News > Cyber-Attacks > CA-General
by Kevin Wood

HHS Mounts Multi-Agency Response to Crippling Change Healthcare Cyber-Attack

Multiple agencies assisting

The far-reaching consequences of the Change Healthcare cyber-attack continue to reverberate throughout the U.S. healthcare system. The Department of Health and Human Services (HHS) has responded with a coordinated effort, mobilizing multiple agencies to mitigate the disruption and shore up the sector’s vulnerable cybersecurity.

Immediate Measures for Operational Continuity

Faced with significant cash flow disruptions due to payment and claim processing outages, the HHS has taken decisive steps. The Centers for Medicare & Medicaid Services (CMS) has spearheaded relief by:

• Expediting Clearinghouse Switches: Providers impacted by the attack can quickly switch clearinghouses through accelerated enrollment with their Medicare Administrative Contractors (MACs). This process is being made as seamless as possible.
• Prior Authorization and Filing Flexibility: CMS urges Medicare Advantage and Part D sponsors to suspend or loosen prior authorization, utilization management, and timely filing requirements. This provides much-needed breathing space for healthcare providers while systems are offline.
• Advance Funding: Providers experiencing substantial financial strain are encouraged to contact their MACs to inquire about the potential for accelerated payments, similar to those offered during the COVID-19 pandemic.
• Paper Claims Acceptance: While electronic billing remains the standard, CMS ensures that MACs are accommodating providers who need to temporarily file paper claims as a fallback option.

Collaboration Across Federal Agencies

The HHS emphasizes that a consolidated federal response is vital for tackling this cybersecurity crisis. In addition to their actions, several key agencies are actively involved:

• FBI: The Federal Bureau of Investigations leads the criminal investigation, pursuing those responsible for the attack and intelligence gathering to protect against future incidents.
• CISA: The Cybersecurity and Infrastructure Security Agency provides vital technical assistance and shares actionable threat intelligence with the healthcare industry to bolster defenses.
• White House: The highest levels of government are engaged, coordinating resources and policy strategies to safeguard healthcare systems nationwide.

A Turning Point for Healthcare Cybersecurity

The Change Healthcare attack underscores the urgent need for the entire healthcare ecosystem to double down on cybersecurity measures. The HHS stresses this point, citing their December 2023 concept paper, which proposed four pillars of action:

1. Performance Goals: Developing robust, voluntary cybersecurity performance goals specific to the needs of the healthcare sector.
2. Congressional Support: Working with Congress to incentivize and support improvements to cybersecurity in hospitals throughout the nation.
3. Accountability: Promoting increased accountability across the healthcare industry to prioritize cybersecurity readiness.
4. One-Stop Coordination: Establishing a streamlined hub for resource sharing and information coordination to better serve the sector’s needs.

The HHS strongly urges hospitals, providers, technology vendors, and everyone involved in the U.S. healthcare system to prioritize cybersecurity. Resources are available on the HPH Cyber Performance Goals website to help bolster defenses. The Change Healthcare cyber-attack is a stark reminder that the American people cannot afford further disruptions to vital care.