With the massive wave of health-information digitization over the past decade, hospitals and healthcare providers have long considered the possibility of a cyberattack a growing threat. Unfortunately, that threat became a very costly reality this year for Change Healthcare—and so many other organizations in its path. In February, a ransomware attack on Change Healthcare halted medical billing operations across the United States, pushing numerous financially struggling health systems and medical practices to the edge of bankruptcy. This breach disrupted the cash flow of organizations that collectively represent a fifth of the U.S. economy, potentially exposed up to 85 million patient records, and incurred billions of dollars in damages. Recovery efforts are ongoing, and it may take months or even years to fully understand the extent of the impact.
Moreover, in the past five years, significant hacking-related breaches in the healthcare sector have risen by a staggering 256%, and ransomware incidents reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) have surged by 264%. In 2023, hacking accounted for 79% of the major breaches reported to the OCR. These breaches significantly affected over 134 million individuals, representing a 141% increase from the previous year.
Cybersecurity in Healthcare
Although the financial sector has battled hackers for decades, many health systems are new to cybercrime and aren’t as adept at deterring attacks. Cyberattacks on hospitals and healthcare providers are becoming more common for two main reasons: The bad actors are finding success, and hacked medical records, according to the American Medical Association, are 50 times more valuable than financial information on the illegal market.
These cybercriminals seek to exploit the vulnerabilities inherent in healthcare’s complex network of clinical, financial, and administrative systems. The sheer volume of data and the continuous shift of operations to the cloud, married with the fact that many health systems haven’t fully invested in cloud security, help make this sector a prime target.
The cost of cyberattacks on healthcare—and patient care
According to a 2024 survey by the American Hospital Association (AHA), 94% of hospitals are financially affected by the Change Healthcare cyberattack, with over half reporting “significant or serious” effects. The survey revealed that more than 80% of hospitals experienced cash flow issues due to the attack. Of these, nearly 60% reported a revenue impact of $1 million per day or more.
Additionally, 74% of hospitals reported direct patient care impact, and almost 40% reported patients having difficulty accessing care because of delays in processing health plan requirements, such as prior authorization. While hospitals are implementing workarounds to mitigate patient care disruption and address the affected Change Healthcare systems, these solutions are often labor-intensive and costly.
Ransomware attacks on healthcare providers also pose a major threat to patient care. According to Software Advice’s 2024 Medical Cybersecurity Survey, over 25% of these attacks directly affect patient care, causing disruptions in medical services, data loss, and compromised patient safety. Due to its mission, healthcare has unique cybersecurity challenges that go beyond financial loss and breach of privacy. The loss of patient data can threaten patient safety and put lives at risk.
Who’s at risk?
Hospitals and healthcare providers both large and small are targets for attacks. Smaller hospitals are vulnerable because they have fewer staff and resources to defend against cyberattacks, whereas larger hospitals and health systems present more entry points for attackers to find vulnerabilities. Attacks affect not only patient care but also the revenue cycle.
Healthcare organizations have complex supply chains made up of an extensive web of internal and external systems, components, and processes that work together to ensure the highest level of efficiency and quality. The resulting complexities require healthcare RCM leaders to protect their institutions not just from the inside, but also from potential vulnerabilities at their outside vendor partners.
How to combat cybersecurity threats
One way to effectively address cybersecurity risk is to partner with an RCM and denials management vendor that has robust, verifiable cybersecurity protocols in place. One good sign is a Health Information Trust Alliance (HITRUST) certification, the most rigorous certification program available to healthcare organizations, or, even better, a recertification.
The HITRUST Risk-based, 2-year (r2) Certification achievement places Aspirion in an elite group of organizations worldwide that have earned this certification. The certification demonstrates that Aspirion’s Compass applications have met the most stringent industry-defined risk and compliance requirements. HITRUST is an important element of Aspirion’s broader strategy, hosted in the Microsoft Azure cloud, to ensure information security, privacy, compliance, and cybersecurity controls on behalf of its clients.
“Achieving recertification for this high-level endorsement underscores our dedication to surpassing the cybersecurity and data protection benchmarks established by the industry,” said Amy Amick, Aspirion CEO. “We recognize the severe impact of data breaches and cyber-attacks within the healthcare sector and rigorously adhere to complex compliance requirements, safeguarding data, and upholding privacy standards. Data compliance is complex and costly, yet Aspirion willingly assumes this responsibility to ensure the protection of data for our provider clients with the highest level of diligence and excellence.”
As the most streamlined and all-encompassing framework in the healthcare industry, HITRUST is a win-win for Aspirion and its partners:
- Risk reduction: Holistic understanding of data integrity enables Aspirion to address risks and vulnerabilities to reduce the potential for future issues.
- Industry-leading: HITRUST is the leading standard for data security in the healthcare sector. Aspirion’s recertification proves its best-practice utilization and ability to effectively tackle requirements across various regulatory standards.
- Competitive advantage: Aspirion’s ability to prioritize the security of healthcare partner patient data sets it above its competitors.
Finally, for internal security system enhancements, health systems must develop strong defenses and build detailed recovery plans. They should commit to greater collaboration, including with other hospitals and businesses in the area and with partners such as Aspirion. The healthcare ecosystem could leverage the Health Information Sharing and Analysis Center (Health-ISAC), an industry group that already crowdsources information about cybersecurity threats and best practices. By collaborating more, you build greater collective protection against today’s cyber threats.
Are you ready for a vendor partner who takes protecting patient and client data seriously? Reach out to Aspirion today.