The Policy Implications of the Change Healthcare Cyberattack
Published by The Lawfare Institute
in Cooperation With
It’s been a rough few weeks for the health care sector, ever since a ransomware attack hit Change Healthcare on Feb. 21. Regulators launched an investigation and established a massive emergency loan program for hospitals, physicians, and other health care providers. While cyberattacks have been on the rise in health care over the past decade, this is arguably the most disruptive attack to date. But understanding its effects requires a tremendous amount of institutional knowledge about a complex industry.
On Feb. 21, Change Healthcare notified clients that it was experiencing a network interruption related to a cybersecurity incident. Attributed initially to a “suspected nation-state” and subsequently to ransomware operator AlphV/BlackCat, details of the attack’s severity unfolded rapidly. On March 1, a bitcoin address connected to BlackCat received 350 bitcoins (equivalent to $22 million) in a single transaction assumed by many to be Change Healthcare's ransom payment. The fate of any data stolen during the attack remains unknown. Some business operations have been restored, while other disruptions are expected to continue until the week of March 18.
Change Healthcare does not provide health care directly, like a hospital or a physician. And it isn’t an insurance company (though it is owned by UnitedHealth Group, the largest health insurer in the United States). Rather, Change Healthcare serves as an intermediary between health care providers, patients, and payers, offering revenue and payment cycle management services. Put simply, Change Healthcare gets hospitals and doctors paid. But it hasn’t done that for almost a month.
A month without getting paid can be devastating to hospitals and doctors, threatening their ability to make payroll, purchase necessary supplies, and care for their patients. Though the numbers can be difficult to pin down, estimates suggest that health care providers are losing $25-$100 million daily due to this cyberattack—a nearly unprecedented disruption to the business of health care.
The response from the Centers for Medicare and Medicaid Services (CMS), which is the agency that administers Medicare, in the form of an emergency loan program is also nearly unprecedented. As part of the loan program, CMS has offered “accelerated payments” to hospitals and doctors experiencing disruptions due to the Change Healthcare cyberattack. Eligible providers will receive an amount equivalent to 30 days of Medicare claims payments, with automatic repayment occurring over the following 90 days.
Beyond the damage to doctors, hospitals, and patients, the Change Healthcare cyberattack and CMS’ response have several important policy implications.
First, market consolidation in the health care industry that occurred long before this recent cyberattack means there may be actors that are “too big to fail,” and these actors aren’t just the usual suspects. When policymakers talk about consolidation (that is, a move away from competitive markets) in health care, they’re usually referring to the increasing dominance of a few very large hospital systems and insurance companies. And indeed, another recent high-profile cyberattack in health care hit the second largest hospital system in the United States, resulting in ambulance diversion, canceled surgeries, and equipment outages at multiple hospitals around the country. But another way of quantifying health care consolidation might be the flow of dollars. Whatever the precise share of all health care spending flowing through Change Healthcare, it’s clearly too much to lose for even a few weeks. Should actors like this be required to enact recommended cybersecurity defenses? To demonstrate readiness in the event of a cyberattack? Should we apply lessons from financial sector regulation to health care?
While that regulatory strategy may be appropriate for large financial intermediaries like Change Healthcare, it may not be the right approach for other actors in the health care system. But one thing seems clear: If policymakers want to see fewer disruptive cyberattacks, the current voluntary approach to cybersecurity may be insufficient. I am heartened to see discussion of mandatory minimum cybersecurity standards (paired with financial incentives), but let’s not wait until fiscal year 2029, as the Department of Health and Human Services has proposed, to enforce these.
Second, the sophistication of cyberattacks in the health care sector seems to be increasing with cybercriminals deliberately targeting well-resourced actors. At this point, many people working in health policy are likely wondering, “Why Change Healthcare?” and “Why now?” Mainstream perceptions of cyberattacks often picture cyberattackers sending random phishing emails from their parents’ basements. But existing research—not to mention the recent attack on Change Healthcare—paints a much different picture: increasingly sophisticated ransomware attacks affecting well-resourced health care providers. That BlackCat knew to target a financial intermediary like Change Healthcare—and that they were able to penetrate what were likely well-developed cybersecurity defenses at a well-resourced institution, resulting in weeks of disruption—suggests a sophisticated operation with knowledge of the pressure points in health care. The evolving nature of cyberattacks adds a further sense of urgency to the need for minimum cybersecurity standards across the health care sector.
Third, CMS deserves commendation for its swift action in this situation, but it should consider making this financial reserve permanent. The Change Healthcare attack is not the first time a cyberattack has disrupted business operations for a few weeks. In my research on hospital ransomware attacks, I found that the average disruption is two to three weeks, resulting in a financial loss equivalent to roughly 1 percent of the attacked hospital’s total annual revenue. For hospitals operating on the knife’s edge of profitability, this lost revenue can be the difference between a year in the black and a year in the red. And while ransoms appear to be rising over time, they are still dwarfed by the revenue lost due to disrupted patient care during a cyberattack.
By offsetting the financial pain of a ransomware attack, CMS might better align hospital incentives with law enforcement’s goal of reducing ransom payments. Right now, any health care provider experiencing an attack has to weigh the financial and reputational cost of paying a ransom against the cost of potential prolonged business disruption. Lessening the latter might reduce the frequency of ransom payments—which is likely a key ingredient in deterring future cyberattacks. Lest one argue that this would also lessen the incentive for health care providers to invest in cybersecurity defenses, surely a policy could build in some “skin in the game,” to reduce any potential moral hazard.
Fourth and relatedly, the cyber insurance market is in desperate need of scrutiny—and potentially regulation. Mitigating massive financial loss in the event of a relatively low-probability cyberattack is something we might reasonably expect of cyber insurance policies. But with every passing year, these policies seem to get more expensive and less comprehensive. Hospitals and other health care providers aren’t required to hold cyber insurance policies, and an increasing number report dropping them due to cost. To a health economist, this pattern suggests an insurance market unraveling due to adverse selection, but it’s tough to evaluate without more information.
The Change Healthcare cyberattack is a sobering example of the U.S. health care system’s vulnerability to cybercrime. I sincerely hope that this episode represents a significant outlier—rather than the new normal for cyberattacks in health care—but that may depend on swift policy action in the near future. The necessary policy changes may not be universally popular and will certainly be expensive. But failing to enact a meaningful response all but guarantees future disruptive cyberattacks like the one Change Healthcare currently faces.