May 27, 2024
What PT Practices Learned from the Change Healthcare Hack
If you've been in the physical therapy industry for a while, you’ve probably heard about the recent Change Healthcare hack. It's been quite a wake-up call, reminding us of the importance of cybersecurity, particularly for practices that depend on electronic systems for their daily operations. This incident affected countless healthcare professionals and patients, leaving many scrambling to manage their business without access to critical electronic claims and data services. But fear not, because while this incident was a challenge, it's also an opportunity to learn how we can better safeguard our practices.
The Scope of the Change Healthcare Cyber Attack
On February 21, a cybercriminal group calling itself AlphV or BlackCat launched a ransomware attack against Change Healthcare. In response, Change Healthcare immediately disconnected its systems from third-party platforms to prevent further compromise. This action cut off the many healthcare providers who rely on its electronic claims processing and data management services, leaving them unable to submit claims or access needed information.
The hackers managed to encrypt sensitive data, holding it hostage and demanding a ransom. Despite its best efforts to secure information, Change Healthcare ultimately paid a reported $22 million in ransom to recover its data. This was a controversial decision that many experts believe could embolden future cybercriminals.
Immediate Impact on Rehab Therapy
As one of the largest clearinghouses in the healthcare industry, Change Healthcare plays a pivotal role in processing claims for physical therapists and other rehab therapy professionals. Its systems handle everything from claim submissions to authorizations and payments. When the cyberattack hit, many practices experienced significant delays in claims processing and disruptions in their revenue streams.
This hack also left patients unable to access necessary prescriptions, treatments, and services as hospitals and pharmacies couldn't process requests quickly enough. For rehab therapists specifically, the inability to submit claims affected both their revenue and relationships with patients.
The Federal Response to the Medicare Cyber Attack of 2024
In the wake of the Medicare cyber attack in 2024, the Department of Health and Human Services (HHS) stepped in to provide expedited support. It urged Medicare Advantage organizations and Part D sponsors to show leniency with prior authorizations and extend advance payments to affected providers. This intervention helped ease some financial strains.
Additionally, HHS advised providers to request new Electronic Data Interchange (EDI) setups from their Medicare Administrative Contractors (MACs) to continue claims processing and, if necessary, revert to paper claims as a temporary solution.
Lessons Learned from the Change Healthcare Hack
This incident revealed several crucial lessons for physical therapy practices about protecting their businesses from similar cyberattacks.
1. Invest in Cybersecurity Training
Human error remains one of the primary causes of successful phishing and ransomware attacks. All it takes is one click on a malicious link in a phishing email, and the entire system could be compromised. Practices must implement ongoing cybersecurity training programs to help employees recognize and avoid potential threats.
2. Implement Two-Factor Authentication
Two-factor authentication (2FA) is a crucial security measure that can help prevent unauthorized access. With 2FA, even if a hacker obtains your password, they would still need a one-time code sent to your phone or email to access your systems.
3. Use Strong Passwords and Change Them Regularly
Weak passwords are an open invitation for hackers. Practices should establish a policy that requires staff to use strong, unique passwords for every account and change them regularly. Password managers can help make this task easier by securely storing complex passwords.
4. Keep Software Updated
Hackers frequently exploit vulnerabilities in outdated software to gain access to sensitive data. Ensure that all software, including antivirus, firewall, and practice management systems, is updated regularly to fix any known security gaps.
5. Adopt Robust Firewalls and Security Software
Firewalls help block unauthorized traffic, and security software provides an additional layer of protection against malware. To protect against external threats, practices should combine both.
6. Back Up Data Frequently
One of the reasons ransomware is so effective is that it restricts access to essential data. Practices should regularly back up critical files in secure, offline locations. This precaution makes it easier to recover and continue operations without paying a ransom.
How Practices Can Safeguard Their Data in the Future
It's clear that practices must be proactive in protecting their patients' data and ensuring the continuity of their business. Here's a summarized action plan that physical therapy practices can adopt:
- Create an Emergency Fund: Establish an emergency fund to cover any unexpected revenue disruptions caused by cyberattacks or other crises.
- Conduct Regular Security Audits: Evaluate your current systems and processes for potential vulnerabilities. Work with cybersecurity professionals to shore up weak spots and implement best practices.
- Strengthen Vendor Contracts: Review your agreements with software and clearinghouse vendors. Make sure they are committed to maintaining high security standards and can provide you with fast, reliable support in an emergency.
- Craft a Crisis Management Plan: Prepare a step-by-step plan to respond swiftly and effectively to cyber threats. Ensure that all team members know their roles in the event of an attack.
Moving Forward After the Change Healthcare Cyber Attack Is Fixed
Thankfully, the Change Healthcare cyber attack is almost fully resolved, with many services coming back online and practices catching up with their backlog of claims. However, it serves as a flashing red warning sign for the industry, emphasizing that no practice is immune to such attacks.
Physical therapy practices need to make cybersecurity a major priority. Implementing the best practices highlighted above can help mitigate future threats and ensure security and resilience. By learning from the challenges and aftermath of the Change Healthcare hack, rehab therapy professionals can move forward with the tools and knowledge necessary to protect themselves from future threats.
How PtEverywhere Enhances Cybersecurity for Physical Therapy Practices
In the wake of cyberattacks like the one on Change Healthcare, physical therapy practices must recognize the importance of robust, secure practice management software. PtEverywhere is designed specifically for physical therapy practices, incorporating advanced security features that safeguard sensitive data while enhancing practice management efficiency.
Key Features of PtEverywhere that Boost Cybersecurity:
- Comprehensive Data Encryption: PtEverywhere ensures that all data, whether in transit or at rest, is encrypted using industry-standard encryption protocols. This reduces the risk of data breaches and unauthorized access.
- Built-In Two-Factor Authentication (2FA): To further secure user access, PtEverywhere supports two-factor authentication. This adds an extra layer of security, ensuring that even if a password is compromised, unauthorized users cannot access the system without a second form of verification.
- Regular Security Updates: PtEverywhere continuously updates its platform to address new security vulnerabilities as they arise. This proactive approach ensures system protection against the latest threats.
- Secure Cloud Storage: With PtEverywhere, all data is stored securely in the cloud, ensuring that information is not only safe from local threats (such as physical theft or damage) but also backed up regularly. This cloud-based approach allows for quick recovery and access from any approved device, providing practices with flexibility and peace of mind.
- Compliance with Industry Standards: PtEverywhere is compliant with important health industry regulations, including HIPAA. Compliance ensures that the software adheres to stringent guidelines regarding data privacy and security, offering further assurance to its users.
- Enhancing Practice Resilience: By choosing specialized physical therapy software like PtEverywhere, practices streamline their day-to-day operations and strengthen their defenses against cyber threats. From scheduling and billing to comprehensive client management and documentation, PtEverywhere provides a secure and efficient platform tailored to physical therapists' unique needs.