On Feb. 21, hackers broke into the records of Change Healthcare, owned by UnitedHealth Group, in what the American Hospital Association called “the most serious incident of its kind leveled against a U.S. health care organization.”
The breach had far-reaching implications, compromising patient health records and crippling insurance payment and billing processes. UnitedHealth Group executives estimate that the breach cost it $872 million in Q1 and expect that figure to grow as high as $1.6 billion on a pre-tax basis.
Unfortunately, the breach was far from a one-off. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights shows six hacking/IT incidents on healthcare providers in Indiana since the start of 2024. Victims include Bloomington Regional Rehabilitation Hospital, Valley Oaks Health, and Otolaryngology Associates LLC – the last incident affecting more than 316,800 individuals.
“About a third of our 170 member hospitals were impacted by the Change Healthcare cyberattack; for some, up to 100% of revenue was impacted,” said Laura Kracher, vice president of public affairs and communications at the Indiana Hospital Association (IHA). “Across the state, hospitals experienced a major backlog in payments that threatened their financial stability. Hospitals asked payors for financial assistance, including relaxing prior authorization requirements, reducing claim denials, and providing interim payments to allow them to recoup the revenue needed to sustain operations.”
“The cyberattack on UnitedHealth Group and Change Healthcare serves as a stark reminder of the critical need for robust cybersecurity measures within the healthcare sector,” said Lisa Plaggemier, executive director of the National Cybersecurity Alliance, a nonprofit organization that partners with governments and corporations to promote the safe use of technology.
Area healthcare organizations are escalating cybersecurity from an IT issue to the executive level, said Jay Bhat, Administrative Director of Information Security at Franciscan Alliance. “Franciscan Alliance considers cybersecurity a board level issue,” he added. “The organization continues to monitor the cybersecurity landscape and is investing in technology, people, and processes to protect our patient data and continuously improve our program.”
This means prioritizing comprehensive risk assessments and implementing stringent security protocols to safeguard sensitive patient data, including regular security audits, employee training on cybersecurity best practices, encryption of data at rest and in transit, and proactive monitoring for suspicious activities, Plaggemier said. Additionally, investments in cutting-edge cybersecurity technologies and partnerships with reputable cybersecurity firms can bolster defenses against evolving cyber threats.
“JMH has committed more financial resources toward investments in hardware, software, and technology to assure there is continuous, 24-hour-per-day monitoring of all our digital systems,” said Dr. David Dunkle, MD, MBA, President/CEO of Johnson Memorial Health, Franklin. “JMH has also partnered with a trusted vendor to implement biweekly educational sessions regarding cybersecurity threats for all our employees.”
Because of the reliance on critical information systems to ensure safe delivery of care, Indiana hospitals have taken a wide variety of preventative measures, Kracher said. These include implementing “hack” labs to test medical devices before they’re used for patient care; performing annual risk assessments to understand any critical system vulnerabilities; and aligning IT systems to key governance standards from the Joint Commission, Federal Emergency Management Agency (FEMA), and the U.S. Department of Homeland Security.
“Collaboration between government agencies, law enforcement, and private sector stakeholders is essential to enhance threat intelligence sharing and coordinate responses to cyber threats, ultimately bolstering the resilience of the healthcare sector against future cyberattacks,” Plaggemier said.
“JMH actively participates in briefings conducted by government regulatory agencies that enforce cybersecurity measures,” said Dunkle of Johnson Memorial. “We are grateful for, and pay close attention to, the information that they regularly disseminate to us.”
Bhat agreed. “Franciscan Alliance continuously participates with various government agencies around cybersecurity,” he said. “As rules and regulations change, we actively ensure we are able to meet and exceed those requirements. We actively participate in information-sharing programs and review that information to ensure we are protected.”
In March, the Indiana Hospital Association and the Indiana State Medical Association (ISMA) sent a letter to the Indiana Department of Insurance (IDOI) outlining the major problems hospitals, physicians, and other providers experienced. In response, IDOI encouraged all insurance companies to: