Last week’s data breach of United Health Group’s (UHG) prescription provider comes at a critical time in the digital transformation of connected healthcare. Just as evidence shows clinicians are seeing positive results from digital processes, the security of consumer data has taken another hit.
On Feb. 21 the healthcare giant confirmed that its subsidiary Optum was forced to shut down IT systems and various services after a cyberattack by “nation-state” hackers on the Change Healthcare platform. Optum operates the Change Healthcare platform, which is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the U.S. healthcare system.
The breach caused complete disruptions at healthcare clinics, medical billing companies, and pharmacies. As Bleeping Computer reported, “the payment processing disruption in pharmacies has been particularly noticeable, with the majority of local and box store pharmacies across the country unable to process any insurance claims or accept discount prescription cards.”
The situation was so serious that the American Hospital Association (AHA) recommended that all healthcare organizations that rely on Optum solutions disconnect their systems immediately to protect their partners’ and patients’ data.
“We recommend that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” warned the AHA.
Late last week the ripple effects from the breach were still being felt throughout the system, which is used in all 50 states. “We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” Change Healthcare said in a statement. “We will continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action and disconnect.”
The breach comes at a critical juncture in digital healthcare’s transformation. PYMNTS data shows that consumer interest in using a unified digital platform for managing healthcare information and medical insurance benefits is well established among all age groups, with two-thirds of baby boomers and seniors expressing interest in unified healthcare platforms, with 24% very or extremely interest- ed.
On the provider side reports show a renewed focus on digital transformation, with one analyst saying that “a powerful wave of modernization” is transforming the industry. And new reports show that digital healthcare platforms are playing a major role in addressing the industry’s most important post-COVID issue: Clinician burnout. A report released last week from Wolters Kluwer urged healthcare IT departments to be more aggressive in their transformation efforts with an eye toward lightening the administrative load on clinicians.
“To properly address burnout, your digital health strategy will need to respond to both patient and clinician demands,” the report stated. “By enabling patients to become deeper participants in their care, you’ll better support value-based care initiatives, patient education goals, and a clinician-centered digital health strategy. The information patients’ access should be clearly aligned with the materials clinicians are referencing in their work.”
The breach at Change Healthcare was the second incident for UHG within three months. Clearly better security is needed and may be available in the short term.
As of March 31, the industry will be impacted by the new version of PCI DSS 4.0. According to the McDermott law firm, the new version introduces many new requirements that will impact the industry directly. Entities that provide digital health services and accept payment cards are likely “merchants” or “service providers” under the PCI DSS definitions. Both merchants and service providers must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) at least annually to comply with PCI DSS. ROCs or SAQs that are started after March 31, (the retirement date of prior PCI version 3.2.1) will need to use the new 4.0 version with its more rigorous requirements.
“After two years to prepare, the March 31, 2024, date for compliance with PCI DSS 4.0 is almost here,” the firm stated last week. “PCI DSS 4.0 – which brings major changes to the payments ecosystem – places an increased focus on targeted risk analysis, organizational maturity and governance. It also makes PCI DSS compliance a continuous effort, rather than an annual snapshot exercise, and introduces a customized approach to PCI assessments, enabling businesses to implement alternative technical and administrative controls that meet the customized approach objective.”