American Hospital Association CEO talks about Change Healthcare ransomware attack and cybersecurity

Harrisburg - It’s been more than 40 days since the Change Healthcare cyberattack sent shockwaves throughout the hospital industry.

Rick Pollack, president and CEO of the American Hospital Association, says hospitals are still dealing with many unknowns. He spoke about the attack as part of a discussion at the Hospital + Healthcare Association of Pennsylvania Leadership Summit Wednesday morning.

“I’ve been consumed with this,” Pollack said, noting Wednesday marked “day 43” since the attack was reported on Feb. 21.

The American Hospital Association has called the Change Healthcare attack “the most significant” cyberattack ever launched against the healthcare industry. Nearly all hospitals (94%) said they have suffered a financial impact from the Change Healthcare attack, according to an AHA survey. Nearly 60% of the hospitals said the impact on their revenue has been $1 million per day or greater.

UnitedHealth Group, the parent company of Change Healthcare, has said the attack was launched by the “Blackcat” ransomware gang, which has targeted healthcare organizations in the past, federal authorities say.

It’s unclear what kind of private health data the ransomware group took from Change Healthcare, or how many hospitals are affected, Pollack said.

“We don’t know what they’ve captured,” he said.

• Read more: Pennsylvania hospital group CEO talks about cyberattack, and financial impacts

It’s also not clear how many health records may have been taken. The federal government requires organizations to report breaches of private health data affecting more than 500 individuals to the U.S. Department of Health & Human Services. Such breaches must be reported within 60 days. As of Wednesday, there hadn’t been a report on the Change Healthcare breach to the health department.

Organizations must also notify patients about health data breaches. While it’s unclear which hospitals are affected, Pollack said the notification requirements belong to Change Healthcare or UnitedHealth.

“It's their responsibility to inform patients, not our responsibility,” Pollack said.

• Read more: Change Healthcare cyberattack shows ‘no one is immune’

UnitedHealth Group has distributed more than $3.3 billion in payments to hospitals and other providers since the cyberattack. Change Healthcare handles a variety of services for healthcare providers, including processing claims, billing, handling prescriptions and insurance eligibility checks. Some hospitals and physician groups have been reeling due to the interruption of payments. Change Healthcare processes 15 billion transactions annually and is involved in one in every three patient records, federal officials say.

UnitedHealth has restored some services, although some hospitals are still having issues processing claims, officials at the Pennsylvania hospital conference said.

Hospitals and other health providers lodged heavy criticisms at UnitedHealth’s initial offers of assistance, calling them insufficient with terms that were onerous.

“They put out an advance payment program for our hospitals that was a joke,” Pollack said. He also said UnitedHealth downplayed the amount of work hospitals needed to deploy workarounds.

Now, Pollack said UnitedHealth Group has become “a little more responsive” with hospitals.

Still, Pollack said UnitedHealth isn’t to blame for the breach, saying the company is a “victim” of a ransomware attack. He warned the audience of Pennsylvania hospital leaders about the threat of sophisticated cyberattacks.

“We’re dealing with nation-states or gangs that are sanctioned by nation-states,” Pollack said.

While many hospitals have been victims of ransomware attacks, Pollack also warned that many ransomware attacks are being launched at the vendors and partners that hospitals rely on every day. Many incursions are aimed at third parties, he said.

“It’s people we give information to,” Pollack said. “Change is a perfect example of that.”

The federal government has opened an investigation of the Change Healthcare cyberattack, Pollack noted. The health department said last month that its Office of Civil Rights will focus on whether Change Healthcare or UnitedHealth Group violated federal regulations relating to patient privacy.

Pollack noted that the American Hospital Association opposed UnitedHealth Group’s acquisition of Change Healthcare, and warned of a massive consolidation of private health data that would result. The Justice Department sued to block the deal but lost a legal battle to avert the merger. But the breach illustrates the concerns the hospital association raised, Pollack said.

“We saw the handwriting on the wall,” Pollack said.

Pollack also talked about the need for the government to be doing more to help hospitals and other critical infrastructure guard against cyberattacks. He praised the government for moving from viewing cyberattacks as just a financial crime and recognizing such attacks as a “threat of life” crime.

“That’s a big deal in law enforcement,” Pollack said.

While Pollack said he welcomes the federal government setting cybersecurity goals for hospital organizations, he added that the government shouldn’t impose financial penalties to health systems for breaches. The health department has said it would work with Congress to increase financial penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA).

Pollack argues the cybersecurity standards should be voluntary. He says penalizing hospitals is misguided since many breaches involve their vendors or partners.

“It doesn’t solve the problem,” Pollack said.