If you've been in the physical therapy industry for a while, you’ve probably heard about the recent Change Healthcare hack. It's been quite a wake-up call, reminding us of the importance of cybersecurity, particularly for practices that depend on electronic systems for their daily operations. This incident affected countless healthcare professionals and patients, leaving many scrambling to manage their business without access to critical electronic claims and data services. But fear not, because while this incident was a challenge, it's also an opportunity to learn how we can better safeguard our practices.
On February 21, a cybercriminal group calling itself AlphV or BlackCat launched a ransomware attack against Change Healthcare. In response, Change Healthcare immediately disconnected its systems from third-party platforms to prevent further compromise. This action affected the many healthcare providers who rely on Change Healthcare's electronic claims processing and data management services, leaving them unable to submit claims or access needed information.
The hackers managed to encrypt sensitive data, holding it hostage and demanding a ransom. Despite its best efforts to secure information, Change Healthcare ultimately paid a reported $22 million in ransom to recover its data. This was a controversial decision that many experts believe could embolden future cybercriminals.
As one of the largest clearinghouses in the healthcare industry, Change Healthcare plays a pivotal role in processing claims for physical therapists and other rehab therapy professionals. Its systems handle everything from claim submissions to authorizations and payments. When the cyberattack hit, many practices experienced significant delays in claims processing and disruptions in their revenue streams.
This hack also left patients unable to access necessary prescriptions, treatments, and services as hospitals and pharmacies couldn't process requests quickly enough. For rehab therapists specifically, the inability to submit claims affected both their revenue and relationships with patients.
In the wake of the Medicare cyber attack in 2024, the Department of Health and Human Services (HHS) stepped in to provide expedited support. It urged Medicare Advantage organizations and Part D sponsors to show leniency with prior authorizations and extend advance payments to affected providers. This intervention helped ease some financial strains.
Additionally, HHS advised providers to request new Electronic Data Interchange (EDI) setups from their Medicare Administrative Contractors (MACs) to continue claims processing and, if necessary, revert to paper claims as a temporary solution.
This incident revealed several crucial lessons for physical therapy practices about protecting their businesses from similar cyberattacks.
Human error remains one of the primary causes of successful phishing and ransomware attacks. All it takes is one click on a malicious link in a phishing email, and the entire system could be compromised. Practices must implement ongoing cybersecurity training programs to help employees recognize and avoid potential threats.
Two-factor authentication (2FA) is a crucial security measure that can help prevent unauthorized access. With 2FA, even if a hacker obtains your password, they would still need a one-time code sent to your phone or email to access your systems.
Weak passwords are an open invitation for hackers. Practices should establish a policy that requires staff to use strong, unique passwords for every account and change them regularly. Password managers can help make this task easier by securely storing complex passwords.
Hackers frequently exploit vulnerabilities in outdated software to gain access to sensitive data. Ensure that all software, including antivirus, firewall, and practice management systems, is updated regularly to fix any known security gaps.
Firewalls help block unauthorized traffic, and security software provides an additional layer of protection against malware. To protect against external threats, practices should combine both.
One of the reasons ransomware is so effective is that it restricts access to essential data. Practices should regularly back up critical files in secure, offline locations. This precaution makes it easier to recover and continue operations without paying a ransom.
It's clear that practices must be proactive in protecting their patients' data and ensuring the continuity of their business. Here's a summarized action plan that physical therapy practices can adopt:
Thankfully, the Change Healthcare cyber attack is almost fully resolved, with many services coming back online and practices catching up with their backlog of claims. However, it serves as a flashing red warning sign for the industry, emphasizing that no practice is immune to such attacks.
Physical therapy practices need to make cybersecurity a major priority. Implementing the best practices highlighted above can help mitigate future threats and ensure security and resilience. By learning from the challenges and aftermath of the Change Healthcare hack, rehab therapy professionals can move forward with the tools and knowledge necessary to protect themselves from future threats.
In the wake of cyberattacks like Change Healthcare, physical therapy practices must recognize the importance of robust, secure practice management software. PtEverywhere is designed specifically for physical therapy practices, incorporating advanced security features that safeguard sensitive data while enhancing practice management efficiency.