It seemed improbable the first time someone told me the fallout from the cyberattack on the Change Healthcare platform might last for weeks, or for months even.

Four weeks after the hack essentially halted billing by a huge subset of providers, it seems impossible that their finance offices will be free from the massive mess the stoppage has created any time before summer.

Per the assessment of others much more technologically savvy than I, the attack and the resulting outage revealed the true vulnerability of the day-to-day computer infrastructure on which healthcare organizations — including even low-tech nursing homes — now rely.

Shoring up the defenses for such vital services must be both a short-term and long-term priority.

But the attack also revealed other weaknesses in a healthcare system that is driven more and more by a desire for efficiency, and yes, profits.

The idea of submitting bills to a third party that can transmit them to so many different payers and relieve some pressure on in-house billing offices is a great one. It must have been working smoothly for so many: Change Healthcare reportedly manages between 14 and 15 billion transactions annually.

But in 2022, Change became part of Optum and its parent company, UnitedHealth Group, putting more services and control into the hands of a singular organization. Now we’ve seen what happens when a hugely centralized organization is unprepared for a given challenge.

Who we share information with and how we share it can’t be an afterthought anymore. Providers who put all their eggs in the Change Healthcare basket are feeling that, for sure.

Spreading the work

David Finkelstein of RiverSpring Living predicts more nursing homes will split their billing submissions across multiple clearinghouses in the future. On the one hand, it creates more management and coordination hurdles. On the other, it will ensure access to an alternative service provider next time there’s an outage.

The financial fallout for the players and victims in this saga is also just beginning to become clear, and Finkelstein has warned of predators targeting seniors who are concerned their health information could have been accessed by the hackers.

Lawsuits over HIPAA violations are already starting, and aging services groups are initiating tough conversations about how far liability reaches and who should be responsible for costs of defending related cases.

They’re also broaching the (far from resolved) question of who will cover the added costs of figuring out the billing mess and tons of extra paperwork and processing that will be required to crawl out of payment delays and even possible denials. While federal officials have opened a gateway to advanced payments, the government has said nothing so far about other emergency funding.

Many providers are already reassessing their billing office budgets for 2024 to incorporate all the extra pay for staff and temps. But providers also must reassess their data relationships.

In the quest to become more efficient, has your staff outsourced certain services so completely that you’d be hard pressed to envision a way forward without that vendor? It may be time to reevaluate or at least revise contingency plans.

It’s all the more important to do that high-tech due diligence sooner rather than later. Given UnitedHealth Group’s reported willingness to pay the hackers’ ransom, it’s all but certain that more healthcare hacks are coming. 

The only question is how well the sector will be prepared next time.

Kimberly Marselas is senior editor of McKnight’s Long-Term Care News.

Opinions expressed in McKnight’s Long-Term Care News columns are not necessarily those of McKnight’s.