Unintended consequences are not unintended if you know they are going to happen. The COVID-19 pandemic shed a damning light on an entire pillar of the American economy: many hospitals skated on the brink of bankruptcy, and the fragility of the healthcare workforce was fundamentally exposed. It had a lasting impact on the nation’s approach to disaster preparedness, critical care equipment reserves and vaccine programs, and it starkly revealed the fragility of health system operations and finances.
This month, another crisis broke the system: the Change Healthcare cyberattack. Change powers $1.5 trillion in healthcare payments annually. It is a major part of the infrastructure upon which the country’s healthcare dollars flow. The payroll of a janitor at a hospital in New York, a physician who owns her own practice in Oklahoma, or the CEO of a health system in California is inextricably tied to its function.
A major part of the payroll and financial well-being of 17% of the American economy is linked to this single piece of software, which is owned by UnitedHealth Group. For many healthcare providers across the country, the outage meant a complete stoppage in the flow of payments. The 15 billion healthcare transactions that Change processes annually have a direct effect on over a third of all patient records.
For a health system with less than 100 days’ cash on hand or a private medical practice, many of which have less than 60 days’ cash on hand, such a cyberattack on a company far removed from these organizations can be financially fatal in just a matter of months.
Could we have predicted a global pandemic that would fundamentally transform healthcare in the United States? Could we have predicted that if a piece of software failed, suddenly businesses in communities across the country were at risk of being financially wiped out?
The answer is yes and yes. Just as the healthcare system was challenged with H1N1 15 years ago and SARS more than 20 years ago, we knew that "someday" there would be a global pandemic unless we were prepared. We’ve also had warnings that isolated instances of cybersecurity breaches could turn into a national catastrophe.
The WannaCry cyberattack in 2017 had a global impact on healthcare and disrupted the operations of the National Health Service in the United Kingdom. In 2020, Universal Health Services, one of the largest healthcare providers in the United States, was hit by a ransomware attack that forced its facilities to revert to paper records and caused significant disruptions to patient care. Both of these raised alarm and were a prologue to this broader attack.
How do we future-proof our healthcare economy from another similar failure?
First, realize that the current centralized, payer-reliant, payer-focused reimbursement system is built for billing and collections and is owned by the payers. Change Healthcare, for example, is owned by Optum, part of UnitedHealth, for automating provider contracts to reduce costs, engage members to support satisfactory care and manage medical expenses.
Second, claims processing, reconciliation and prior authorizations are still done by humans under the hood of the software. In software engineering, the time it takes to bring a system back online is directly related to its operational complexity and human dependency.
Three immediate steps are necessary to mitigate what will surely happen again in some form in our current system:
We need a decentralized, software-driven, redundant approach that will prevent a single system from having a long-term devastating financial impact. Every health system should have a multi-clearinghouse-capable back-up revenue cycle system. Such an approach should have as many direct payer links as possible.
Physician practices and health systems need to reevaluate their security vulnerabilities across all relevant entities. Endpoint security and penetration testing become more important than ever. Organizations must treat cybersecurity as a "not if, but when" problem and upgrade their systems accordingly.
Most important, especially for health systems, cybersecurity needs to be a standing oversight and policy committee at the board level.
Making the Change Healthcare hack a fair warning, and not just the first round in an ongoing national catastrophe, will require unprecedented collaboration between healthcare organizations, payers and the tech/cybersecurity world.
Dr. Stephen Klasko is the former president and CEO of Thomas Jefferson University & Jefferson Health in Philadelphia and currently serves as an executive-in-residence at General Catalyst. He is also senior adviser to health technology company Commure.