (2) Medicare and (3) Medicaid. People who are uninsured could then be covered by some local governmental insurance plan (e.g., county-level insurance program) or they might have to pay out of pocket. People who are covered by commercial insurance could be covered by their employers, which is the case for most, or if they are self-employed, might purchase their own insurance from an insurance exchange. Many large employers contract with commercial insurance companies such as Aetna, Cigna, Anthem or Blue Cross to administer their insurance coverage program. However, instead of the insurance companies paying, employers pay for the medical services consumed by their employees. As you can see, this is already getting complex (see Figure 1).
Depending on the insurance type, there could be a requirement for seeking prior approval for service from the insurance companies (also called “prior authorization”). Typically, health maintenance organization (HMO) plans require this kind of approval, but many preferred provider organization (PPO) plans require an insurance company’s medical staff to determine whether the requested service or medication is “medically necessary” for the diagnosed condition of the patient. If a medical service, including dispensing of medication, is done without an approval of the prior authorization, the reimbursement of the cost, the claim, could be declined by the insurance company. Medicare and Medicaid programs are governed by federal and state governments, respectively, which do not have similar burdens of prior authorization requirements for payment.
After receiving a prior authorization approval (if necessary) and providing a service to a patient, a provider organization or pharmacy submits a reimbursement claim to the patient’s insurance company appropriately. This submission needs to follow a very standardized format if submitted electronically and typically goes through an intermediary called an automated clearing house (ACH). The purpose of the clearing house is to ensure that the data submitted conforms to standards and is accurate except for fields like name of the provider, date of service or the claim amount. Validity of that information is typically held by the appropriate insurance companies who hold the provider-payer contracts. The ACH ensures that mistakes are prevented before the claims reach adjudication by the insurance companies. After insurance companies adjudicate claims, i.e., approve or deny a claim, the payment advice is also sent back to the providers via the ACH so claims can be reconciled at the end. Lab work, imaging and durable medical equipment providers follow a similar protocol for providing service and getting paid.
Although ACHs play a big role in the commercial insurance space, they are typically not required for Medicaid claims in which service providers submit their claims directly to their state’s Medicaid system for payment. Medicare, on the other hand, could go through a clearing house, depending on the type of service rendered (e.g., Part B vaccination claims). Nonetheless, there is still a huge number of claims and hence payment transactions that depend on the availability of ACH networks (see Figure 2).
Why Change Healthcare is Important
Change Healthcare is a healthcare company with the largest ACH, processing 15 billion claims totaling more than $1.5 trillion a year. In a lawsuit filed in 2022, the Justice Department wrote that Change Healthcare supports handling 50% of all medical claims in the United States. The lawsuit failed to block UnitedHealth from acquiring the company. Hospitals across the United States suffered because they were not able to discharge certain patients and couldn’t get their medications filled. Medical practices that rely on cash flows from prompt claim reimbursements suffered because they were unable to electronically submit their claims to the insurance companies. The only workaround available was to switch to paper submissions via fax. Luckily, because fax machines or eFaxes are not a thing of the past in medical practices, provider organizations using manual data entry either on paper or in PDFs were able to send their claims directly to the insurance companies. It is, however, worth remembering that in pursuit of operational excellence and a digital transformation prerogative led by innovative leadership, many insurance companies have moved away from workflows that accept large volumes of paper forms arriving via eFax or fax machine for adjudication. So, even if the input side of the assembly line could be adjusted with manual effort, it was not something that could be adjusted throughout the system without causing major system clogging, which inevitably happened in February and March 2024. This became so acute that Senate Majority Leader Chuck Schumer said in a released statement, “The delay in payments is costing hospitals across America millions for every single week this continues, and people are even struggling to get prescriptions filled at their local pharmacy. That’s why I am calling on CMS to use its authority to cut through the red tape and provide accelerated and advanced payments to impacted health care providers just as they did during covid.” This shows how harmful and impactful this cybersecurity attack was to the nation’s healthcare system.
Where Are We Now?
Security researchers discovered that a payment of 350 bitcoins, worth $22 million, was made to a bitcoin cryptocurrency wallet associated with BlackCat/ALPHV, which claimed responsibility for the cyberattack. Change Healthcare, however, did not confirm or deny this. In the meantime, Medicare announced a lifeline for the physicians and practices affected by this cybersecurity attack on Change Healthcare. Lawmakers and physicians recently said that emergency funding will be made available to offer financial relief to physician groups and other healthcare providers that have rapidly exhausted their cash reserves and are struggling to meet payroll.
However, Change is still not back online, and weeks if not months of continued disruptions and system backlogging are still expected as fallout from this event. It is quite a scary scenario, and as the geopolitical environment heats up and cybercrime becomes an effective tool to harm a country’s key sector or even sectors at once, this scenario almost resembles a war zone. One example is Microsoft’s recent warning about executive emails hacked by those of a country that is not friendly with the United States. Microsoft warned that, using this, the hackers might try to get into its customer systems to further their cyberattack. As more and more mission-critical sectors like healthcare, finance and government move to public cloud environments hosted by Microsoft, Amazon and Google, companies are increasingly becoming targets of relentless threats from overseas enemies. In the case of the hacker group that is supposedly responsible for the Change Healthcare mess, the FBI mentioned that the group was previously exposed and subsequently dismantled, but they popped up again seemingly out of nowhere. The lure of money and sometimes the backing of a malicious government could be strong enough to keep this kind of effort ongoing.
What is the Path Forward?
The Change Healthcare incident could be an eye-opener for many. A large clearing house that is privately owned and unregulated but carries more than 50% of the payment transactions of an industry in our country is vulnerable, regardless of its information security architecture. Should lawmakers regulate such companies like they do for other critical infrastructure? Should this be declared a critical infrastructure and then regulated and protected with a federal oversight agency like the airline industry is by the Federal Aviation Administration? Given the fact that the world is increasingly becoming more networked, and advanced technology to break into such networks is more cheaply available, it is inevitable that hardening of information security and breaking of that layer will continue to move at the same pace. There is no obvious winner here, especially with cyber enmity growing among nations. We have no choice but to rely on large trillion-dollar corporations such as Microsoft, Amazon or Google to host our data because smaller organizations will not stand a chance against the sophisticated hackers. But when a behemoth like that loses their grip on the data they host, how do we protect ourselves? Questions like these are in front of cybersecurity experts and lawmakers.
Afterword
Technology will continue to advance. As we are experiencing in artificial intelligence, we will see the same happen in technologies for network penetration. Defense and offense will both continue to advance by leaps and bounds. As countries, societies and custodians of mission-critical data systems, we will have to strike a balance between centralization and federation, open market and protectionism, online and offline approaches for data. These are hard questions and fraught with social, political, technical and sometimes even ethical challenges. But as the pain inflicted on the healthcare system by the Change Healthcare fiasco has proven, the importance and timeliness of considering such hard topics objectively could not be overstated.
Rajib Ghosh is the founder and CEO of Health Roads, LLC, a consulting company for enabling digital transformation in healthcare organizations. He has 25 years of technology experience in various industry verticals where he had management roles in software engineering, data analytics, program management, product management, business operations and strategy development. Ghosh spent a decade and a half in the U.S. healthcare industry as part of a global ecosystem of medical device manufacturers, medical software vendors, telemedicine and telehealth solution providers. He’s held senior positions at Hill-Rom, Solta Medical and Bosch Healthcare. His recent work includes leading data-driven digital transformation in the public health space, including county-level healthcare agencies and organizations focused on underserved populations.