Many health system CIOs are still dealing with the fallout of the Change Healthcare cyberattack nearly three weeks after it led to disruptions across the industry, but some IT chiefs say the event could pave the way for changes.
CIOs told Becker's the ransomware attack that took many payer and prescribing systems offline could increase federal cybersecurity muscle for healthcare, scrutiny of mergers and acquisitions, and spotlight on the sector's interconnectivity.
"For one thing, it is evident that we do not just need regulation and policies for cybersecurity in healthcare — we also need a federally-mandated ecosystem to assist with and standards for the cleanup and restoration activities after such an event," said Saad Chaudhry, chief digital and information officer of Annapolis, Md.-based Luminis Health. "If there is indeed a breach of PHI [protected health information], there will need to be a mass-coordination event with all the orgs whose people are impacted and will need to be notified and given identity protection."
He said Change's statements on some of these issues — namely whether cybercriminals did, as they claimed, steal massive amounts of data — have been inadequate. The company has said it is still investigating the impact on the health information of patients, members and clients.
Others point to what the hack has revealed about the interconnectivity of so much of the healthcare system, largely brought on by consolidation. UnitedHealth Group, the biggest healthcare company in the U.S., got even bigger when it acquired Change Healthcare in 2022 for $13 billion. Change processes 15 billion healthcare transactions annually. The cyberattack is the largest to ever hit the sector.
"The event has highlighted the increasing vulnerabilities of the healthcare industry due to the growing dependence on digital solutions and connectivity, especially with the rise of mergers and acquisitions," said Muhammad Siddiqui, CIO of Richmond, Ind.-based Reid Health. "Therefore, it is critical to implement comprehensive cybersecurity strategies that can prevent disruption of healthcare services, safeguard patient data, and uphold the integrity of the digital healthcare infrastructure."
Mr. Chaudhry said many leaders in the field are "beginning to wonder if there is such a thing as 'too big to not affect us all' in healthcare."
Like many health systems, Norwalk, Ohio-based Fisher-Titus has run into trouble submitting claims and receiving payments from payers and obtaining medications for patients during the cyberattack outage. CIO Linda Stevenson said the financial impact on her health system has been "huge."
"While we have always worked on ensuring we have proper downtime procedures, and have tested those processes, this highlights the fact that we are still constrained by the cybersecurity efforts and downtime expectations of other areas of the healthcare chain," she said. "As we should never let a crisis go to waste, it is my hope that we will now get the appropriate amount of attention on the critical connections between all the links in the chain."