Cyberattacks and Cybersecurity in Health Care

According to the Department of Health and Human Services (HHS), the health care sector is particularly vulnerable to cybersecurity risks. Health care facilities are attractive targets for cyber criminals in light of their size, technological dependence, sensitive data, and unique vulnerability to disruptions. And, cyber incidents in health care are on the rise.

• Review the latest cybersecurity federal alerts and advisories.
• Access educational materials designed by HHS to give HIPAA covered entities and businesses insight into how to respond to a cyber-related security incident.
• Access American Medical Association (AMA) resources for physicians and health care staff to protect patient health records and other data from cyberattacks.

Ascension Cyberattack

Ascension, which operates 140 hospitals in 19 states, reported on May 9 a cyberattack. Electronic patient charts were among the systems affected. MyChart — a portal for patients to see their records and message providers — was unavailable, along with some phone services and systems for ordering tests, procedures, and medications.

Ascension will be posting additional updates and regional information regarding cybersecurity here: https://about.ascension.org/cybersecurity-event.

The CAP is also monitoring the impact of the attack on practices utilizing the Pathologists Quality Registry. After the Change Healthcare cyberattack earlier this year, the Centers for Medicare & Medicaid Services (CMS) added an option to cite the cyberattack when requesting the 2024 Merit-based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances (EUC) hardship exception. The CAP wants our practices to know that this is a viable option, and they should take advantage of the EUC hardship application if they have been impacted by the cyberattack and are unable to access their data for MIPS reporting . The 2024 MIPS EUC portal is now open, and physicians have until December 31, 2024, to file a hardship application and avoid a 2026 MIPS negative payment adjustment. For more information on the 2024 EUC hardship application please visit the CMS webpage.

Change Healthcare Cyberattack

On February 21, Change Healthcare, owned by UnitedHealth Group, experienced a cyberattack that has significantly impacted health care operations across the country. Pathologists have reported disruptions in claims processing, cash flow constraints, and other difficulties in daily practice operations. Below are the latest updates and resources to assist pathologists in managing the fallout.

Resources

• HHS resource document with information, resources, and tools from health plans and payers for providers in need of assistance. If these contacts do not respond to inquiries, please contact  HHScyber@hhs.gov.
• United Health Group dedicated webpage with product restoration updates, information about the temporary funding process, and additional resources. Note: United Health Group continues to emphasize the availability of payments to providers in need – submit a request through the Temporary Funding Assistance Program Form or call 1-877-702-3253.
• Centers for Medicare & Medicaid Services (CMS) FAQ document related to the accelerated/advance payments available to providers who are experiencing delays in the submission or processing of Medicare claims payments as a result of the Change Healthcare cyberattack. Contact your respective MAC for assistance.  A list of MACs can be found on the CMS.gov website.

News and Other Updates

• Ascension Health System Latest Victim of Cyberattack, May 14, 2024
• Resources for Pathologists Affected by Change Healthcare Cyberattack, April 9, 2024
• AMA Survey on Impact of Change Healthcare Cyberattack Due April 3, April 2, 2024
• CMS Reopens 2023 MIPS Extreme and Uncontrollable Circumstances Applications, March 26, 2024
• CMS Extends 2023 MIPS Data Submission Deadline Until April 15 Due to Impact of Change Healthcare Cybersecurity Attack, March 19, 2024
• HHS, CMS Offer Assistance in Wake of Ransomware Attack, March 12, 2024