How to Prevent Healthcare Cyberattacks
The news is inundated with reports of the cyberattack on ChangeHealth and its downstream effect: inability to pay providers for patient care. There is a straightforward way to avoid all future attacks. That preventative step is easy to understand, simple, and not merely politically incorrect, it is politically radioactive.
On Wednesday, February 21, 2024, ChangeHealth, a healthcare billing and collecting company, reported a ransomware attack whose perpetrators demanded $22 million for the return of all the company’s stolen data. Though ChangeHealth is a relatively obscure IT organization, its healthcare payment activities affect one out of every three Americans.
As a result, millions of providers could not be paid and care could not be provided. The cost to the system was estimated at $100 million per day.
The culprits remain unidentified. ChangeHealth remains locked out of their own data. Millions of providers remain unpaid for their services. Washington is scrambling to find money for them. And while paying the perpetrators seems a simple, surprisingly cheap solution, everyone knows that paying off a blackmailer just encourages more blackmail.
The reason this was possible might be described as efficiency over security. It is much more efficient to have a single source or repository of information than to have the information distributed across numerous places. With all the billing information in one computer bank, ChangeHealth can quickly and easily (and cheaply) organize its data and send out payments without duplication or error.
A single locus for all information offers an attractive single point for cyberattack. This was just what the Defense Department feared when it created the internet.
The progenitor to today’s internet, ARPANET, was created in 1968-69 by ARPA (Advanced Research Projects Agency), which was renamed in 1972 by adding “D” (Defense) to create DARPA. ARPANET was an electronic information exchange system allowing instant communication between various components of the national defense grid, from war-rooms and think-tanks to battlefield soldiers and missile silos.
The planners understood the strategic vulnerability of having a single hub through which all information was routed: an enemy could cripple our communications by destroying that single hub. Therefore, they made security their highest priority. ARPA developed a distributed network of many information sources and connected them. Today, we have billions of such information communication hubs: servers, routers and computers. It’s called the world wide web (and Al Gore did not create it).
Whoever attacked ChangeHealth used the vulnerability of a single information locus to hold their data for ransom. The solution is obvious. Do what the Defense Department did – distribute the data widely to reduce vulnerability.
What does that mean for healthcare?
ChangeHealth is an IT company that third-party payers – government, insurance companies, and health plans – use to collect money from premium payers, verify bills from providers, and pay the providers according to rules set up by the third parties.
To make the information secure, distribute it to all the true payers: the patients or more accurately, taxpayers and premium payers. Rather than a single source – the third party – holding all the information, have the billing and payment information reside with the patient. Cut out third-party middleman security risk. Let each patient pay his or her provider directly.
It would then be impossible to attack 332 million separate loci of health information.
Before the shouting starts, “I can’t possibly afford to pay for my care – it’s just too dam**d expensive,” here is reassurance. When patients pay providers directly, that is called direct-pay or “patient-controlled health care.” Patients would have very large, unlimited family HSAs funded by the premiums currently paid to insurance companies by employers. There would be state-created (not federal) medical safety nets, so goodbye Medicaid. Dismantle Medicare and pay out into family HSAs what has been paid in.
Taxpayers would no longer have to pay two trillion (!) “healthcare” dollars for federal BARRCOME – bureaucracy, administration, rules, regulations, compliance, oversight, mandates, and enforcement. This money could be recouped as payments for care and/or reductions in tax burden.
Healthcare ransomware attacks would become a thing of the past. As an added benefit, the cost of care would go down precipitously and access to care would go up similarly.
Everyone would love patient-controlled healthcare, except Washington politicos.
Deane Waldman, M.D., MBA is Professor Emeritus of Pediatrics, Pathology, and Decision Science; former Director of the Center for Healthcare Policy at Texas Public Policy Foundation; former Director of the New Mexico Health Insurance Exchange; and author of the multi-award winning book, Curing the Cancer in U.S. Healthcare: StatesCare and Market-Based Medicine.