Feds respond to Change Healthcare cyberattack; hospitals find it lacking

After hospitals, medical groups and physicians have pleaded for assistance, the federal government is responding to the Change Healthcare cyberattack.

The U.S. Department of Health & Human Services outlined steps to help healthcare organizations Tuesday, including measures to expedite getting claims processed so providers can get paid. Hospitals and other providers have said they've been losing a great deal of money since Change's systems went down two weeks ago, and their ability to provide patient care is being hampered as well.

Some providers had been critical of the government's response to the cyberattack and welcomed the first steps. However, the American Hospital Association issued a statement that indicated the federal response was lacking.

Rick Pollack, president and CEO of the American Hospital Association, pressed the government for more decisive steps.

"The magnitude of this moment deserves the same level of urgency and leadership our government has deployed to any national event of this scale before it. The measures announced today do not do that and are not an adequate whole of government response," Pollack said in a statement.

* Read more: Change Healthcare cyberattack called most significant on health sector in U.S. history

The hospital association said Tuesday it would continue to press Congress for more help. The AHA has written to leaders in the Senate and U.S. House of Representatives urging them to take decisive action.

"We cannot say this more clearly – the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health care system in history," Pollack said. "For nearly two weeks, this attack has made it harder for hospitals to provide patient care, fill prescriptions, submit insurance claims, and receive payment for the essential health care services they provide."

The American Medical Association credited the health department with taking action, but also said that other measures are needed.

Jesse M. Ehrenfeld, M.D., the AMA's president, said the health department has taken "a welcome first step, but we urge CMS to recognize that physicians are experiencing financial struggles that threaten the viability of many medical practices.

"Many physician practices operate on thin margins, and we are especially concerned about the impact on small and/or rural practices, as well as those that care for the underserved," Ehrenfeld said. "The AMA urges federal officials to go above and beyond what has been put in place and include financial assistance such as advanced payments for physicians."

* Read more: Florida Hospital Association CEO describes impact of Change Healthcare cyberattack

The federal response

The health department says it has been communicating regularly with UnitedHealth Group, Change Technology's parent company, about the need to enable health providers to continue to serve their communities. UnitedHealth Group said it first learned of the attack on Feb. 21.

Change Healthcare provides a wide array of services to hospitals, including billing, prescription orders, and solutions for insurance authorizations. The health department said in a news release it is responding after "hospitals, doctors, pharmacies and other stakeholders have highlighted potential cash flow concerns to HHS stemming from an inability to submit claims and receive payments."

The health department outlined a step to help providers get claims processed more quickly and help with some of their cash flow woes. HHS said it is going to make it easier for providers to change clearinghouses that they use for processing claims, a process that typically takes weeks. The Centers for Medicare & Medicaid Services says it will expedite the process to make the switch.

Hospitals and health systems have been pleading the government to speed up Medicare payments to help ease some of their financial pressures. The health department said hospitals can submit accelerated payment requests to Medicare for consideration, and said it would provide more information on filing such requests later this week.

The health department outlined other steps, but many involved encouraging insurers and managed care plans to help providers.

For example, the health department says CMS "will issue guidance" to Medicare Advantage plans about relaxing prior authorization requirements during the outage. CMS is also urging Medicare Advantage plans to provide "advance funding to providers most affected by this cyberattack."

CMS is also encouraging Medicaid and Children's Health Insurance Program managed care plans to ease pre-approval requirements and consider offering funds to providers in advance.

'More must be done'

Still, providers are seeking more substantial action.

Chip Kahn, president and CEO of the Federation of American Hospitals, said in a statement, "While HHS' announcement today reflects the gravity of the Change Healthcare cyberattack, more must be done as the fallout spreads, disrupting patient care and undermining caregivers. The response from Congress and the Administration must be up to the task and on a scale to mitigate this unprecedented attack."

The Medical Group Management Association welcomed assistance from the government, but also spoke about the need to offer accelerated payments to physician practices. Some medical groups have been seeing serious financial problems since the cyberattack occurred two weeks ago.

"Physician practices are in no way immune to the significant cash flow problems resulting from this incident and are often far more vulnerable than hospitals able to carry larger financial reserves," Anders Gilbert, the MGMA's senior vice president of government affairs, said in a statement. "CMS must require its contractors to extend the availability of accelerated payments to physician practices in a similar manner to which they are being offered to hospitals."

U.S. Senate Majority Leader Charles Schumer sent a letter Friday to CMS and called for swift Medicare payments to hospitals.

"As a consequence of the termination of Change Healthcares systems, hospitals, pharmacies, and healthcare providers are facing an immediate - and rapidly intensifying - adverse impact on their cash flow and, ultimately, on their financial solvency," Schumer wrote.

'Supply chain compromise'

Change Healthcare identified the group behind the cyberattack as an organization known as ALPHV/Blackcat. A hacker forum used by cybercriminals said UnitedHealth paid $22 million to regain access to data, Reuters reported.

Tyler Hudak, incident response practice lead for TrustedSec, a cybersecurity firm, works with health systems and hospitals. He tells Chief Healthcare Executive® that the attack underscores how all organizations are vulnerable to cyberattacks.

Also, he stresses that this incident shows how damaging attacks can be to hospitals and healthcare providers, even if it was a partner that was hacked.

"I hate to put it like this," Hudak says. "This is a great example of a supply chain compromise and how it can affect organizations, even when they themselves are not compromised. I think that's going to be the biggest takeaway from this.

"When we look at this in a year or two, organizations need to understand who is in their supply chain, who they rely upon for goods and services, and what happens when those companies go offline. Do you have backups? Do you have alternatives you can go to? How do you continue operations for potentially weeks without having the service available to you?"