From Breach to Regulation: How the Change Healthcare Ransomware is Shaping Compliance

The ransomware attack on Change Healthcare in late February 2024, which forced the company to disconnect over 100 systems, has proven to be the largest healthcare breach in many years. The BlackCat/ALPHV ransomware gang claimed responsibility for the hack, which left Change Healthcare customers unable to process payments and collect revenue in their operations. Change managed more than 15 billion transactions in 2023, for a total of $1.5 trillion in revenue collected. This makes the company a significant player in the healthcare ecosystem.

More than a month later, the company still has not brought all its systems back online. Physician-owned medical groups, psychiatry practices, and private medical practices across the country have gone without any cash flow for weeks. Skilled nursing facilities have already closed their doors in part because they can’t collect any revenue. The cascading failure caused by removing the ability to process payments through Change Healthcare’s systems can’t be overstated in its impact on patient care and healthcare availability.

The federal government has paid close attention to the whole process. The White House is in near-daily conversations with UnitedHealthcare Group, the parent company of Change Healthcare, and the Department of Health and Human Services’ Office for Civil Rights opened an investigation into the breach. Alongside the investigations and response plans, new legislation has now been proposed in Congress to limit the damage of future attacks like this one.

New Healthcare Cybersecurity Act Provides a Financial Backstop

In response to the Change Healthcare ransomware attack and its spreading impact, Senator Mark Warner (D-Virginia) introduced the Health Care Cybersecurity Improvement Act of 2024 on March 22. Warner is a co-chair of the Senate Cybersecurity Caucus and has been a loud voice for healthcare cybersecurity in recent years. The new legislation would allow healthcare providers to obtain advance payments quickly in order to stem the risk of financial insolvency.

The payments would be processed through the Center for Medicare and Medicaid Services (CMS) Advanced and Accelerated Payments program, which has historically been used to solve emergency cash flow problems for Medicare Part A and Medicare Part B healthcare providers. Hospitals and healthcare facilities make these advance payment requests in extreme circumstances, such as the COVID-19 pandemic, and CMS determines whether to release the appropriate funds. The requirements built into the act would release these funds only if the healthcare organization had what Warner calls a minimum level of cybersecurity defenses in place.

The new act, as proposed by Senator Warner, would alter these payment programs along a few different dimensions: 

  • The Secretary would need to determine whether the need for payments arises from a cyber incident.
  • If the payment is needed because of a cyber incident, the healthcare provider in question would be required to meet minimum cybersecurity standards.
  • If a provider’s intermediary was the target, that company must also meet minimum cybersecurity standards for the provider to receive payments.
  • These minimum standards would be determined by the Secretary of Health and Human Services. The bill would go into force two years after it was passed.

This proposed legislation goes beyond the Health Insurance Portability and Accountability Act (HIPAA), which focuses exclusively on patient data. Warner’s legislation seeks to put in place cybersecurity hygiene standards industry-wide, so that healthcare providers and the companies who serve them have defenses meant to protect their critical systems from an attack like the one currently affecting Change Healthcare. The proposal is a recognition that something needs to be done to limit the impact of future attacks like this.

Healthcare Cybersecurity Regulations Need to Evolve 

There’s no current estimate of the full impact of the Change Healthcare attack. The Massachusetts Health and Hospital Association said the outage is costing the state’s healthcare system around $24.2 million a day. Senator Maggie Hassan (D-NH) said that rural New Hampshire hospitals haven’t received 98% of the Medicare payments they were expecting. 

The Wall Street Journal’s consolidated reporting on the attack and its impacts noted that the difference in size of hospitals across the country means that anywhere from several thousand to several million dollars in payments are being held back. The American Hospital Association, for example, found that 60% of its members lose more than $1 million in revenue per day because of the ongoing operational disruption. 

This attack demonstrates that cybersecurity priorities in healthcare need to be re-evaluated. HIPAA’s focus on securing patient data is laudable; however, it doesn’t go far enough in defending healthcare organizations from a cyber attack. This is especially true when a firm like Change Healthcare, which provides critical non-patient-care services, is attacked.

Hospitals and other healthcare providers have long emphasized patient care in their technology investments. This is not a bad thing. However, the Change Healthcare attack, as well as the rising tide of ransomware attacks on the healthcare system more generally, shows that there need to be baseline standards for defending hospital and healthcare infrastructure.

This proposed legislation from Senator Warner would be a critical piece of making that happen. The text of Warner’s legislation does not define what the minimum standards are, leaving that to the HHS Secretary instead, but giving the federal government statutory authority to make those determinations is nevertheless a major step forward.

The Centers for Medicare & Medicaid Services and HHS have already agreed to make advanced and accelerated payments on a case-by-case basis during the crisis. The difference is that Warner’s new legislation would make this state of affairs more programmatic and official. This backstop, should it pass, would go a long way toward protecting financially vulnerable hospitals from the revenue impacts of a future cyberattack. 

It could also protect patient care. The AHA survey found that nearly three-quarters (74 percent) of responding hospitals reported a direct impact on patient care because of the Change Healthcare attack. Around 40 percent of hospitals said patients are having difficulty accessing care because of delays in processing health plan utilization requirements, such as prior authorization. 

Warner’s proposed legislation would thus ultimately be a good thing. Defining standard security measures and using the force of law to ensure a backstop may serve to limit the damage of a successful incident. However, this early in the process there’s no telling what the minimum security standards might be, or whether the new law will even pass this Congress.

Change Healthcare Ransomware Final Thoughts

Something needs to change with healthcare security. Attacks have increased in number and become only more damaging, while the impacts on patient safety and care continue to become more acute. Change Healthcare in particular still hasn’t brought all its systems back up as of early April 2024, despite UnitedHealthcare Group working constantly to rebuild and reconstruct systems as quickly as it can. Some services have come back, and others remain in limbo for the foreseeable future.

Senator Warner’s legislative proposal is a needed step on the regulatory side of the equation either way. The healthcare industry is a vital part of the country’s infrastructure, and defining minimum standards expected of hospitals and healthcare providers should go a long way toward improving the state of cybersecurity industry-wide. For now, it remains to be seen how long it will take for the industry to recover from this attack and get back to providing patients with the best outcomes possible.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
