In the wake of a recent cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group, that occurred on February 21st, the vulnerability of healthcare system management, and of the healthcare industry as a whole, to cyber threats has been brought to the forefront. Change Healthcare, as the largest clearinghouse for medical claims in the country, processes billions of medical claims annually, making it a prime target for cybercriminals.
The cyberattack resulted in the shutdown of three key systems: claims processing, payment and billing, and eligibility verifications. Experts have raised concerns about the far-reaching impact of such attacks, with the national advisor for cybersecurity and risk for the American Hospital Association highlighting the “ransomware blast radius.” This is more than just a jargon-riddled term. It has real implications for health data, which grows in complexity on a near-daily basis. As health data becomes more complex, it inevitably becomes more vulnerable to cyberattacks. Yet those in leadership positions seemingly fail to see this trend.
Rather than prioritizing the integrity of healthcare system management, Congress is focused on the healthcare mergers and acquisitions market, somehow equating corporate growth with increased data risk. Congressman Frank Pallone expressed concern about the consolidation of health technology companies, questioning if such mergers could pose unreasonable risks to the healthcare system.
The acquisition of Change Healthcare by UnitedHealth Group for $13 billion in 2022 has raised further questions about the security of healthcare data. The Department of Justice (DOJ) attempted to block the merger, citing potential threats to competition and data security. However, a federal judge allowed the merger to proceed, and the DOJ dropped its appeal.
As the healthcare industry continues to digitize, enhancing healthcare system management and storing vast amounts of sensitive patient data, the need to bolster cybersecurity measures has never been more crucial. Complex health data, often stored in disparate healthcare content management systems, makes the healthcare sector uniquely vulnerable to cyber threats, and proactive steps must be taken to prevent future attacks and protect patient information.
This does not mean federal regulators should target health corporations. Rather, the fundamental structure of health data must be decentralized. Patient data is most secure when patients have full autonomy over it. Rather than blaming a system inherently rife with flaws that allow cyberattacks, Congress should emphasize individual ownership of health data.
The blast radius of a data breach only increases with larger health systems. But when we decentralize health data and return ownership to the patients, the blast radius decreases and the potential for risk dramatically reduces. Yet we continue to consolidate data and continue to encourage the build-up of corporate conglomerates in healthcare. And then we punish them for the inevitable data breaches that are preordained to occur.
The real solution lies in the hands of the patients. Once they regain autonomy over their medical data, they will protect it far better than any corporate entity in healthcare.
It is an obvious solution to a problem that will continue to grow. It is too bad Congress is immune to common sense. Maybe Congress should get itself checked for its own cyberattack risk. Perhaps then we will actually see some headway toward patients regaining control of their own medical records.