The Change Healthcare Attack and Its Effects on Healthcare Organizations

On this episode of The Modern Practice Podcast, host Gary Tiratsuyan is joined by Rectangle Health’s Chief Product and Strategy Officer, Michael Peluso, and Senior Vice President of Enterprise Technology Partnerships, Brian Doyle. They discuss the Change Healthcare cyber-attack, the implications of this incident on healthcare organizations, and how practices can:  

  1. Mitigate risk to their practice and patient data 
  2. Ensure revenue continues to flow despite disruptions to insurance payments 
  3. Identify needed compliance and cybersecurity improvements by leveraging Rectangle Health’s no-cost HIPAA Gap Assessment. 

Transcript

Gary Tiratsuyan 00:17 

Hello, everybody and welcome back to the Modern Practice Podcast brought to you by Rectangle Health. I’m your host, Gary Tiratsuyan. Today we’re delving into a critical topic that sent shockwaves throughout the healthcare industry. As many of you are already aware, Change Healthcare recently fell victim to a cyber-attack, disrupting processes for physicians and hospitals nationwide, from billing to prescription management.  

The repercussions of this attack have been felt far and wide, affecting countless providers and patients in an instant. Today we unravel the implications of this event and explore its impact on healthcare organizations and beyond. Joining us are two industry experts, Mike Peluso, Chief Product and Strategy Officer, and Brian Doyle, Senior Vice President of Enterprise Technology Partnerships at Rectangle Health. Thanks for taking the time and welcome to the show.  

Mike Peluso 01:12 

Gary, thanks for having us. It’s great to be here. 

Brian Doyle 01:16 

Thanks a lot, Gary. We’re excited.  

Gary Tiratsuyan 01:18 

I want to dive right into it and get into the heart of the matter. Change Healthcare is a prominent player in the industry. But Mike, give us a brief overview. Who are they? What do they do? Why does their recent cyber incident have such a significant impact on healthcare organizations and patients?  

Mike Peluso 01:40 

As you said, Change Healthcare is a prominent player in the healthcare industry, and they facilitate a large portion of healthcare transactions. And when we say healthcare transactions, think about eligibility transactions, checking if a patient has insurance or checking if the patient has benefits. Think about claim transactions. When a provider, medical facility, or dental facility wants to submit a claim to an insurance company, it’s got to go through Change Healthcare, or more often than not it goes through Change Healthcare. Additionally, think of payments back from insurance companies. A lot of times those will flow through Change Healthcare as well.  

They are a major software entity, a major clearinghouse entity. You’ll hear us use that term a lot. And as you know, I love a good analogy. Think of them similar to an oil refinery. Think about how an oil refinery takes oil, refines it, and then delivers it out to all the gas stations throughout the country. If you were to rewind back a few years and think about how there was an oil refinery outage, think of that. Think of the broad, broad implications of that.  

And a lot of people go, I don’t know, who cares if an oil refinery is out? But think about the implications that we all felt in that, all of a sudden, gas stations weren’t getting gas. All of a sudden, consumers weren’t able to put gas in their car. All of a sudden, people weren’t able to go places. That’s a pretty big impact.  

Take that same impact, and then apply it to something like pricing. The supply of gas went way down, so the price went way up as well. When you look at the Change Healthcare incident, the broad implications are far-reaching and similar. We’ll go through some of that. I know you have a few questions. But if I could give everybody a really good analogy of what the impact is, that would be a good way to sort of sum it up. 

Gary Tiratsuyan 03:39 

I think that paints a great picture. And it’s evident that Change Healthcare’s extensive presence made it a prime target for a cyber-criminal.  

Brian, I’m going to turn to you now on the cyber-attack on Change Healthcare. It’s been described as one of the most substantial breaches in healthcare history. From your conversations with healthcare organizations, can you elaborate on the specific ways that they were impacted by the attack? 

Brian Doyle 04:11 

Yeah, absolutely. What we’ve heard over and over again is shockwaves. In our discussions, specifically with mid-market to upmarket healthcare organizations, it became very, very apparent that this breach was multifaceted for their organization. The first and probably most important factor was the inability or the slowdown of their financial cash flow. When we think about billing, we think about claim processing. Many of these providers were unable to collect payments for weeks. We actually talked to one organization who said they’d have $3 to $4 million a week tied up due to this breach. When you think about cash flow and what that means to run your business, it’s critical.  

Then we started talking about some ancillary issues from this breach. Some organizations raised concerns about data security. In healthcare, you may not really think about that very often. It’s just kind of in the back of your head. But data security and patient privacy are at the forefront right now. A lot of these organizations had to have a reality check. They haven’t thought about these things in a long time. They kind of just check that they’re HIPAA compliant and move on. But now, with this breach, data security and cyber insurance is extremely important. Not only to know how you’re set up, but how you’re going to get out of an issue like this.  

Overall, we’ve heard a number of different things from our healthcare providers stemming from cash flow, cyber insurance, lack of compliance, and lack of updates. It’s brought a lot to the surface throughout the market.  

Gary Tiratsuyan 06:16 

Thanks for that, Brian. It speaks to the sophistication of the attack. It’s evident that many providers were left scrambling to cope with the fallout. As you mentioned, they’ve got cash locked up and not flowing freely. And it’s really making them resort to less efficient methods like paper submissions for claims processing.  

In light of this challenge, Mike, what advice would you offer a healthcare provider today to navigate around the obstacles? To deal with the situation now and streamline their reimbursement process? Even in the long term? 

Mike Peluso 06:54 

Great question. Kind of a big one. I’ll break it down with the best term that I can utilize for providers. And the best advice that I can give is risk mitigation. That term has a lot of different meanings. Brian just mentioned this created payment risk. In order to operate a successful business, you need payments coming in on a consistent basis. Cash flow.  

Providers, they’ve always focused on that insurance cash flow. That’s the way it is in the U.S. healthcare system. Insurance carriers pay a lot of the claims. As an industry, we’ve invested millions, billions, if not trillions, in getting paid from insurance companies. It was almost a foregone conclusion that insurance company payments would always flow until this incident with Change Healthcare. All of a sudden, that consistent thing that always occurs stopped for everyone. It was almost the equivalent of a COVID moment. You never thought it would happen, the world shutting down in a day. Well, imagine your cash flow shutting down in a day. And then that cash flow flows down to the employees of that practice. If there’re no dollars coming into that practice, there’s no payroll, either.  

When you think about risk mitigation, you have to think about cash flow. And the other side of insurance payments is patient payments. There’s been a lack of investment in patient payments in the industry. It hasn’t had the spotlight the way that insurance payments have. But you can mitigate some of your insurance payment risk, and turn it into a living, by making sure patient payments are flowing. If one stops, the other one still comes in. It goes both ways. If for some reason patient payments stop flowing one day, well, at least you have the insurance payments coming in.  

This incident highlights what happens when insurance payments stop flowing. Practices are kind of like boats in the water without an engine. They’re sitting there going, what do I do? The backup engine might not be as big as the normal engine, but it’s there, and it’ll get you wherever you need to go for that time period.  

The second risk mitigation factor is to not put all your eggs in one basket. I think a lot of providers didn’t know they had that many eggs in the Change Healthcare basket, that they were so reliant on this one, large vendor. But now we’re trying to respond to the incident and understand how you mitigate that. Take a look at large vendors. Make sure you know, especially if you’re a large organization, what your backup plans are. If one goes down, you can switch to another one. This goes for any critical service in an office. It doesn’t have to be just claim submission or eligibility, it can be payments or supply vendors. What if you bought all your gauze and rubber gloves from one vendor, and that vendor went out of business tomorrow? You have to get gauze and rubber gloves from somewhere else. Again, I’m giving you pretty extreme examples, but you don’t want all your eggs in one basket. I think this has definitely taught us that.  

Finally, Brian touched upon it, within HIPAA and PCI regulations, you as a medical provider, dental provider, hospital, or any type of facility, have to meet standards to protect your data. This includes things like having two-factor authentication for passwords and data backups. Up until this incident, I think a lot of people looked at these as check boxes. Yeah, I have that. Or, I have a document that says I have it. But having a document and actually having policies and procedures or technology in place to support it are totally different things. Again, I would sum it up into those three risk-mitigating concepts. Now the urgency is building to make sure you’re going after at least those three.

Gary Tiratsuyan 11:48 

That makes total sense. It’s risk mitigation and business preparedness to open up different avenues or different channels to collect revenue and cover yourself. Thanks for that insight. It’s crucial for providers to explore avenues to recoup lost revenue.  

Brian, I want to shift to you and shift focus slightly. Let’s talk about Text-to-Pay, Bulk Text-to-Pay, keeping your card on file, and online patient payments offered by Bridge™ Payments. Within your engagements with providers, and especially with larger healthcare organizations, do you see the market adopting these types of payment solutions? And how does expediting patient payments correlate with bolstering practices’ financial stability in times like now when we’re dealing with the Change Healthcare attack? 

Brian Doyle 12:48 

It’s a great question and a fascinating one that has a lot of ebbs and flows. In the past, pre-COVID, things like Text-to-Pay or card on file were nice-to-haves. That’s kind of cool, but one’s going to use it. That was the overall trend in healthcare. Then COVID came and all of a sudden consumers and patients said, this is the only way I’m going to pay now. I need to have this. That trend is still here. The consumerization of payments is real.

An analogy I like is the OpenTable analogy. I don’t call a restaurant, give my name, and then walk in and they pull out a book to find my reservation. I do all of that with my phone and my card is already on file when I walk in. Consumers of healthcare want these technologies now, and what we’re seeing is a lot of upmarket providers have a lot of these solutions in place. They’re just not leveraging them, because for whatever reason they’re concentrating elsewhere.

We have seen an uptick in usage or adoption across the board specifically with Text-to-Pay and card on file. Card on file is mission-critical to keep the cash flow coming in. If we don’t have insurance payments coming in, we have to make sure we get paid from our patients. Card on file is the best way to do that with the ancillary products like Text-to-Pay and payment plans for patients in need.  

Now, what we’re seeing even more is at the individual provider level. They’re realizing probably for the first time that they absolutely need the software for these payment solutions. In the past, they thought, my patients will pay me, no big deal. We’ll get paid when we bill. Well, the billing is piling up. We don’t have insurance payments coming in. Leveraging these payments is allowing providers to make payroll, to continue to provide health care – what they’re trying to do in the first place. 

So, the overall adoption of these payment solutions has absolutely grown over the last four to eight weeks. The expediting of patient payments is not just about convenience any longer. It’s about ensuring financial resilience and the sustainability of healthcare practices, particularly during challenging times like these. 

Gary Tiratsuyan 15:29 

Makes sense. Mike, I want to turn to you and reference what Brian just spoke about, this uptick in card on file usage and Text-to-Pay. Let’s take a step back and look at providers who don’t have this functionality or the systems in place to collect these payments. When systems were down, what were the downstream effects on revenue? Additionally, what was the impact of the cyber-attack on patients during that same time frame? 

Mike Peluso 16:08 

Great question. It’s not the easiest explanation, but let’s walk each other through it because it’s complex. I think that’s why you don’t see a lot of descriptions online and why we don’t really understand the true impact. The day that this incident happened, providers were expecting payments from insurance companies. They immediately stopped on that given day. Most people would go, that’s bad, right? But then they stopped for an additional two to three weeks following that day. That’s a little worse, right? You would think that after two to three weeks, it’s all back to normal. But the piece that everyone is forgetting is that during that two-to-three-week period you also couldn’t submit a claim for payment either. So not only are you not getting the money owed to you, but you can’t put in any claims for additional money owed to you.  

That impact will extend for a very long time. Three weeks later, when everything comes back online, then you have to put in the submission. Then the claims process, which can take, depending on the payer, 30-60-90 days, kicks in. So this three-week period will create reimbursement issues for easily the next 90-120 days. A lot of these practices don’t have the resilience for that. They didn’t build systems for that. They, like all of us, assumed that the insurance payments would just keep flowing. Even the government has gone in and tried to figure out ways to give temporary loans. And even the vendors, Change Healthcare itself, have tried to figure out a way to get temporary loans, anything they can do to help float that time period. A lot of people look at incidents like this, and think it was just days, right? Well, it’s a lot bigger than just 10 days. So hopefully everybody has a better appreciation for it now.  

The other thing, too, is that during that 10-day period, providers may not have been able to check eligibility for a patient. Some providers are okay with this. You’re coming in for services, you have a good relationship with your dentist. Change Healthcare goes down, but you’ve been coming here for five years, so we’re going to go ahead and give you service. But think about new patients. Providers couldn’t validate whether they had benefits or not. Depending on whether or not they had the ability to take patient payments, they might not have had the ability to collect anything from an emergency case or a new case. And a lot of times providers will say, sorry, I can’t help you. That also occurred during that time. That has an effect on the practice. And now we’re starting to talk about the effects on patients. That definitely created some issues.

One last thing, and the biggest one. We don’t dwell on this one a lot, but it is a big one. Change Healthcare most likely had a record for 70 percent of the United States population. Wow. That’s how big and broad-reaching they are. Right now, that data is out there somewhere for someone to obtain. It’ll take a little while to unravel all this, but in the next year almost all of us will get one of those letters that says your data has been breached by an incident. You’re now offered free credit monitoring. I know there are some rules and regulations around that. I think everyone will start to see that very soon.  

I’m hoping patients don’t link that back to their providers because patients don’t know Change Healthcare. I’m hoping patients don’t go, Dr. Joe put all my data out there into the dark web. How did that happen? I think we’ll also have to do some good communication with patients to help them understand Dr. Joe didn’t do anything wrong. Dr. Joe did everything he was supposed to do. Dr. Joe has the right cybersecurity policies, the right HIPAA policies, and the right protections in place. This happened from a much bigger entity. You could blame the gas station for running out of gas, but it was really the oil refinery. It wasn’t the gas station. I think we’ll have to navigate that in the coming months. And we’ll certainly be able to help providers with that as well. 

Gary Tiratsuyan 21:17

Thanks for that, Mike. It’s a perfect segue. Brian, over to you. We’ve spoken a lot about the revenue impact and keeping revenue flowing even when the insurance payments may be down, or vice versa. And being prepared for risk mitigation. But I want to talk about true cybersecurity protection. How can a provider ensure that they’re keeping patient data safe? 

Brian Doyle 21:47 

Like Mike said, let’s make sure we have the proper HIPAA certifications and proper cybersecurity insurance. And let’s make sure we’re buttoning up what we need to button up. Individual clinics have to go through an annual HIPAA assessment. Every single year, you have to do it. If you call us, we’ll help you out. We’ll actually provide it for you. We’ll take care of you. We want this to get done. But you have to make sure you’re going through the process. You need a software or solution in place that has data backup and that encrypts emails. You need to have cyber insurance. Heaven forbid anything ever did happen, you know you’re protected.  

Our Bridge™ Compliance product is specifically built for healthcare providers to maintain effective and scalable HIPAA, OSHA, and cybersecurity protections. What we want to do at Rectangle Health is provide this for as many people as we possibly can, as fast as we can. We could have this up and running for you in about a week. Give us a call. Let’s go through it. Let’s make sure everyone’s protected. 

Gary Tiratsuyan 23:05 

Thanks, Brian. The attack on Change Healthcare was attributed to one of the world’s largest ransomware groups, highlighting their persistence, their sophistication. And we all know patient data is incredibly valuable. There’s the reason for the attack. And Change Healthcare’s reach obviously drew these criminals to them specifically. 

I think one of the most concerning aspects is the uncertainty surrounding whether the criminals will release this sensitive patient data, even after a ransom is paid. And with that in mind, what kind of proactive measures can providers take to minimize the risk of falling victim to a ransomware attack? And, if there’s an unfortunate event that they do become victim to, what steps should a provider take immediately? We’ve touched on the aftermath of the attack. But do you see a sense of heightened apprehension within the industry following the incident?  

Mike Peluso 24:15 

I think the best thing I can say is that if it can happen to Change Healthcare, it can happen to you. I mean, Change Healthcare is a huge corporation. They probably have 200 cybersecurity or security analysts on staff there, and it still happened to them. You as a provider are by no means safe from becoming a victim. You have to be proactive about that. You have to be vigilant about that.  

The other thing that providers don’t get the luxury of (luxury is not the right word for it) is that Change Healthcare just shut down operations for three weeks. Basically, they locked all the doors and went into an incident response mode, we’re going to get this fixed. As a provider, you actually have to go into the same incident response mode. But when you can’t lock the door because you’re a provider of critical services for patients, people are going to want to come in the next day for their appointments still. People are going to need that emergency dental treatment or that broken tooth fixed. Most people don’t want to miss their appointment with their cardiologist.  

If you’re in a situation where it happens to you, as a provider, it’s actually more critical for you than it is for somebody like Change Healthcare because patients are going to come in the next day. And they’re not going to want to hear that you had a cyber incident and they can’t get their medical problem worked on. Some of these are life-saving treatments. Cancer patients are not going to want to hear that they can’t get their cancer treatment because there was a cyber incident. I don’t mean to be so severe in my example, but I want to let providers know, I want to let listeners know that it’s almost more critical for you to be more vigilant and more responsive to these types of things than it was for Change Healthcare.  

Take it as a learning lesson. If it can happen to Change Healthcare, it can happen to you. You need to have the right policies in place, you need to have the right systems in place, you need to have the right data backups in place, you need to have the right sort of secondary systems or backup systems in place. If something does go wrong, it’s even more critical for you as a medical or dental provider to have those than it is for someone at the scale of Change Healthcare.  

Hopefully, as providers hear this, you go, I really have to make sure this doesn’t happen. Sometimes it’s hard to avoid. It’s going to happen, or it might happen. Maybe that’s the right word. What do you do when it does happen? What’s the plan? How do you get the data back? Do you have the cyber insurance in place to make sure your business stays afloat? Can you open the very next day? Can you continue business operations without anything happening to the patient? Obviously it’s going to be a little bit chaotic for the organization. But again, you want to be able to continue providing services to patients, regardless of said incident. And you have to have a lot of policies, procedures, and systems in place, similar to some of the ones Brian talked about, to make sure that business continuity continues.

Gary Tiratsuyan 27:49

That makes sense. Brian, anything from you? 

Brian Doyle 27:54 

Mike, that’s it 100 percent. At the provider level, if you’ve pushed it off or haven’t gotten your assessment this year, let’s make sure you do it. Again, it could happen to Change Healthcare. It could happen to you.  

The common theme that I’ve seen in my research, and all this is to Mike’s point, is that if it can happen to Change Healthcare, it can happen to anyone. That’s very real. If you’re a mom-and-pop shop, dentist, dental practice or chiropractor that doesn’t leave you off the target. You’re still on their radar for the attack. Doing everything you can to protect your practice, your business, and your patients is critical.  

I’m going to drop a link into the episode description for Rectangle Health’s no-cost HIPAA Gap Assessment. Additionally, Rectangle Health recently released an extensive blog article outlining the Change Healthcare attack, and there’s a ton of valuable information in there. So I want to wrap up with specific action items and takeaways for our listeners. And I’ll turn to you both, starting with you, Brian. An event like this can happen again, at any time. What can providers do to ensure that they’re operating at the highest efficiency and are doing everything they can to protect themselves, their businesses, and their patients today? Starting right now – immediate action items.

Brian Doyle 29:29 

First and foremost, let’s invest in cybersecurity measures. That’s mission-critical, especially at this point. This includes implementing advanced threat detection technologies, regularly updating security protocols, and conducting your risk assessments on an annual basis.  

Second, we need to foster cybersecurity awareness. I know I said that at Rectangle Health we go through a lot of phishing, scams, and things of that nature. It’s tedious, but it’s a step in the right direction. We need to have that conversation to add an FTE level within a provider’s office. Those are two immediate actions we can take right now – today – to mitigate risk. Like Mike said, this is all about risk mitigation at the end of the day.

Mike Peluso 30:15 

To add to that, there are big vendors in this space. And I would consider Rectangle Health to be a big vendor in the space. I would consider Epic to be a big vendor in the space. I would consider athena to be a big vendor in this space and Henry Schein in the dental space. We all need to look at our risk mitigation. For Rectangle Health, if I’m the payments supplier for 60,000 plus practices and my connection to Visa, Mastercard, or Discover goes down, then I better have a secondary connection to Visa, Mastercard, or Discover? As I’m servicing my customers, they shouldn’t have that disruption. I haven’t built one critical connection to the next endpoint. As vendors in this space, as partners in the space, and as providers in this space, I think we all need to do that.  

Change Healthcare is a great example. Everybody had one connection to Change Healthcare. But when it went down, all the providers wondered if they could send the claims to someone else. No, we only built one connection? Oh, man. Okay. Why stop at two connections? Why don’t you build three connections? As we look at partners and providers in the space, we all have to do better for our customers. For providers, their customers are ultimately the patients. We all have to do better for them. How can we build multiple ways to do these critical business functions? And how can we de-leverage some of the critical choke points or components to make sure that if something big like this happens, there isn’t just one road to get there? We all have to come together on that.

I think providers have to look and really try to understand some of their critical systems. I’m sure there were plenty of providers that didn’t know 100% if their insurance claims flowed through Change Healthcare. They have to ask those questions, and they have to push on their vendors. Like I said, even as a payments vendor, providers should ask us, if something goes wrong in your primary connection, do you have a backup? We absolutely do. We have nine of them, to tell you the truth. If there’s something that goes wrong, we can do that. And we have to push on some of these other partners in the space. Rectangle Health partners with some of these companies, and Rectangle Health has partnered with a lot of the largest providers in these spaces. Well, we have to partner with them to really take a look at some of these critical dependencies and try to mitigate risk as well. 

Gary Tiratsuyan 33:15

Thanks for that, Mike. One key note to make is that the dentist just wants to provide dental care, a doctor just wants to provide medical care. You don’t have to do this alone. I think that’s a big, important note to mention. You can take this no-cost HIPAA Gap Assessment and have a conversation with a consultant from Rectangle Health to identify the issues and the gaps and where you may need some additional padding or security or built-in processes and workflows. You don’t have to tackle it yourself. You don’t have to be an expert. As you mentioned, Mike, Rectangle Health has so many partners, you could partner with someone that is an expert in the industry and protect your practice, your patients most importantly, and your business as well. Thank you so much for those insights.

For our listeners tuning in, if you’re interested in discussing options on these solutions with Brian and Mike, I’ll have details in the episode description as well as both Brian and Mike’s LinkedIn profiles for you all to connect. Ask any questions you may have, they have a wealth of knowledge as you’ve heard today. Mike and Brian, again, thank you so much for taking the time to join me today. The insights and the recommendations go a long way toward hopefully helping providers navigate these challenging times and to be better prepared if it does happen again. It can help them be vigilant and alert that this type of incident could very well happen to them as well. Appreciate you both coming on.

Mike Peluso 34:53 

Gary, this is great. Thanks for having us. 

Brian Doyle 34:57 

Gary, thanks a lot. We appreciate it. 

Gary Tiratsuyan 34:59 

Looking forward to speaking again soon and under less tense or better circumstances. For listeners tuning in, if you found this information helpful and enjoyed the episode, please like or subscribe to the Modern Practice Podcast. Leave us feedback in the comments or on your favorite streaming channel. We appreciate you listening in and be on the lookout for new episodes coming soon. Thanks for tuning in. Until next time, everybody.

 

Editor’s note: This interview has been edited for length and clarity. 

 

 
