Tag: Change Healthcare

What We Can Learn From the Change Healthcare Hack

By ZACHARY AMOS

The health care sector is no stranger to cyberattacks. Still, large incidents like the February 2024 ransomware attack on Change Healthcare are enough to shake up the industry. In the wake of such a massive breach, medical organizations of all types and sizes should take the opportunity to review their security postures.

What Happened in the Change Healthcare Cyberattack

On February 21, Change Healthcare — the largest medical clearinghouse in the U.S. — suffered a ransomware attack, forcing it to take over 100 systems offline. Many of its electronic services remained down for weeks, with full restoration taking until early April.

A week after the attack, the infamous ransomware-as-a-service gang BlackCat claimed responsibility. BlackCat was also responsible for 2021’s Colonial Pipeline shutdown and several attacks on health care organizations throughout 2023. This latest act against Change Healthcare, however, stands as one of its most disruptive yet.

Because Change and its parent company — UnitedHealth Group (UHG) — are such central industry players, the hack had industry-wide ripple effects. A staggering 94% of U.S. hospitals suffered financial consequences from the incident and 74% experienced a direct impact on patient care. Change’s services affect one in every three patient records, so the massive outage created a snowball effect of disruptions, delays and losses.

Most of Change’s pharmacy and electronic payment services came back online by March 15. As of early April, nearly everything is running again, but the financial fallout continues for many enterprises reliant on UHG, thanks to substantial backlogs.

What It Means for the Broader Health Care Sector

Considering the Change Healthcare cyberattack affected almost the entire medical sector, it has significant implications. Even the few medical groups untouched by the hack should consider what it means for the future of health care security.

1. No Organization Is an Island

It’s difficult to ignore that an attack on a single entity impacted almost all hospitals in the U.S. This massive ripple effect highlights how no business in this industry is a self-contained unit. Third-party vulnerabilities affect everyone, so due diligence and thoughtful access restrictions are essential.

While the Change Healthcare hack is an extreme example, it’s not the first time the medical sector has seen large third-party breaches. In 2021, the Red Cross experienced a breach of over 515,000 patient records when attackers targeted its data storage partner.

Health care enterprises rely on multiple external services and each of these connections represents another vulnerability the company has little control over. In light of that risk, it must be more selective about who it does business with. Even with trusted partners like UHG, brands must restrict data access privileges as much as possible and demand high security standards.

2. Centralization Makes the Industry Vulnerable

Relatedly, this attack reveals how centralized the industry has become. Not only are third-party dependencies common, but many organizations depend on the same third parties. That centralization makes these vulnerabilities exponentially more dangerous, as one attack can affect the whole sector.

The health care industry must move past these single points of failure. Some external dependencies are inevitable, but medical groups should avoid them wherever possible. Splitting tasks between multiple vendors may be necessary to reduce the impact of a single breach.

Regulatory changes may support this shift. During a Congressional hearing on the incident, some lawmakers expressed concerns over consolidation in the health care industry and the cyber risks it poses. This growing sentiment could lead to a sector-wide reorganization, but in the meantime, private companies should take the initiative to move away from large centralized dependencies where they can.

Continue reading…

Where’s Our Infrastructure Plan B?

By KMI BELLARD

I’ve been thinking a lot about infrastructure. In particular, what to do when it fails.

There was, of course, the tragic collapse of Baltimore’s Francis Scott Key Bridge. Watching the video – and, honestly, what were the odds there’d be video? — is like watching a disaster movie, the bridge crumbling slowly but unstoppably. The bridge had been around for almost fifty years, withstanding over 11 million vehicles crossing it each year. All it took to knock it down was one container ship.

Container ships passed under it every day of its existence; the Port of Baltimore is one of the busiest in the country. In retrospect, it seems almost inevitable that the bridge would collapse; certainly one of those ships had to hit it eventually. The thing is, it wasn’t inevitable; it was a reflection of the fact that the world the bridge was designed for is not our world.

Transportation Secretary Pete Buttigieg noted: “What we do know is a bridge like this one, completed in the 1970s, was simply not made to withstand a direct impact on a critical support pier from a vessel that weighs about 200 million pounds—orders of magnitude bigger than cargo ships that were in service in that region at the time that the bridge was first built.”

When the bridge was designed in the early 1970s, container ships had a capacity of around 3000 TEUs (20-foot equivalent units, a measure of shipping containers). The ship that hit the bridge was carrying nearly three times that amount – and there are container ships that can carry over 20,000 TEUs. The New York Times estimated that the force of the ship hitting the bridge was equivalent to a rocket launch.

“It’s at a scale of more energy than you can really get your mind around,” Ben Schafer, a professor of civil and systems engineering at Johns Hopkins, told NYT.

Nii Attoh-Okine, a professor of engineering at the University of Maryland, added: “Depending on the size of the container ship, the bridge doesn’t have any chance,” but Sherif El-Tawil, an engineering professor at the University of Michigan, disagreed, claiming: “If this bridge had been designed to current standards, it would have survived.” The key features missing were protective systems built around the bases of the bridge, as have been installed on some other bridges.

We shouldn’t expect that this was a freak occurrence, unlikely to be repeated. An analysis by The Wall Street Journal identified at least eight similar bridges also at risk, but pointed out what is always the problem with infrastructure: “The upgrades are expensive.”

Lest anyone forget, America’s latest infrastructure report card rated our overall infrastructure a “C-,” with bridges getting a “C” (in other words, other infrastructure is even worse).

What’s the plan?

——–

Then here’s an infrastructure story that threw me even more.

Continue reading…

Fee-For-Service: Predominant, Winning & Stupid

By MATTHEW HOLT

In recent days and weeks, there have been three stories that have really brought home to me the inanity of how we run our health care system. Spoiler alert, they have the commonality that they all are made problematic by payment per individual transaction—better known as fee-for-service.

First, several health insurers who sold their reputation to Wall Street as being wizards at understanding how doctors and patients behave had the curtain pulled back to reveal the man pulling the levers was missing a dashboard or dial or three. It happened to United, Humana and more, but I’ll focus on Agilon because of this lovely quote:

“During 2023, agilon health experienced an increase in medical expenses attributable to higher-than-expected specialist visits, Part B drugs, outpatient surgeries, and supplemental benefits, partially offset by lower hospital medical admissions. While a number of programs have been launched to improve visibility, balance risk-sharing and enhance predictability of results, management has assumed higher costs will continue into 2024,” the company said in a statement.

Translation: we pay our providers after the fact on a per transaction basis and we have no real idea what the patients we cover are going to get. You may have thought that these sharp as tacks Medicare Advantage plans had pushed all the risk of increased utilization down to their provider groups, but as I’ve been saying for a long time, even the most advanced only have about 30% of their lives in capitation or full risk groups, and the rest of the time they are whistling it in. They don’t really know much about what is happening out in fee-for-service land. Yet it is what they have decided to deal with.

The second story is a particularly unpleasant tale of provider greed and bad behavior, which I was alerted to by the wonderful sleuthing of former New Jersey state assistant director of health benefits Chris Deacon, who is one of the best follows there is on LinkedIn.

The bad actor is quasi-state owned UCHealth, a big Colorado “non-profit” health system. They have managed to hide their 990s very well so it’s a little hard to decipher how much money they have or how many of their employees make millions a year, but it made an operating profit last year of $350m, it has $5 BILLION in its hedge fund, and its CEO (I think) made $8m. It hasn’t filed a 990 for years as far as I can tell. Which is probably illegal. The only one on ProPublica is from a teeny subsidiary with $5m in revenue.

So what have they been doing? Some excellent reporting from John Ingold and Chris Vanderveen at the Colorado Sun revealed that UC has been getting collection agencies to sue patients who owe them trivial amounts of money, and hiding the fact that UC is the actor behind the suit. So they are transparent on how much very poor people allegedly owe them, and come after them very aggressively, but not too transparent on how their “charity care” works. The tales here are awful. Little old ladies being forced to sell their engagement rings, and uninsured immigrants being taken to the ER against their will and given a total runaround on costs until they end up in court. Plenty more stories like it in a Reddit group reacting to the article.

What’s the end story here? UCHealth gets a measly $5m (or a share of it) a year from all these lawsuits, which is less than the CEO makes (according to a Reddit group—with no 990 it’s a little hard to tell).

Yes, all these patients are being billed or misbilled for individual procedures and visits. It makes people terrified of going to the doctor or hospital, and no rational health services researcher thinks that charging people a fee to use health care encourages appropriate use of care. Last month Jeff Goldsmith had an excellent article on THCB explaining why not.

Of course it goes without saying that if these patients were covered by some kind of a capitation, subscription or annual payment none of this cruelty or waste motion would be happening.

The final example is still going on.

Continue reading…

Change Healthcare’s CEO on Payers, Providers & The New Healthcare Economy

By JESSICA DaMASSA, WTF HEALTH

From his vantage point at the helm of one of healthcare’s biggest IT infrastructure companies, Change Healthcare’s President & CEO, Neil de Crescenzo, has an unrivaled perspective on how COVID-19 has impacted hospital systems and payers. His business builds the “connective tissue” that not only supports the administrative management and patient engagement aspects of “Big Healthcare,” but it also literally helps those organizations make money, processing about $1.5 trillion in claims each year. So, what’s he seen so far in 2020? And what’s ahead for 2021? Neil stops by to talk about current challenges facing healthcare provider orgs and payers — and what’s ahead in the “new” healthcare economy where “change” is the only constant. From HHS’s new interoperability rules to telehealth and the more dispersed healthcare system it will inevitably create, we dive into all things future of health including the details behind Change’s two recent health tech acquisitions (each over $200M), what Neil thinks about the Teladoc-Livongo merger, and how digital health startups have an unprecedented opportunity to help expand the healthcare system beyond its traditional footprint.

Health in 2 Point 00, Episode 126 | A triple-episode ft. Bigfoot, Tictrac, Lifestance & many more

Today on Health in 2 Point 00, there’s been so much movement in digital health funding this week that we have a triple-episode. Bigfoot Biomedical raised $55 million in a Series C, Tictrac raised $7.5 million for employee wellness, Lifestance Health raised a whopping $1.2 billion, Maven acquired Bright Parenting, Higi raised $30 million, Bright.md raised $16.7 million, Tia raised $24 million, Doktor.se raised €45 million, Orbita raised $9 million, Curatio’s undisclosed A, Siren raised $11.8 million, 100plus raised $15 million, Ubie raised $18.7 million, Change Healthcare acquired 2 different companies—PDX for $208 million and ERX for $213 million, and special funds by Andreessen Horowitz and Softbank supporting founders of color. —Matthew Holt

Health in 2 Point 00, Episode 75 | Rounds & IPOs, Health Datapalooza, & the Facebook Controversy

Today on Health in 2 Point 00, Jess and I are at the 10th annual Health Datapalooza in Washington D.C.! Jess talks to me about Xealth’s $11 million round to develop out its company, and Change Healthcare is applying for a $100 million IPO. The big takeaways from Health Datapalooza are that many people and companies have integrated data into their systems, but they haven’t been able to gain many actionable insights from it. Also, if you haven’t heard of the complaint Andrea Downing, Fred Trotter, and David Harlow wrote to the FTC concerning the privacy and data that can be downloaded from Facebook’s groups, you better check it out. It details the concern that Facebook is not protecting the data of patients, as anyone can download sensitive data from the groups and use it. —Matthew Holt

Health in 2 Point 00, Episode 63 | Walgreens & FedEx partnership, Verily’s adherence program, & more!

Today on Health in 2 Point 00, Jess and I get festive for the holidays. In this episode, Jess asks me about Walgreens and its new partnership with FedEx for next day prescription delivery and with Verily to help patients with prescription adherence. She also asks me about blockchain startup PokitDok getting its assets acquired by Change Healthcare. Lots of job changes are happening as well. Amy Abernethy, the chief medical officer at Flatiron Health, was named Deputy Commissioner of the FDA. Rasu Shrestha, who was previously at the University of Pittsburgh Medical Center, is the new chief strategy officer of Atrium Health. Finally, Zane Burke, who recently stepped down as president of Cerner, was just hired as Livongo’s new CEO, while Glen Tullman remains executive chairman of the company. Dr. Jennifer Schneider was also promoted from the company’s chief medical officer to president. We have one more episode of Health in 2 Point 00 for 2018, so be on the lookout for our year-end wrap-up. —Matthew Holt