On February 21, there was a ransomware attack on UnitedHealth’s subsidiary, Change Healthcare. There are reports that a $22 million ransom has been paid to try to resolve this issue.
Subsequently, the Department of Health and Human Services (HHS) launched an investigation, through its Office for Civil Rights (OCR), due to the scope and impact of the attack. Apparently Change Healthcare processes about half of the medical claims in the United States — for around 900,000 physicians; 33,000 pharmacies; 5,500 hospitals; and 600 laboratories.
As a result of this attack, numerous patients have seen a disruption in the delivery of their health care, as they have been unable to get access to needed medicines or medical procedures. Additionally, given that Change Healthcare is the largest processor of billings and reimbursements for medical claims nationwide, this ransomware attack has resulted in thousands of health care institutions and professionals not being paid in a timely manner, or simply not being paid.
Since October 2009, when the HHS/OCR first started publishing summaries of health care data breaches on its website, there have been almost 6,000 large health care data breaches – whether from hacking, ransomware attacks, theft, loss, or impermissible disclosures. Additionally, large pharmaceutical companies, including Merck and Roche, have been victims of ransomware attacks that have left them paralyzed for weeks at a time.
The hackers initially started as small teams, but are now sophisticated groups offering “ransomware-as-a-service”, even to state-sponsored hackers. This is where national agencies like the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) get involved, as these are criminal acts that threaten the country’s infrastructure.
Preventive Medicine physicians are often leaders in large health care organizations. While our focus is primarily on the delivery of high-quality health care, there is also a need to pay attention to the types of cybersecurity tools and solutions our organizations are deploying, in anticipation of such ransomware attacks and hacking incidents.
The new American Board of Preventive Medicine’s Public Health & General Preventive Medicine test content outline contains a section on Informatics. In it, there is a knowledge requirement, which sets a standard for storing, securing, protecting, managing, sharing, and manipulating data. We have a responsibility as physician executives to participate more broadly across our institutions to mitigate the risks posed to delivering high-quality health care by these cybersecurity threats, as they will only grow in frequency and magnitude.
One of our Board members, Dr. Helga Rippen, has long been at the forefront of dealing with such issues at the intersection of health care and technology, and in the coming year, perhaps ACPM can explore the creation of a Special Interest Group focused on this topic.
One final policy question remains: Is there a need to limit the size and scope of the organizations managing health care across the country, given that an attack on one of them, such as UnitedHealth’s subsidiary Change Healthcare, can lead to catastrophic outcomes through the disruption in patient care that results from such ransomware attacks?
Mirza I. Rahman, MD MPH, FAAFP, FACPM