Change Healthcare cyber outage


On Wednesday, Feb. 21, Change Healthcare began experiencing a cyber security issue and isolated its systems to prevent further impact. Optum, UnitedHealthcare, and UnitedHealth Group (UHG) systems were not affected by the issue, according to information provided by UHG. UHG has indicated they have taken appropriate action to contain the incident so that customers and partners do not need to sever network connections and disrupt vital services. Cybersecurity experts and the HHS Administration for Strategic Preparedness and Response (ASPR) suggest taking these steps to protect your networks:

  • With consideration of the written attestation from UHG that the Optum network is safe, organizations should evaluate their risk of using Optum, UnitedHealthcare and UHG systems.
  • While UHG asserts that any system that is currently live and available is safe to use, organizations should evaluate their risks and make determinations if connections to Change Healthcare are appropriate at this time.

As part of your risk evaluation, health care organizations should consider the impacts of severing connectivity to Optum, which includes but is not limited to loss of prior procedure authorizations, electronic prescribing and other patient care functions. Ultimately, your organization should make its own determination on whether or not to block Optum specifically while considering all the risks and consequences of doing so. Change Healthcare is posting updates on the status of the cyberattack.

If you would like to share information about experiences stemming from the Change Healthcare cybersecurity incident, please respond to this survey.

The AMA sent a letter (PDF) urging CMS to provide financial relief from MIPS penalties for physicians and other clinicians impacted by the Change Healthcare cyberattack.

View the AMA’s statement expressing the need for advanced funds to physicians following UHG’s announcement outlining the restoration timeline for the Change Healthcare claims system. The AMA also called for full transparency and security assurances from UHG.

The Centers for Medicare & Medicaid Services (CMS) is taking steps to assist physicians in the wake of the Change Healthcare cybersecurity attack.

The AMA credits the Department of Health and Human Services and CMS for responding to the urgent situation caused by the Change Healthcare cyber security incident and the unprecedented disruptions to medical practices and access to care. The newly announced flexibilities that have been put in place are a welcome first step, but the AMA is urging CMS to recognize that physicians are experiencing financial struggles that threaten the viability of many medical practices. Many physician practices operate on thin margins, and the AMA is especially concerned about the impact on small and/or rural practices, as well as those that care for the underserved. The AMA is urging federal officials to go above and beyond what has been put in place and include financial assistance such as advanced payments for physicians.

As the cyber-takedown of Change Healthcare has forced medical practices to go without revenue for a twelfth day, the AMA urged U.S. Department of Health and Human Services (HHS) (PDF) Secretary Xavier Becerra to use all its available authorities to ensure that physician practices can continue to function, and patients can continue to receive the care that they need.

A press release was issued announcing the AMA letter sent to HHS Secretary Becerra.

UnitedHealth Group (UHG) has created a website to provide updates on the cyber-attack that has impacted Change Healthcare and several of UHG’s systems. The website and the information it contains are provided by UHG and not by the AMA. The AMA has not reviewed the information for accuracy or content.

Information on the Change Healthcare Cyber Response.

Actionable next steps for impacted medical practices include (but are not limited to) the following:

  • Communicate with your payors regarding payment workarounds to bypass disrupted Change Healthcare applications.
  • Monitor the Change Healthcare Incident update website for relevant updates.
  • Develop a set of security- and incident-related questions or criteria for Change Healthcare to reestablish connectivity with Change Healthcare systems (e.g., what assurances can be provided that the risk has been contained and remediated? What security improvements have been implemented to help ensure similar incidents do not occur again? What personal information about our patients and/or clinicians has been compromised? What actions is Change Healthcare taking to protect those patients and/or clinicians?).
  • Review HIPAA compliance programs, including (among others) written policies and procedures and security risk analyses.

Cybersecurity updates

In response to active exploitation of a cybersecurity vulnerability, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have released a joint announcement on what is believed to be the cyber-attack that impacted Change Healthcare. The advisory details the attack and provides information for medical practices and information technology staff to help strengthen your organization’s cybersecurity.

AMA has curated resources and has tips for physicians and health care staff to protect patient health records and other data from cyberattacks. 
