ICYMI: A flash report of top Healthcare RCM news headlines from March and April.

Our healthcare system experienced one of the largest cyberattacks in history. 

Not surprisingly, the top headline for the past two months has been the unprecedented cybersecurity breach involving Change Healthcare. This event highlighted the susceptibility of healthcare organizations and brought attention to the escalating threats posed by highly advanced ransomware groups like ALPHV/Blackcat. 

Despite the ongoing disruption of operations and deterioration of patient care caused by such attacks, many healthcare organizations, both public and private, are taking proactive steps to prepare for future cyber threats.

Congress conducted a subcommittee hearing to examine the healthcare sector’s cybersecurity vulnerabilities. 

A house hearing took place on April 16th to discuss the cybersecurity threat in the healthcare sector. 

During the session, house representatives voiced concerns about the potential lack of adequate cybersecurity measures to prevent future breaches in the wake of the Change Healthcare cyberattack. Topics of discussion included:

  • Are large conglomerate healthcare organizations, like UnitedHealth Group, making themselves prime targets for data breaches and ransomware attacks?
  • How can we better understand how the healthcare sector is inherently vulnerable and acts as a cyberattack playground?
  • Did UnitedHealth Group have the required privacy and security practices in place, or was the breach unavoidable?
  • Why there is a lack of cybersecurity investment across healthcare providers, especially since it’s a prime target?

Many of the legislators’ questions about the Change Healthcare cyberattack went unanswered since UnitedHealth Group did not send a representative. 

Healthcare providers and cybersecurity experts urged the government to provide healthcare systems with adequate funding to prevent future breaches while avoiding burdensome regulatory requirements. They also asked government representatives to create more accountability for third-party software and service companies when a data breach occurs. 

On Wednesday, May 1, UnitedHealth Group’s CEO, Andrew Witty, will appear in front of two Congressional panels to discuss the Change Healthcare cyberattack. 

UnitedHealth Group provided a data breach progress report for the Change Healthcare Cyberattack and confirmed that they paid a ransom.

UnitedHealth Group released a press release on Monday, April 22, to provide a progress report for the Change Healthcare Cyberattack with a focus on their reconnection status, breached data analysis, and an additional support resource for potentially impacted people. 

While the stolen data applies to many Americans, UnitedHealth Group estimates it will be several months before it can deliver official breach notifications to consumers and providers. In the meantime, the organization set up a call center and 2-year credit monitoring service for any consumers or patients who fear their data has been compromised.

On April 29, a UnitedHealth Group spokesperson told CBS News that a ransom payment was made, but they did not confirm the amount. 

The Cybersecurity and Infrastructure Agency wants to establish a new rule requiring cyberattacks to be reported within 72 hours and any money paid to criminals disclosed within 24 hours. 

The Cybersecurity and Infrastructure Agency (CISA) has proposed a new rule that would require critical infrastructure entities, including healthcare organizations, to report cyber incidents within 72 hours. The goal of the rule is to help CISA identify trends in cyberattacks, help victims, and quickly share information with other companies. 

Individuals have until June 3 to give their feedback on the proposed rule.

Telehealth’s Future Expansion Under Review

Congress Considering 15 Bills To Permanently Expand Telehealth Access

Many telehealth access expansions are scheduled to expire in December 2024. The American Telehealth Association and healthcare providers are appealing to lawmakers to permanently remove the restrictive regulations that made telehealth access difficult prior to the COVID-19 pandemic.

The American Hospital Association is also urging Congress to make the telehealth expansions permanent. The government’s cautious approach is due in part to cost considerations since both healthcare utilization and the cost of care may increase.  

UnitedHealth Group Shuts Down Telehealth Care Business Three Years After Its Launch 

On April 24, Endpoints News reported that UnitedHealth Group will shut down its Optum Virtual Care business that provides online urgent, primary, and pharmacy services. 

According to Endpoints sources, UnitedHealth Group notified impacted employees on April 18th of the decision to shut down the business with some employees reporting their last day will be in July.

Joint Commission Launches New Telehealth Accreditation Standards

The Joint Commission announced its new Telehealth Accreditation Program (TEL), which aims to help virtual healthcare providers and remote patient monitoring organizations implement standardized policies and procedures to provide high-quality care in a safe environment regardless of the care setting. 

The accreditation requirements will be available in May the program goes into effect July 1, 2024.

What’s Next…

Stay tuned for more healthcare revenue cycle industry updates in our new Revenue Cycle Round Up series where we share the latest trends in revenue cycle payer compliance, IT, and operations.