
Calls grow for federal funding after Change Healthcare cyberattack


The Change Healthcare ransomware attack story has evolved to the point where the industry and leading politicians are calling for the federal government to step in and help providers with an impending cash flow crisis so insurance claims can get paid and patients can get the drugs they need.

Reports emerged over the last few days that patients going to local pharmacies for refills are being asked to pay the full price. With Change Healthcare systems still down, pharmacy employees are unable to process basic information such as whether the insurer covers a drug and, if there is a co-pay, how much it is.

In a letter to Congress March 4, the American Hospital Association (AHA) urged lawmakers to have the federal government fund providers and ensure that UnitedHealth, which owns Change Healthcare, implements a “meaningful” financial assistance system.

Senate Majority Leader Charles Schumer sent a March 1 letter to the Centers for Medicare and Medicaid Services (CMS) asking it to make accelerated and advanced payments available to the hospitals, pharmacies, and relevant providers that have been impacted by the Change Healthcare cyberattack.

“In addition, CMS should also direct Medicare Administrative Contractors (MACs) to use a streamlined and efficient process to ensure claims processing and payments resume in a timely manner,” Schumer wrote. “The longer this disruption persists, the more difficult it will be for hospitals to continue to provide comprehensive healthcare services to patients.”

Toby Gouker, chief security officer at First Health Advisory, said the industry has been pressing the federal government to free up funds to avoid a cash flow crisis among providers, plus fund a Paycheck Protection Program (PPP) for all the third-party contractors affected by the cyberattack.

“We’re getting closer to a financial cliff,” said Gouker. “We’re asking the government for funds like we did during the COVID pandemic to help stem the critical cashflow issues many healthcare provider organizations are facing right now. HHS is ready for a more permanent fix, and even the Health Sector Coordinating Council has released a strategy document for implementing mission critical cybersecurity practices. All healthcare truly needs right now are the resources through federal funding that will empower them to adopt security measures that are standard in most other industries.”

In response to the evolving situation, Health and Human Services (HHS) put out a statement Tuesday acknowledging that CMS has heard from providers about the availability of accelerated payments, like those issued during the COVID-19 pandemic.

“We understand that many payers are making funds available while billing systems are offline, and providers should take advantage of those opportunities,” said the HHS statement. “However, CMS recognizes that hospitals may face significant cash flow problems from the unusual circumstances impacting hospitals’ operations, and – during outages arising from this event – facilities may submit accelerated payment requests to their respective servicing MACs for individual consideration.”

Change Healthcare’s response to cyberattack

In an update on March 4, Change Healthcare confirmed that ALPHV/BlackCat was the ransomware group involved in the attack. The company said its experts are working with Mandiant and Palo Alto Networks to mitigate the attack and that it is actively working to understand the impact on members, patients and customers.

“Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need,” said Change Healthcare. “Based on our ongoing investigation, there’s no indication that Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.”

Since the cyber incident last week, a large provider told Gouker that it's stopped receiving roughly $100 million a day in payments for pharmaceuticals. Gouker added that the provider noted that the $4,000-a-month loan program Change Healthcare offered was a fraction of the organization's $350,000 monthly payroll.

“Healthcare also has many more third-party related services that are affected, companies that provide janitorial services, payment exchanges, and deliver oxygen,” explained Gouker.

The cybersecurity response to Change Healthcare incident

Details regarding the Change Healthcare incident have continued to emerge since it was first disclosed in February. On the cyber front, reports were swirling that an ALPHV/BlackCat affiliate accused the main organization of stealing a $22 million ransomware payment made to the affiliate by Optum.

Morgan Wright, chief security advisor at SentinelOne, and an SC Media columnist, said the ransomware gang may have seen the writing on the wall, stiffed their affiliate, and called it a day.

“I expect to see an ‘Under New Management’ sign in the near future,” said Wright.

Wright added that this ongoing situation presents a moral dilemma for the government, as well as the ransomware criminals, which leads to multiple questions:

  • If the government steps in and assists healthcare, where is the line drawn for other sectors?
  • With ALPHV/BlackCat, which is essentially Darkside rebranded, what happens if the same attacks occur against another pipeline?
  • Would the Federal Energy Regulatory Commission be asked to cover operational costs?
  • How would this not embolden even more attacks, knowing the federal government would essentially be the guarantor of all debts in the industries that have been attacked?

On the other hand, Wright said the use of existing authorities to accelerate payments to entities that have suffered through no fault of their own would seem in keeping with the role of the federal government to defend and protect Americans against threat actors.

“For ALPHV/BlackCat, this attack against Change Healthcare may be the clarion call that galvanizes international attention to disrupting and shutting down ransomware gangs with additional law enforcement and intelligence assets,” said Wright.

Chad Graham, CIRT Manager at Critical Start, said government intervention could act as a critical stopgap, ensuring the continuity of healthcare services. Furthermore, such an intervention would highlight the importance of cybersecurity in healthcare, establishing a firm stance that attacks on crucial infrastructure are matters of national security and public health, warranting direct government action.

“This would not only provide immediate relief, but also potentially stabilize healthcare providers financially, many of whom operate on narrow margins and could face instability or bankruptcy due to cash flow interruptions caused by cyberattacks,” said Graham. “However, this approach is not without its drawbacks. Intervening could create a moral hazard, reducing the incentive for healthcare institutions to invest in robust cybersecurity measures if they anticipate government assistance during crises.”

Ira Winkler, CISO at CYE, said he didn’t think the government should step in and pay, but that it should treat this as a nation-state level threat to our critical infrastructure, destroy the ALPHV/BlackCat infrastructure and name the people in charge.

“This is an affiliate program, where the attackers essentially lease the infrastructure from the group,” explained Winkler. “We are getting to the point that this is ridiculous in the lack of apparent action by the government that’s potentially costing lives. Other ransomware ‘affiliate’ networks have said that hospitals are off limits, but now they are purposefully targeting healthcare. This requires a massive response that would best be literally treating this in the same way if a third world country would attack our infrastructure.”
